[strongSwan] received retransmit of response with ID 0, but next request already sent
hakke_007 at gmx.de
Sun Oct 26 19:24:46 CET 2014
On Oct 26, 2014 6:58 PM, Axel Zöllich <a.zoellich at kirsch.zoellich.de> wrote:
> Thanks for your answer Thomas,
> > On 10/23/2014 02:07 PM, Axel Zöllich wrote:
> > > On Wednesday, 22 October 2014, 17:49:16, Axel Zöllich wrote:
> > >> Right side reset their "draytek vigor 2860" and voilà: the tunnel
> > >> is established.
> > >> I don't like this kind of solutions...
> > >
> > > but the right side is still resending a package (13 and 23)?
> > I'm not sure what you mean by 13 and 23. I can however
> > see that again your peer is not responding to your first
> > encrypted request (btw: the connection is supposed to be
> > authenticated using pre-shared keys).
> 13 and 23 are package numbers in the wireshark recording.
> > Can you please do the following:
> > 'ipsec stroke loglevel ike 4' # this should show us the
> > keying material (unlike my first advice it's the ike
> > facility, not the enc facility).
> > Then try to get your draytek to initiate the connection
> > so we can see if the packets can be
> > a) decrypted
> > b) authenticated using PSK
> I'll ask the peer admin to do so tomorrow.
> In my understanding with "auto=route" I put strongswan ipsec in listening mode
> as it's awaiting packages. This should be suitable to allow the connection to be
> initiated by the draytek, shouldn't it?
Yes, it should respond to the draytek's requests. You'd better use 'add' to avoid involuntary tunnel initiations from behind your charon box. However, what I meant was to have a *red* peer from behind the draytek send traffic to a peer behind the charon box. Charon will then respond and with ike loglevel 4 print keys and hopefully rule out/reveal a problem with encryption or with authentication.
(All typos are courtesy of my phone).
> conn jung
> Axel Zöllich
> Vorgebirgstraße 39, 50677 Köln
> Tel:+49 (0)221 3777534
> Fax:+49 (0)221 3762479
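
The `auto=route` versus `auto=add` distinction discussed in this message, as an added ipsec.conf sketch that is not part of the original thread. The conn name, addresses and subnets are placeholders, not values from the poster's configuration.

```conf
# Added example, not from the thread. All names and addresses are placeholders.
conn example-responder
    left=192.0.2.1              # placeholder: local gateway running charon
    leftsubnet=10.1.0.0/24      # placeholder: network behind the charon box
    right=198.51.100.1          # placeholder: remote gateway (the DrayTek side)
    rightsubnet=10.2.0.0/24     # placeholder: network behind the remote gateway
    authby=secret               # pre-shared key, kept in ipsec.secrets
    # auto=route installs trap policies: charon answers the peer, but matching
    # traffic from leftsubnet also makes charon initiate the tunnel itself.
    # auto=add only loads the connection: charon waits for the peer to initiate.
    auto=add
```

At `ike 4` charon writes keying material to its log, so lower the level again (for example `ipsec stroke loglevel ike 1`, the default) once the trace has been captured, and treat the captured log as sensitive.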