[strongSwan] How to connect strongSwan 5.1.3 to Openswan 2.6.37?

Noel Kuntze noel at familie-kuntze.de
Tue Apr 7 10:57:27 CEST 2015



Hello Klaus,

Did you try setting

esp=aes128-sha1-modp2048!

on the strongswan side?

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 07.04.2015 at 10:51, Klaus Schmidinger wrote:
> I am trying to connect a newly set up server, running openSUSE 13.2 (kernel
> 3.16.7-7-default) and strongSwan 5.1.3, to an existing router that runs OpenWRT
> Backfire 10.03.1 (kernel 2.6.32.27) and Openswan IPsec 2.6.37.
>
> The IKE phase of setting up the connection appears to work, but the ESP phase fails with
>
> Apr  7 10:05:39 racoon2 ipsec[12837]: 08[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ
> Apr  7 10:05:39 racoon2 ipsec[12837]: 08[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Apr  7 10:05:39 racoon2 ipsec[12837]: 08[IKE] received 28800s lifetime, configured 3600s
> Apr  7 10:05:39 racoon2 ipsec[12837]: 08[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
>
> (this is the log on the strongSwan side).
>
> No matter what I do, I can't seem to get the two to agree on an algorithm.
> I already tried the suggestion from
>
>   https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#no-proposal-chosen-returned-by-ZyXELLinksysx-router
>
> but that didn't help.
>
> I would greatly appreciate any hints that might help me get this connection
> up and running.
>
>
> Following are logs and configurations on both machines. Maybe somebody
> with better knowledge of this subject can see what's wrong here:
>
> Here's the complete log on the strongSwan side:
>
> Apr  7 10:22:56 racoon2 ipsec[12960]: Starting strongSwan 5.1.3 IPsec [starter]...
> Apr  7 10:22:56 racoon2 ipsec_starter[12960]: Starting strongSwan 5.1.3 IPsec [starter]...
> Apr  7 10:22:56 racoon2 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 3.16.7-7-default, x86_64)
> Apr  7 10:22:56 racoon2 charon: 00[LIB] openssl FIPS mode(0) - disabled
> Apr  7 10:22:56 racoon2 charon: 00[CFG] HA config misses local/remote address
> Apr  7 10:22:56 racoon2 charon: 00[LIB] plugin 'ha': failed to load - ha_plugin_create returned NULL
> Apr  7 10:22:56 racoon2 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> Apr  7 10:22:56 racoon2 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> Apr  7 10:22:56 racoon2 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> Apr  7 10:22:56 racoon2 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> Apr  7 10:22:56 racoon2 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> Apr  7 10:22:56 racoon2 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> Apr  7 10:22:56 racoon2 charon: 00[CFG]   loaded IKE secret for @panther.tvdr.de @racoon2.tvdr.de
> Apr  7 10:22:56 racoon2 charon: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
> Apr  7 10:22:56 racoon2 charon: 00[CFG] loaded 0 RADIUS server configurations
> Apr  7 10:22:56 racoon2 charon: 00[TNC] TNC recommendation policy is 'default'
> Apr  7 10:22:56 racoon2 charon: 00[TNC] loading IMVs from '/etc/tnc_config'
> Apr  7 10:22:56 racoon2 charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
> Apr  7 10:22:56 racoon2 charon: 00[CFG] missing PDP server name, PDP disabled
> Apr  7 10:22:56 racoon2 charon: 00[TNC] loading IMCs from '/etc/tnc_config'
> Apr  7 10:22:56 racoon2 charon: 00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
> Apr  7 10:22:56 racoon2 charon: 00[CFG] coupling file path unspecified
> Apr  7 10:22:56 racoon2 charon: 00[LIB] loaded plugins: charon curl soup ldap pkcs11 aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp certexpire led duplicheck radattr addrblock unity
> Apr  7 10:22:56 racoon2 charon: 00[LIB] unable to load 15 plugin features (12 due to unmet dependencies)
> Apr  7 10:22:56 racoon2 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
> Apr  7 10:22:56 racoon2 charon: 00[JOB] spawning 16 worker threads
> Apr  7 10:22:56 racoon2 ipsec_starter[12960]: charon (12969) started after 40 ms
> Apr  7 10:22:56 racoon2 charon: 02[CFG] received stroke: add connection 'racoon2-panthernet'
> Apr  7 10:22:56 racoon2 charon: 02[CFG] added configuration 'racoon2-panthernet'
> Apr  7 10:22:56 racoon2 charon: 08[CFG] received stroke: initiate 'racoon2-panthernet'
> Apr  7 10:22:56 racoon2 charon: 08[IKE] unable to resolve %any, initiate aborted
> Apr  7 10:22:56 racoon2 charon: 08[MGR] tried to check-in and delete nonexisting IKE_SA
> Apr  7 10:22:56 racoon2 ipsec[12960]: charon (12969) started after 40 ms
> Apr  7 10:23:09 racoon2 charon: 10[NET] received packet: from 93.212.212.36[500] to 88.198.76.220[500] (592 bytes)
> Apr  7 10:23:09 racoon2 charon: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V ]
> Apr  7 10:23:09 racoon2 charon: 10[ENC] received unknown vendor ID: 4f:45:75:5c:64:5c:6a:79:5c:5c:61:70
> Apr  7 10:23:09 racoon2 charon: 10[IKE] received DPD vendor ID
> Apr  7 10:23:09 racoon2 charon: 10[IKE] received NAT-T (RFC 3947) vendor ID
> Apr  7 10:23:09 racoon2 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
> Apr  7 10:23:09 racoon2 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> Apr  7 10:23:09 racoon2 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
> Apr  7 10:23:09 racoon2 charon: 10[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
> Apr  7 10:23:09 racoon2 charon: 10[IKE] 93.212.212.36 is initiating a Main Mode IKE_SA
> Apr  7 10:23:09 racoon2 charon: 10[IKE] 93.212.212.36 is initiating a Main Mode IKE_SA
> Apr  7 10:23:09 racoon2 charon: 10[ENC] generating ID_PROT response 0 [ SA V V V ]
> Apr  7 10:23:09 racoon2 charon: 10[NET] sending packet: from 88.198.76.220[500] to 93.212.212.36[500] (136 bytes)
> Apr  7 10:23:09 racoon2 charon: 11[NET] received packet: from 93.212.212.36[500] to 88.198.76.220[500] (356 bytes)
> Apr  7 10:23:09 racoon2 charon: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
> Apr  7 10:23:09 racoon2 charon: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
> Apr  7 10:23:09 racoon2 charon: 11[NET] sending packet: from 88.198.76.220[500] to 93.212.212.36[500] (372 bytes)
> Apr  7 10:23:09 racoon2 charon: 12[NET] received packet: from 93.212.212.36[500] to 88.198.76.220[500] (76 bytes)
> Apr  7 10:23:09 racoon2 charon: 12[ENC] parsed ID_PROT request 0 [ ID HASH ]
> Apr  7 10:23:09 racoon2 charon: 12[CFG] looking for pre-shared key peer configs matching 88.198.76.220...93.212.212.36[panther.tvdr.de]
> Apr  7 10:23:09 racoon2 charon: 12[CFG] selected peer config "racoon2-panthernet"
> Apr  7 10:23:09 racoon2 charon: 12[IKE] IKE_SA racoon2-panthernet[2] established between 88.198.76.220[racoon2.tvdr.de]...93.212.212.36[panther.tvdr.de]
> Apr  7 10:23:09 racoon2 charon: 12[IKE] IKE_SA racoon2-panthernet[2] established between 88.198.76.220[racoon2.tvdr.de]...93.212.212.36[panther.tvdr.de]
> Apr  7 10:23:09 racoon2 charon: 12[IKE] scheduling reauthentication in 10047s
> Apr  7 10:23:09 racoon2 charon: 12[IKE] maximum IKE_SA lifetime 10587s
> Apr  7 10:23:09 racoon2 charon: 12[ENC] generating ID_PROT response 0 [ ID HASH ]
> Apr  7 10:23:09 racoon2 charon: 12[NET] sending packet: from 88.198.76.220[500] to 93.212.212.36[500] (76 bytes)
> Apr  7 10:23:10 racoon2 charon: 14[NET] received packet: from 93.212.212.36[500] to 88.198.76.220[500] (508 bytes)
> Apr  7 10:23:10 racoon2 charon: 14[ENC] parsed QUICK_MODE request 2128104217 [ HASH SA No KE ID ID ]
> Apr  7 10:23:10 racoon2 charon: 14[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ
> Apr  7 10:23:10 racoon2 charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Apr  7 10:23:10 racoon2 charon: 14[IKE] received 28800s lifetime, configured 3600s
> Apr  7 10:23:10 racoon2 charon: 14[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
> Apr  7 10:23:10 racoon2 charon: 14[ENC] generating INFORMATIONAL_V1 request 2256479768 [ HASH N(NO_PROP) ]
> Apr  7 10:23:10 racoon2 charon: 14[NET] sending packet: from 88.198.76.220[500] to 93.212.212.36[500] (76 bytes)
>
> And here's the log on the Openswan side:
>
> Apr  7 10:23:05 panther user.info kernel: klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.6.37
> Apr  7 10:23:05 panther user.info kernel: NET: Registered protocol family 15
> Apr  7 10:23:05 panther user.warn kernel: registered KLIPS /proc/sys/net
> Apr  7 10:23:05 panther user.info kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
> Apr  7 10:23:05 panther user.info kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
> Apr  7 10:23:05 panther user.warn kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
> Apr  7 10:23:05 panther user.warn kernel: ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
> Apr  7 10:23:05 panther user.warn kernel: ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
> Apr  7 10:23:05 panther user.info kernel: KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 keymaxbits=256, found(0)
> Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(twofish): not found
> Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(serpent): not found
> Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(cast5): not found
> Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(blowfish): not found
> Apr  7 10:23:05 panther user.info kernel: KLIPS: lookup for ciphername=cbc(des3_ede): not found
> Apr  7 10:23:06 panther daemon.err ipsec_setup: KLIPS debug `none'
> Apr  7 10:23:06 panther daemon.err ipsec_setup: KLIPS ipsec0 on pppoe-wan 93.212.212.36/ pointtopoint 217.0.119.8/32 mtu 1492
> Apr  7 10:23:07 panther authpriv.err ipsec__plutorun: Starting Pluto subsystem...
> Apr  7 10:23:07 panther daemon.err ipsec_setup: ...Openswan IPsec started
> Apr  7 10:23:07 panther daemon.err ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
> Apr  7 10:23:07 panther user.warn syslog: adjusting ipsec.d to /etc/ipsec.d
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: LEAK_DETECTIVE support [disabled]
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: OCF support for IKE [disabled]
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: SAref support [disabled]: Protocol not available
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: SAbind support [disabled]: Protocol not available
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: NSS support [disabled]
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: HAVE_STATSD notification support not compiled in
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Setting NAT-Traversal port-4500 floating to on
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]:    port floating activation criteria nat_t=1/port_float=1
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]:    NAT-Traversal support  [enabled]
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: using /dev/urandom as source of random entropy
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: starting up 1 cryptographic helpers
> Apr  7 10:23:07 panther authpriv.warn pluto[8636]: using /dev/urandom as source of random entropy
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: started helper pid=8636 (fd:6)
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Kernel interface auto-pick
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: No Kernel NETKEY interface detected
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Using KLIPS IPsec interface code on 2.6.32.27
> Apr  7 10:23:07 panther daemon.err ipsec_setup: Starting Openswan IPsec 2.6.37...
> Apr  7 10:23:07 panther daemon.err ipsec_setup: ipsec0 -> NULL mtu=0(0) -> 0
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Changed path to directory '/etc/ipsec.d/cacerts'
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Changed path to directory '/etc/ipsec.d/aacerts'
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Changed path to directory '/etc/ipsec.d/ocspcerts'
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: Changing to directory '/etc/ipsec.d/crls'
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]:   Warning: empty directory
> Apr  7 10:23:07 panther authpriv.warn pluto[8629]: added connection description "racoon2-panthernet"
> Apr  7 10:23:07 panther daemon.err ipsec__plutorun: 002 added connection description "racoon2-panthernet"
> Apr  7 10:23:08 panther authpriv.warn pluto[8629]: listening for IKE messages
> Apr  7 10:23:08 panther authpriv.warn pluto[8629]: adding interface ipsec0/pppoe-wan 93.212.212.36:500
> Apr  7 10:23:08 panther authpriv.warn pluto[8629]: adding interface ipsec0/pppoe-wan 93.212.212.36:4500
> Apr  7 10:23:08 panther authpriv.warn pluto[8629]: loading secrets from "/etc/ipsec.secrets"
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: initiating Main Mode
> Apr  7 10:23:09 panther daemon.err ipsec__plutorun: 104 "racoon2-panthernet" #2: STATE_MAIN_I1: initiate
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received Vendor ID payload [XAUTH]
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received Vendor ID payload [Dead Peer Detection]
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received Vendor ID payload [RFC 3947] method set to=109
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: enabling possible NAT-traversal with method 4
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: STATE_MAIN_I2: sent MI2, expecting MR2
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: STATE_MAIN_I3: sent MI3, expecting MR3
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: Main mode peer ID is ID_FQDN: '@racoon2.tvdr.de'
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
> Apr  7 10:23:09 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:194bd87e proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> Apr  7 10:23:10 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> Apr  7 10:23:10 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received and ignored informational message
> Apr  7 10:23:18 panther authpriv.warn pluto[8629]: initiate on demand from 192.168.100.2:0 to 88.198.76.220:0 proto=0 state: fos_start because: acquire
> Apr  7 10:23:18 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#2 msgid:f62db0f3 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> Apr  7 10:23:18 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> Apr  7 10:23:18 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received and ignored informational message
> Apr  7 10:23:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: ignoring informational payload, type INVALID_HASH_INFORMATION msgid=00000000
> Apr  7 10:23:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received and ignored informational message
> Apr  7 10:23:34 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #2: received Delete SA payload: deleting ISAKMP State #2
> Apr  7 10:23:34 panther authpriv.warn pluto[8629]: packet from 88.198.76.220:500: received and ignored informational message
> Apr  7 10:23:34 panther authpriv.warn pluto[8629]: ERROR: asynchronous network error report on pppoe-wan (sport=500) for message to 88.198.76.220 port 500, complainant 88.198.76.220: Connection refused [errno 146, origin ICMP type 3 code 3 (not authenticated)]
> Apr  7 10:23:40 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #4: ERROR: asynchronous network error report on pppoe-wan (sport=500) for message to 88.198.76.220 port 500, complainant 88.198.76.220: Connection refused [errno 146, origin ICMP type 3 code 3 (not aut
> Apr  7 10:23:48 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #5: ERROR: asynchronous network error report on pppoe-wan (sport=500) for message to 88.198.76.220 port 500, complainant 88.198.76.220: Connection refused [errno 146, origin ICMP type 3 code 3 (not aut
> Apr  7 10:24:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> Apr  7 10:24:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #4: starting keying attempt 2 of an unlimited number
> Apr  7 10:24:20 panther authpriv.warn pluto[8629]: "racoon2-panthernet" #6: initiating Main Mode
>
> The /etc/ipsec.conf on the strongSwan side is:
>
> ----------------------------------------------------------------------------------------------
> conn racoon2-panthernet
>         also=racoon2
>         also=panther
>         rightsubnet=192.168.100.0/24
>         authby=secret
>         keyexchange=ikev1
>         auto=start
>
> conn racoon2
>         leftid=@racoon2.tvdr.de
>         left=88.198.76.220
>
> conn panther
>         rightid=@panther.tvdr.de
>         right=%any
> ----------------------------------------------------------------------------------------------
>
> The /etc/ipsec.conf on the Openswan side is:
>
> ----------------------------------------------------------------------------------------------
> version 2.0     # conforms to second version of ipsec.conf specification
>
> config setup
>         dumpdir=/var/run/pluto/
>         nat_traversal=yes
>         oe=off
>         protostack=auto
>
> conn panther
>         leftid=@panther.tvdr.de
>         left=%defaultroute
>
> conn racoon2-panthernet
>         also=racoon2
>         also=panther
>         leftsubnet=192.168.100.0/24
>         authby=secret
>         auto=start
>
> conn racoon2
>         rightid=@racoon2.tvdr.de
>         right=88.198.76.220
> ----------------------------------------------------------------------------------------------
>
> The /etc/ipsec.secrets on both sides is:
>
> ----------------------------------------------------------------------------------------------
> @panther.tvdr.de @racoon2.tvdr.de : PSK "MySecretFakePassword"
> ----------------------------------------------------------------------------------------------
>
>
> Klaus Schmidinger

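Added example, not part of the original thread and not strongSwan code: a small parser for the `received proposals` / `configured proposals` lines quoted above that reports which transform type blocks agreement. The matching rule (every transform type present on either side needs a common algorithm) is a simplified model assumed for illustration, and the "fixed" log line is constructed to show what the suggested `esp=aes128-sha1-modp2048!` would be expected to log.

```python
import re

# Classify transform names by prefix (simplified; covers the names seen in this thread).
TYPE_PREFIXES = (
    ("dh", ("MODP_", "ECP_")),
    ("esn", ("NO_EXT_SEQ", "EXT_SEQ")),
    ("integ", ("HMAC_", "AES_XCBC_", "AES_CMAC_")),
)
LINE_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.+)$")

def transform_type(name):
    for ttype, prefixes in TYPE_PREFIXES:
        if name.startswith(prefixes):
            return ttype
    return "encr"  # anything else is treated as an encryption algorithm

def parse_line(line):
    """Return (kind, [(protocol, {type: [names]})]) or None for unrelated lines."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    proposals = []
    for item in m.group(2).split(", "):
        proto, _, transforms = item.partition(":")
        by_type = {}
        for name in transforms.split("/"):
            by_type.setdefault(transform_type(name), []).append(name)
        proposals.append((proto, by_type))
    return m.group(1), proposals

def mismatches(received, configured):
    """Transform types with no algorithm in common; an empty list means a match."""
    (rproto, r), (cproto, c) = received, configured
    if rproto != cproto:
        return ["protocol"]
    return [t for t in sorted(set(r) | set(c))
            if not set(r.get(t, [])) & set(c.get(t, []))]

def diagnose(log_lines):
    """Return (matched, transform types that block every received/configured pair)."""
    parsed = dict(filter(None, map(parse_line, log_lines)))
    results = [mismatches(r, c)
               for r in parsed["received"] for c in parsed["configured"]]
    if any(not bad for bad in results):
        return True, []
    return False, sorted(set.intersection(*(set(bad) for bad in results)))

# The two proposal lines from the strongSwan-side log quoted in the thread.
PAGE_LOG = [
    "Apr  7 10:05:39 racoon2 ipsec[12837]: 08[CFG] received proposals: "
    "ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, "
    "ESP:AES_CBC_128/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, "
    "ESP:3DES_CBC/HMAC_MD5_96/MODP_2048/NO_EXT_SEQ",
    "Apr  7 10:05:39 racoon2 ipsec[12837]: 08[CFG] configured proposals: "
    "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/"
    "HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ",
]
# Constructed line (assumption): what esp=aes128-sha1-modp2048! should produce.
FIXED_CONFIGURED = ("Apr  7 10:05:39 racoon2 ipsec[12837]: 08[CFG] configured "
                    "proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ")

if __name__ == "__main__":
    print("as logged:", diagnose(PAGE_LOG))
    print("with DH group configured:", diagnose([PAGE_LOG[0], FIXED_CONFIGURED]))
```

On the logged lines the only blocking type is `dh`: every proposal from the Openswan side carries MODP_2048 (PFS), while the configured strongSwan proposal lists no DH group at all.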


