[strongSwan] Don't know where to start

Rene Maurer rmnet at mailc.net
Thu Apr 27 14:12:51 CEST 2017


(Sorry, email again with fixed from-address)

Hello Noel

Noel Kuntze <noel at familie-kuntze.de> wrote:

>> But when I look at the log on my site together with
>> "tcpdump -i ppp0", I have the impression that ikev2_auth
>> is sent (once).    
> 
> This looks good. Check if that packet makes it there. Some IKE implementations
> just drop all packets from other peers when authentication fails and report a local
> error instead of sending a notification back.

Sorry for not answering for so long.
Unfortunately the problem is still pending.

The remote site (which I cannot control for now) says that
the tunnel is up and running (!) but on my site I still have

Security Associations (1 up, 0 connecting):
        home[1]: CONNECTING,

and this should be ESTABLISHED I think? (a ping from my site 10.4.48.5 to
the remote site 10.4.30.11 is not possible).

Still I do not see a response to child_sa  ikev2_auth[I]:
11:26:44.073488 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:26:45.256562 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:26:45.379980 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:26:49.388349 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]

Do you agree that is the source of the problem?

In case I switch "type=tunnel" to "type=transport" I see (as expected):
11:25:22.706710 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:25:23.752559 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:25:23.884131 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:25:24.003467 IP 83.137.25.197.4500 > 10.0.54.146.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]

But transport is not what I want, I assume...

Do you have an idea what I can do without having full access to the remote site?

Kind regards
René
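An added example, not part of René's or Noel's mail: a small Python checker that reads tcpdump isakmp summary lines like the ones quoted above and reports any IKEv2 exchange the initiator kept retransmitting without a single responder packet being seen, together with the gaps between retransmits. The two sample traces are the four-line captures from the mail, embedded here as constructed input.

```python
import re
from collections import defaultdict

# One isakmp summary line as tcpdump prints it for IKEv2; NAT-T lines carry an
# extra "NONESP-encap:" prefix, which the regex tolerates.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP [\d.]+\.\d+ > [\d.]+\.\d+: (?:NONESP-encap: )?"
    r"isakmp: (?:parent_sa|child_sa)\s+(?P<exch>ikev2_\w+)\[(?P<role>[IR])\]$"
)

def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def parse_ike_trace(lines):
    """Yield (seconds, exchange, role) per IKEv2 line; ESP, pings and other traffic are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield _seconds(m["ts"]), m["exch"], m["role"]

def unanswered_exchanges(lines):
    """Map each exchange the initiator (re)sent without seeing any responder packet to the
    gaps in seconds between its retransmits. Non-empty means the handshake stalled there:
    the peer did not answer, or its answer never reached this capture point."""
    sent, answered = defaultdict(list), set()
    for t, exch, role in parse_ike_trace(lines):
        if role == "I":
            sent[exch].append(t)
        else:
            answered.add(exch)
    return {e: [round(b - a, 3) for a, b in zip(ts, ts[1:])]
            for e, ts in sent.items() if e not in answered}

# Constructed sample input: the two four-line captures quoted in the mail above.
TUNNEL_TRACE = """\
11:26:44.073488 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:26:45.256562 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:26:45.379980 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:26:49.388349 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
""".splitlines()

TRANSPORT_TRACE = """\
11:25:22.706710 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:25:23.752559 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:25:23.884131 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:25:24.003467 IP 83.137.25.197.4500 > 10.0.54.146.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
""".splitlines()
```

Feeding it `tcpdump -i ppp0 -n udp port 500 or udp port 4500` output from both ends of the tunnel shows on which side the IKE_AUTH reply disappears.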

