[strongSwan] Don't know where to start

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Apr 27 15:12:04 CEST 2017

Hello René,

On 27.04.2017 14:12, Rene Maurer wrote:
> Sorry for not answering so long.
> Unfortunately the problem is still pending.
> The remote site (which I cannot control for now) says that
> the tunnel is up and running (!) but on my site I still ha
>
> Security Associations (1 up, 0 connecting):
>         home[1]: CONNECTING,
> and this should be ESTABLISHED I think? (a ping from my site to
> the remote site is not possible).

Well, what the remote side's personnel is telling you isn't true then.

> Still I do not see a response to child_sa  ikev2_auth[I]:
> 11:26:44.073488 IP > isakmp: parent_sa ikev2_init[I]
> 11:26:45.256562 IP > isakmp: parent_sa ikev2_init[R]
> 11:26:45.379980 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 11:26:49.388349 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]

Obviously the remote peer does not respond to the request.

> Do you agree that is the source of the problem?


> In case I switch "type=tunnel" to "type=transport" I see (as expected):
> 11:25:22.706710 IP > isakmp: parent_sa ikev2_init[I]
> 11:25:23.752559 IP > isakmp: parent_sa ikev2_init[R]
> 11:25:23.884131 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 11:25:24.003467 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[R]
> But transport is not what I want, I assume....

Yes, you don't need transport mode.

> Do you have an idea what I can do without having full access to the remote site?

Acquire full access, educate the personnel that runs it or try to apply pressure from the superiors.

Kind regards,
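
The diagnosis in this message (an `ikev2_auth` request that is retransmitted and never answered) can be checked mechanically over saved tcpdump text. The following is an added example, not part of the original message or of strongSwan; the function name `unanswered_exchanges` is hypothetical, and it assumes the capture was taken on the initiator, as in the thread.

```python
import re

# Line shape of tcpdump's ISAKMP output as quoted in the thread (addresses
# already stripped there). Assumption: the capture is taken on the initiator,
# so [I] is a local request and [R] is the peer's response.
LINE_RE = re.compile(
    r"(?P<ts>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}\.\d+) IP .*?isakmp: "
    r"\S+\s+(?P<exch>\w+)\[(?P<flags>[IR]{1,2})\]"
)

# The tunnel-mode capture from the thread, mail quoting included.
SAMPLE = """\
> 11:26:44.073488 IP > isakmp: parent_sa ikev2_init[I]
> 11:26:45.256562 IP > isakmp: parent_sa ikev2_init[R]
> 11:26:45.379980 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 11:26:49.388349 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
"""

def unanswered_exchanges(text):
    """Map each exchange that got no response to its send count and the
    seconds between the first and the last transmission."""
    pending = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IKE line
        t = int(m["ts"]) * 3600 + int(m["mi"]) * 60 + float(m["s"])
        if "R" in m["flags"]:
            pending.pop(m["exch"], None)  # answered: no longer pending
        else:
            first, _, sent = pending.get(m["exch"], (t, t, 0))
            pending[m["exch"]] = (first, t, sent + 1)
    return {
        exch: {"sent": sent, "span_s": round(last - first, 3)}
        for exch, (first, last, sent) in pending.items()
    }

if __name__ == "__main__":
    for exch, info in unanswered_exchanges(SAMPLE).items():
        print(f"{exch}: sent {info['sent']}x over {info['span_s']}s, no response")
```

An empty result means every request seen in the capture was answered, which is what the transport-mode capture quoted above produces.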
