[strongSwan] Don't know where to start

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Apr 27 15:12:04 CEST 2017


Hello René,

On 27.04.2017 14:12, Rene Maurer wrote:
> Sorry for not answering so long.
> Unfortunately the problem is still pending.
> 
> The remote site (which I cannot control for now) says that
> the tunnel is up and running (!) but on my site I still have
> 
> Security Associations (1 up, 0 connecting):
>         home[1]: CONNECTING,
> 
> and this should be ESTABLISHED I think? (a ping from my site 10.4.48.5 to
> the remote site 10.4.30.11 is not possible).

Well, what the remote side's personnel is telling you isn't true then.

> 
> Still I do not see a response to child_sa  ikev2_auth[I]:
> 11:26:44.073488 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
> 11:26:45.256562 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
> 11:26:45.379980 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 11:26:49.388349 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]

Obviously the remote peer does not respond to the request.

> 
> Do you agree that is the source of the problem?
> 

Yes.

> In case I switch "type=tunnel" to "type=transport" I see (as expected):
> 11:25:22.706710 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
> 11:25:23.752559 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
> 11:25:23.884131 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 11:25:24.003467 IP 83.137.25.197.4500 > 10.0.54.146.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
> 
> But transport is not what I want, I assume....

Yes, you don't need transport mode.

> 
> Do you have an idea what I can do without having full access to the remote site?
> 

Acquire full access, educate the personnel that runs it or try to apply pressure from the superiors.

Kind regards,
Noel
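
Added example, not part of the original message: a small Python check that reads tcpdump's one-line isakmp summaries, such as the two captures quoted in this thread, and reports IKEv2 requests that never received a response. The function name and the pairing heuristic (matching by endpoints and exchange type, since these summary lines carry no message ID) are assumptions of this example.

```python
import re

# tcpdump one-line summary of an IKEv2 packet, in the form quoted in the thread.
# The flags in brackets are I (original initiator), V (version), R (response).
LINE = re.compile(
    r"^(?P<ts>[\d:.]+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?:NONESP-encap: )?isakmp: \S+\s+(?P<xchg>ikev2_\w+)\[(?P<flags>[IVR]*)\]"
)

# The two captures quoted in the thread (type=tunnel, then type=transport).
TUNNEL_CAPTURE = """
11:26:44.073488 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:26:45.256562 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:26:45.379980 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:26:49.388349 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
"""
TRANSPORT_CAPTURE = """
11:25:22.706710 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:25:23.752559 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:25:23.884131 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:25:24.003467 IP 83.137.25.197.4500 > 10.0.54.146.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
"""

def unanswered_requests(lines):
    """Return {(src, dst, exchange): [timestamps]} for requests with no reply.

    More than one timestamp under a key means the request was retransmitted.
    """
    pending = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # blank line or not an IKEv2 summary line
        src, dst, xchg = m["src"], m["dst"], m["xchg"]
        if "R" in m["flags"]:
            # A response answers the request that travelled the opposite way.
            pending.pop((dst, src, xchg), None)
        else:
            pending.setdefault((src, dst, xchg), []).append(m["ts"])
    return pending

if __name__ == "__main__":
    for name, capture in (("tunnel", TUNNEL_CAPTURE), ("transport", TRANSPORT_CAPTURE)):
        result = unanswered_requests(capture.splitlines())
        print(name, "->", result or "every request was answered")
```

On the tunnel capture this flags the IKE_AUTH request on port 4500 as sent twice with no reply, which is the symptom discussed above; the transport capture comes back clean.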
