[strongSwan] Don't know where to start

Rene Maurer renemaur at gmail.com
Thu Apr 27 14:03:21 CEST 2017

Hello Noel

Noel Kuntze <noel at familie-kuntze.de> wrote:

>> But when I look at the log on my site together with
>> "tcpdump -i ppp0", I have the impression that ikev2_auth
>> is sent (once).  
> This looks good. Check if that packet makes it there. Some IKE implementations
> just drop all packets from other peers when authentication fails and report a local
> error instead of sending a notification back.

Sorry for not answering for so long.
Unfortunately the problem is still pending.

The remote site (which I cannot control for now) says that
the tunnel is up and running (!) but on my site I still have

Security Associations (1 up, 0 connecting):
        home[1]: CONNECTING,

and this should be ESTABLISHED I think? (a ping from my site to
the remote site is not possible).

Still I do not see a response to child_sa  ikev2_auth[I]:
11:26:44.073488 IP > isakmp: parent_sa ikev2_init[I]
11:26:45.256562 IP > isakmp: parent_sa ikev2_init[R]
11:26:45.379980 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:26:49.388349 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]

Do you agree that this is the source of the problem?

In case I switch "type=tunnel" to "type=transport" I see (as expected):
11:25:22.706710 IP > isakmp: parent_sa ikev2_init[I]
11:25:23.752559 IP > isakmp: parent_sa ikev2_init[R]
11:25:23.884131 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:25:24.003467 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[R]

But transport is not what I want, I assume....

Do you have an idea what I can do without having full access to the remote site?

Kind regards
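
As an added illustration (not part of the mail thread): a small Python check over tcpdump isakmp summary lines of the kind quoted above, reporting which IKEv2 exchanges never received a responder message and how often the initiator retransmitted. The two trace strings are constructed from the excerpts in the mail, and the regex assumes tcpdump's isakmp summary format exactly as shown there.

```python
import re

# Sample tcpdump output, constructed from the excerpts quoted in the mail
# (the post shows no IP addresses, so the "IP >" field is kept as-is).
TUNNEL_TRACE = """\
11:26:44.073488 IP > isakmp: parent_sa ikev2_init[I]
11:26:45.256562 IP > isakmp: parent_sa ikev2_init[R]
11:26:45.379980 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:26:49.388349 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
"""

TRANSPORT_TRACE = """\
11:25:22.706710 IP > isakmp: parent_sa ikev2_init[I]
11:25:23.752559 IP > isakmp: parent_sa ikev2_init[R]
11:25:23.884131 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[I]
11:25:24.003467 IP > NONESP-encap: isakmp: child_sa  ikev2_auth[R]
"""

# One tcpdump isakmp summary line: timestamp, exchange name, [I]/[R] role.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) .*isakmp: \S+\s+(?P<exch>ikev2_\w+)\[(?P<role>[IR])\]"
)


def count_exchanges(trace):
    """Count initiator (I) and responder (R) messages per IKEv2 exchange type.

    Returns e.g. {'ikev2_init': {'I': 1, 'R': 1}, 'ikev2_auth': {'I': 2, 'R': 0}},
    keyed in the order the exchanges first appear in the capture.
    """
    counts = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ESP or unrelated traffic: not an IKE message
        exch = counts.setdefault(m["exch"], {"I": 0, "R": 0})
        exch[m["role"]] += 1
    return counts


def unanswered_exchanges(trace):
    """Exchange types we initiated but never saw a responder message for.

    An IKE_AUTH with repeated [I] and no [R] leaves the IKE_SA in CONNECTING:
    the initiator keeps retransmitting and no CHILD_SA can be installed.
    """
    counts = count_exchanges(trace)
    return [name for name, c in counts.items() if c["I"] > 0 and c["R"] == 0]


def retransmissions(trace):
    """Repeated initiator messages per exchange (I count minus the first send)."""
    return {name: c["I"] - 1 for name, c in count_exchanges(trace).items() if c["I"] > 1}
```

Running `unanswered_exchanges` on the tunnel trace names `ikev2_auth`, while the transport trace yields nothing, matching the difference described in the mail.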

