[strongSwan] Don't know where to start
Rene Maurer
renemaur at gmail.com
Thu Apr 27 14:03:21 CEST 2017
Hello Noel
Noel Kuntze <noel at familie-kuntze.de> wrote:
>> But when I look at the log on my site together with
>> "tcpdump -i ppp0", I have the impression that ikev2_auth
>> is sent (once).
>
> This looks good. Check if that packet makes it there. Some IKE implementations
> just drop all packets from other peers when authentication fails and report a local
> error instead of sending a notification back.
Sorry for not answering for so long.
Unfortunately the problem is still pending.
The remote site (which I cannot control for now) says that
the tunnel is up and running (!) but on my site I still have
Security Associations (1 up, 0 connecting):
home[1]: CONNECTING,
and this should be ESTABLISHED I think? (a ping from my site 10.4.48.5 to
the remote site 10.4.30.11 is not possible).
Still I do not see a response to child_sa ikev2_auth[I]:
11:26:44.073488 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:26:45.256562 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:26:45.379980 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:26:49.388349 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
Do you agree that is the source of the problem?
In case I switch "type=tunnel" to "type=transport" I see (as expected):
11:25:22.706710 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:25:23.752559 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:25:23.884131 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:25:24.003467 IP 83.137.25.197.4500 > 10.0.54.146.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
But transport is not what I want, I assume....
Do you have an idea what I can do without having full access to the remote site?
Kind regards
René
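
Added example, not part of the original message: a small Python check that reads the two tcpdump traces quoted above and reports IKE requests that never received a response, with how often each was sent. It assumes that an R inside the brackets marks a response and pairs packets by exchange type and address pair, since the one-line summaries carry no message IDs; the name unanswered is hypothetical.

```python
import re

# tcpdump summaries copied from the message above (type=tunnel, then type=transport).
TUNNEL = """\
11:26:44.073488 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:26:45.256562 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:26:45.379980 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:26:49.388349 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
"""
TRANSPORT = """\
11:25:22.706710 IP 10.0.54.146.500 > 83.137.25.197.500: isakmp: parent_sa ikev2_init[I]
11:25:23.752559 IP 83.137.25.197.500 > 10.0.54.146.500: isakmp: parent_sa ikev2_init[R]
11:25:23.884131 IP 10.0.54.146.4500 > 83.137.25.197.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
11:25:24.003467 IP 83.137.25.197.4500 > 10.0.54.146.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
"""

# Ports are matched but not captured: IKE floats from 500 to 4500 with NAT-T,
# so only the addresses identify the peers.
LINE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+: "
    r"(?:NONESP-encap: )?isakmp: \S+ (?P<exch>\w+)(?:\[(?P<flags>[IVR]+)\])?"
)


def unanswered(trace):
    """Return [(exchange, requester, responder, times_sent)] with no response seen."""
    pending = {}  # (exchange, requester, responder) -> transmissions seen
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not an IKE summary line
        exch, src, dst = m["exch"], m["src"], m["dst"]
        if "R" in (m["flags"] or ""):  # assumption: R flag marks a response
            # A response clears the request that went the opposite way.
            pending.pop((exch, dst, src), None)
        else:
            key = (exch, src, dst)
            pending[key] = pending.get(key, 0) + 1  # counts retransmissions too
    return [(e, s, d, n) for (e, s, d), n in pending.items()]


if __name__ == "__main__":
    for name, trace in (("tunnel", TUNNEL), ("transport", TRANSPORT)):
        print(name, unanswered(trace) or "every request was answered")
```

An unanswered ikev2_auth in a local capture does not show whether the request was lost on the way out or the reply on the way back; that needs a capture on the peer or along the path.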