[strongSwan] Couldn't establish IKEv2 vpn connection using strongswan, log shows timeout

Giuseppe De Marco giuseppe.demarco at unical.it
Tue Nov 7 13:40:35 CET 2017


Hi Joshua,

From the client side you should also read some auth failures.
Probably it means that the ca.crt is not valid or the client doesn't understand
the auth-type because of missing plugin dependencies. It could depend on
the client type as well: if Linux with charon-cmd, you have to specify the
--cert path. The IKE_SA goes into timeout; this is the information, and it depends
on the client that cannot understand the incoming packets.

The more important thing is your configuration; you should let us read it.
If your tunnel never worked you could also think about re-configuring it from
scratch. I produced these scripts to introduce myself to IKEv2:

https://github.com/peppelinux/UniTools/tree/master/IPSec

Hope this helps. I'm not a strongSwan veteran; probably someone could help
you better than me :)

2017-11-07 12:11 GMT+01:00 Joshua Nocturne <joshua.nocturne at gmail.com>:

> Hello,
>     I have some problems with the configuration of strongSwan: no matter
> how I configured it, the IKEv2 connection just couldn't be established. The
> strongSwan log looks like this:
> Nov  7 18:52:21 05[NET] <1> received packet: from 183.131.17.162[380] to
> 47.90.13.129[500] (616 bytes)
> Nov  7 18:52:21 05[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Nov  7 18:52:21 05[IKE] <1> received MS NT5 ISAKMPOAKLEY v9 vendor ID
> Nov  7 18:52:21 05[IKE] <1> received MS-Negotiation Discovery Capable
> vendor ID
> Nov  7 18:52:21 05[IKE] <1> received Vid-Initial-Contact vendor ID
> Nov  7 18:52:21 05[ENC] <1> received unknown vendor ID:
> 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
> Nov  7 18:52:21 05[IKE] <1> 183.131.17.162 is initiating an IKE_SA
> Nov  7 18:52:21 05[IKE] <1> remote host is behind NAT
> Nov  7 18:52:21 05[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Nov  7 18:52:21 05[NET] <1> sending packet: from 47.90.13.129[500] to
> 183.131.17.162[380] (312 bytes)
> Nov  7 18:52:22 16[NET] <1> received packet: from 183.131.17.162[380] to
> 47.90.13.129[500] (616 bytes)
> Nov  7 18:52:22 16[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Nov  7 18:52:22 16[IKE] <1> received retransmit of request with ID 0,
> retransmitting response
> Nov  7 18:52:22 16[NET] <1> sending packet: from 47.90.13.129[500] to
> 183.131.17.162[380] (312 bytes)
> Nov  7 18:52:23 11[NET] <1> received packet: from 183.131.17.162[380] to
> 47.90.13.129[500] (616 bytes)
> Nov  7 18:52:23 11[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Nov  7 18:52:23 11[IKE] <1> received retransmit of request with ID 0,
> retransmitting response
> Nov  7 18:52:23 11[NET] <1> sending packet: from 47.90.13.129[500] to
> 183.131.17.162[380] (312 bytes)
> Nov  7 18:52:51 15[JOB] <1> deleting half open IKE_SA after timeout
>
>    Need your help, please.
>
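
The pattern in the quoted log, as an added example (not code from either poster or from the strongSwan project): a small Python summarizer that strips the mail quoting, rejoins the wrapped log entries, and reports per IKE_SA whether the peer only retransmitted IKE_SA_INIT and never sent IKE_AUTH before the half-open timeout. The function names are hypothetical; the matched message strings are the ones in the log above, except `parsed IKE_AUTH request`, which is assumed to follow the same format.

```python
import re

# Excerpt of the charon log from the quoted message, kept as mailed
# ("> " quote prefix and line wrapping included), trimmed to the key entries.
SAMPLE = """\
> Nov  7 18:52:21 05[ENC] <1> parsed IKE_SA_INIT request 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) V V V V ]
> Nov  7 18:52:21 05[IKE] <1> remote host is behind NAT
> Nov  7 18:52:21 05[ENC] <1> generating IKE_SA_INIT response 0 [ SA KE No
> N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Nov  7 18:52:22 16[IKE] <1> received retransmit of request with ID 0,
> retransmitting response
> Nov  7 18:52:23 11[IKE] <1> received retransmit of request with ID 0,
> retransmitting response
> Nov  7 18:52:51 15[JOB] <1> deleting half open IKE_SA after timeout
"""

# timestamp, thread[GROUP], <IKE_SA id>, message
ENTRY = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \d+\[[A-Z]{3}\] <([^>]+)> (.*)$")

def unwrap(text):
    """Strip mail quoting and rejoin entries wrapped by the mail client."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if ENTRY.match(line):
            entries.append(line)
        elif line and entries:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def summarize(text):
    """Per IKE_SA id: count the handshake events the responder logged."""
    sas = {}
    for sa, msg in (m.groups() for m in map(ENTRY.match, unwrap(text)) if m):
        s = sas.setdefault(sa, {"init": 0, "retransmits": 0, "auth": 0, "timeout": False})
        s["init"] += msg.startswith("parsed IKE_SA_INIT request")
        s["retransmits"] += msg.startswith("received retransmit of request")
        s["auth"] += msg.startswith("parsed IKE_AUTH request")  # assumed format
        s["timeout"] |= "deleting half open IKE_SA after timeout" in msg
    return sas

def stalled_after_init(stats):
    """True when the peer kept resending IKE_SA_INIT and never sent IKE_AUTH."""
    return stats["timeout"] and stats["auth"] == 0 and stats["retransmits"] > 0

if __name__ == "__main__":
    for sa, stats in summarize(SAMPLE).items():
        print(sa, stats, "stalled after IKE_SA_INIT:", stalled_after_init(stats))
```

A `True` result means the responder's IKE_SA_INIT reply was never acted on by the initiator, so the exchange ended before any authentication message was logged on the server.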