[strongSwan] Migration from OpenSWAN to StrongSWAN problem.
Tobias Brunner
tobias at strongswan.org
Tue Dec 4 12:07:30 CET 2018
Hi,
> Dec 2 15:34:13 charon-custom: 11[ENC] generating IKE_SA_INIT request 0
> [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> ...
> Dec 2 15:34:49 charon-custom: 10[ENC] parsed ID_PROT request 0 [ SA V V
> V V V V V V ]
strongSwan tries to initiate an IKEv2 connection, while the peer
concurrently initiates an IKEv1 connection, whose two CHILD_SAs are
actually established successfully:
> Dec 2 15:34:50 charon-custom: 04[IKE] CHILD_SA azure1{1} established
> with SPIs ca324e62_i 24d548c4_o and TS 10.1.0.0/16 === 10.5.0.0/24
> ...
> Dec 2 15:34:50 charon-custom: 16[IKE] CHILD_SA azure2{2} established
> with SPIs cd87fa1d_i c89fa3be_o and TS 10.2.0.0/16 === 10.5.0.0/24
> Dec 2 15:36:58 charon-custom: 11[IKE] giving up after 5 retransmits
> Dec 2 15:36:58 charon-custom: 11[IKE] establishing IKE_SA failed, peer
> not responding
>
> Any idea what is wrong here?
That's just the IKEv2 SA that's abandoned because the peer never
responded to the request. You still have the IKEv1 SA with two
CHILD_SAs established. Anyway, configure both to use the same IKE
version (preferably IKEv2, but to use IKEv1 configure keyexchange=ikev1
in ipsec.conf).
Regards,
Tobias
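
The diagnosis above, as an added example that is not part of the original message and not strongSwan code: a short Python check that reads charon log text and reports which IKE version each side used for its initial exchange. The function names are hypothetical, and the sample lines are the ones quoted in the thread, unwrapped for parsing.

```python
import re

# First exchange of each IKE version, as charon names it in [ENC] log lines.
INITIAL_EXCHANGE = {
    "IKE_SA_INIT": "ikev2",
    "ID_PROT": "ikev1",      # IKEv1 Main Mode
    "AGGRESSIVE": "ikev1",   # IKEv1 Aggressive Mode
}

# "generating ... request" is sent by the local daemon,
# "parsed ... request" was received from the peer.
ENC_RE = re.compile(r"\[ENC\] (generating|parsed) (\w+) request \d+")
GAVE_UP_RE = re.compile(r"giving up after \d+ retransmits")


def initiator_versions(log_text):
    """Collect the IKE versions each side tried to initiate."""
    seen = {"local": set(), "peer": set()}
    for action, exchange in ENC_RE.findall(log_text):
        version = INITIAL_EXCHANGE.get(exchange)
        if version:
            seen["local" if action == "generating" else "peer"].add(version)
    return seen


def diagnose(log_text):
    """Flag the case where both ends initiate, but with different versions."""
    seen = initiator_versions(log_text)
    mismatch = bool(seen["local"] and seen["peer"]
                    and seen["local"] != seen["peer"])
    return {
        "local": sorted(seen["local"]),
        "peer": sorted(seen["peer"]),
        "mismatch": mismatch,
        # An abandoned IKE_SA is expected when the peer ignores our version.
        "abandoned": GAVE_UP_RE.search(log_text) is not None,
    }


# Sample input: log lines quoted in the thread, joined onto single lines.
SAMPLE_LOG = """\
Dec 2 15:34:13 charon-custom: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Dec 2 15:34:49 charon-custom: 10[ENC] parsed ID_PROT request 0 [ SA V V V V V V V V ]
Dec 2 15:34:50 charon-custom: 04[IKE] CHILD_SA azure1{1} established with SPIs ca324e62_i 24d548c4_o and TS 10.1.0.0/16 === 10.5.0.0/24
Dec 2 15:36:58 charon-custom: 11[IKE] giving up after 5 retransmits
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A result with `mismatch` set means the two gateways are configured for different IKE versions, which is the condition the reply says to fix by setting the same `keyexchange` on both ends.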