[strongSwan] ipsec.conf working vs swanctl.conf not working

Marco Berizzi pupilla at hotmail.com
Fri May 4 16:37:46 CEST 2018


Hi Tobias,

> So you're using IKEv1 now?  (Was IKEv2 in your original mail, and you
> should definitely prefer that if you can.)

Yes, this is another customer. I should have opened another thread.

> Different IKE proposals.  With ipsec.conf the default proposal(s) are
> added to whatever you configure in ike/esp unless that ends with a !.
> With swanctl.conf the default proposal(s) have to be added explicitly to
> the IKE/ESP proposals (e.g. in your example `proposals =
> 3des-sha1-modp1024, default`).  So that indicates your configured
> proposal is incorrect.  But that's a completely different problem than
> the one you had before with IKEv2.

thanks for the explanation.
I have found the problematic parameter:

reauth_time

Decreasing it from 24h to 20h, I got this message:

[IKE] initiating Main Mode IKE_SA cbt[874] to 31.169.105.210
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (248 bytes)
[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (140 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V ]
[ENC] received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61
[IKE] received DPD vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (244 bytes)
[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (228 bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH ]
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (68 bytes)
[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
[ENC] parsed INFORMATIONAL_V1 request 2534754901 [ N(PLD_MAL) ]
[ENC] ignoring unprotected INFORMATIONAL from 31.169.105.210
[IKE] message verification failed
[IKE] ignore malformed INFORMATIONAL request
[IKE] INFORMATIONAL_V1 request with message ID 2534754901 processing failed
[IKE] sending retransmit 1 of request message ID 0, seq 3
[NET] sending packet: from 205.223.229.254[500] to 31.169.105.210[500] (68 bytes)
[NET] received packet: from 31.169.105.210[500] to 205.223.229.254[500] (40 bytes)
[ENC] parsed INFORMATIONAL_V1 request 1470134926 [ N(PLD_MAL) ]
[ENC] ignoring unprotected INFORMATIONAL from 31.169.105.210
[IKE] message verification failed
[IKE] ignore malformed INFORMATIONAL request
[IKE] INFORMATIONAL_V1 request with message ID 1470134926 processing failed
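The proposal rule Tobias describes above (ipsec.conf silently appends the default proposals unless the value ends with `!`, swanctl.conf does not) is easy to get wrong when migrating by hand. The following is an added example, not strongSwan code or anything from this thread: a small converter that rewrites ipsec.conf `ike=`/`esp=` values into swanctl.conf `proposals`/`esp_proposals` values with the same effective meaning. The `conn` block it parses is constructed, and the function names are mine.

```python
"""Rewrite ipsec.conf ike=/esp= values into swanctl.conf proposal values.

Added example, not part of strongSwan. Rule from the thread:
  - ipsec.conf: the default proposals are appended unless the value ends in '!'
  - swanctl.conf: nothing is appended; 'default' must be listed explicitly
So a migrated value keeps the same behaviour only if 'default' is added
whenever the ipsec.conf value was not strict ('!').
"""
import re


def ipsec_to_swanctl_proposals(value: str) -> str:
    """Translate one ipsec.conf ike= or esp= value into a swanctl.conf value."""
    value = value.strip()
    strict = value.endswith("!")            # '!' = strict mode in ipsec.conf
    body = value.rstrip("!").strip()
    props = [p.strip() for p in body.split(",") if p.strip()]
    if not strict:
        props.append("default")             # what ipsec.conf added implicitly
    return ", ".join(props)


def convert_conn(ipsec_conf: str) -> dict:
    """Extract ike= and esp= from an ipsec.conf conn block and convert them.

    Returns a dict keyed by the swanctl.conf option names. Keys are only
    present when the corresponding ipsec.conf option was set.
    """
    out = {}
    for key, swan_key in (("ike", "proposals"), ("esp", "esp_proposals")):
        m = re.search(rf"^\s*{key}\s*=\s*(.+?)\s*$", ipsec_conf, re.MULTILINE)
        if m:
            out[swan_key] = ipsec_to_swanctl_proposals(m.group(1))
    return out


# Constructed sample conn block (not from the thread): ike is non-strict,
# esp is strict, so only the ike proposals should gain 'default'.
SAMPLE_CONN = """conn cbt
    keyexchange=ikev1
    ike=3des-sha1-modp1024
    esp=3des-sha1!
"""

if __name__ == "__main__":
    for opt, val in convert_conn(SAMPLE_CONN).items():
        print(f"{opt} = {val}")
```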

