[strongSwan] Establishing IKE_SA failed, peer not responding

Marcelo Oscar Olcese marcelo.olcese at gmail.com
Wed Jul 14 13:23:37 CEST 2021


Good morning dear from Argentina!!!

I'm just starting out in VPNs with strongSwan, can you give me a hand?

I have 2 servers with Debian, and I am trying to connect a VPN with a provider. On one server I have succeeded (Debian 8), but not on the other (Debian 9). I have the same settings on both.

It could be an iptables issue, but I also started the server without iptables and it is the same: it does not connect.

Below I leave my logs.

Thanks for your help!!

I am doing NAT and POSTROUTING.



*IPSEC.CONF*

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn ciscoios
        left=190.XXX.XXX.XXX
        leftsubnet=200.XXX.XXX.XXX/24       # network
        leftid=190.XXX.XXX.XXX              # IKEID strongswan
        leftfirewall=yes
        right=200.69.XXX.XXX                # peer cisco
        rightsubnet=192.168.77.0/24         # networks on the other side (see conn ios2 and 3)
        rightid=200.69.XXX.XXX              # IKEID of the peer
        auto=start
        ike=3des-sha1-modp1024              # Phase1
        esp=3des-sha1                       # Phase2
        type=tunnel

conn ciscoios2
        also=ciscoios
        rightsubnet=10.XXX.XXX.XXX/24

conn ciscoios3
        also=ciscoios
        rightsubnet=192.XXX.XXX.0/24

include /var/lib/strongswan/ipsec.conf.inc



*Syslog:*

Jul 13 10:15:39 Debian charon: 02[ENC]   not enough input to parse rule 2 U_INT_8
Jul 13 10:15:39 Debian charon: 02[ENC] header could not be parsed
Jul 13 10:15:39 Debian charon: 02[NET] received invalid IKE header from 209.141.47.78 - ignored
Jul 13 10:29:20 Debian charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul 13 10:29:42 Debian charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-16-amd64, x86_64)
Jul 13 10:29:42 Debian charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 13 10:29:42 Debian charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 13 10:29:42 Debian charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 13 10:29:42 Debian charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 13 10:29:42 Debian charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 13 10:29:42 Debian charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 13 10:29:42 Debian charon: 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
Jul 13 10:29:42 Debian charon: 00[CFG]   loaded IKE secret for 190.xxx.xxx.xxx 200.xxx.xxx.xxx
Jul 13 10:29:42 Debian charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Jul 13 10:29:42 Debian charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 13 10:29:42 Debian charon: 00[JOB] spawning 16 worker threads
Jul 13 10:29:42 Debian charon: 06[CFG] received stroke: add connection 'ciscoios'
Jul 13 10:29:42 Debian charon: 06[CFG] added configuration 'ciscoios'
Jul 13 10:29:42 Debian charon: 08[CFG] received stroke: initiate 'ciscoios'
Jul 13 10:29:42 Debian charon: 08[IKE] initiating Main Mode IKE_SA ciscoios[1] to 200.xxx.xxx.xxx
Jul 13 10:29:42 Debian charon: 08[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jul 13 10:29:42 Debian charon: 08[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (248 bytes)
Jul 13 10:29:42 Debian charon: 10[CFG] received stroke: add connection 'ciscoios2'
Jul 13 10:29:42 Debian charon: 10[CFG] added child to existing configuration 'ciscoios'
Jul 13 10:29:42 Debian charon: 12[CFG] received stroke: initiate 'ciscoios2'
Jul 13 10:29:42 Debian charon: 13[CFG] received stroke: add connection 'ciscoios3'
Jul 13 10:29:42 Debian charon: 13[CFG] added child to existing configuration 'ciscoios'
Jul 13 10:29:42 Debian charon: 15[CFG] received stroke: initiate 'ciscoios3'
Jul 13 10:29:42 Debian charon: 05[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (104 bytes)
Jul 13 10:29:42 Debian charon: 05[ENC] parsed ID_PROT response 0 [ SA V ]
Jul 13 10:29:42 Debian charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Jul 13 10:29:42 Debian charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 13 10:29:42 Debian charon: 05[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (244 bytes)
Jul 13 10:29:42 Debian charon: 06[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:29:42 Debian charon: 06[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jul 13 10:29:42 Debian charon: 06[IKE] received Cisco Unity vendor ID
Jul 13 10:29:42 Debian charon: 06[IKE] received DPD vendor ID
Jul 13 10:29:42 Debian charon: 06[ENC] received unknown vendor ID: 54:c4:40:ec:e4:7c:5d:c2:41:f8:1b:fe:31:84:05:f4
Jul 13 10:29:42 Debian charon: 06[IKE] received XAuth vendor ID
Jul 13 10:29:42 Debian charon: 06[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 13 10:29:42 Debian charon: 06[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:29:43 Debian charon: 07[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:29:43 Debian charon: 07[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:29:46 Debian charon: 10[IKE] sending retransmit 1 of request message ID 0, seq 3
Jul 13 10:29:46 Debian charon: 10[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:29:47 Debian charon: 11[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:29:47 Debian charon: 11[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:29:53 Debian charon: 12[IKE] sending retransmit 2 of request message ID 0, seq 3
Jul 13 10:29:53 Debian charon: 12[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:29:54 Debian charon: 04[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:29:54 Debian charon: 04[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:30:04 Debian charon: 13[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:30:04 Debian charon: 13[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:30:05 Debian charon: 00[DMN] signal of type SIGINT received. Shutting down
Jul 13 10:30:05 Debian charon: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Jul 13 10:30:10 Debian charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-16-amd64, x86_64)
Jul 13 10:30:10 Debian charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 13 10:30:10 Debian charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 13 10:30:10 Debian charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 13 10:30:10 Debian charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 13 10:30:10 Debian charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 13 10:30:10 Debian charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 13 10:30:10 Debian charon: 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
Jul 13 10:30:10 Debian charon: 00[CFG]   loaded IKE secret for 190.xxx.xxx.xxx 200.xxx.xxx.xxx
Jul 13 10:30:10 Debian charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Jul 13 10:30:10 Debian charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 13 10:30:10 Debian charon: 00[JOB] spawning 16 worker threads
Jul 13 10:30:10 Debian charon: 06[CFG] received stroke: add connection 'ciscoios'
Jul 13 10:30:10 Debian charon: 06[CFG] added configuration 'ciscoios'
Jul 13 10:30:10 Debian charon: 07[CFG] received stroke: initiate 'ciscoios'
Jul 13 10:30:10 Debian charon: 07[IKE] initiating Main Mode IKE_SA ciscoios[1] to 200.xxx.xxx.xxx
Jul 13 10:30:10 Debian charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jul 13 10:30:10 Debian charon: 07[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (248 bytes)
Jul 13 10:30:10 Debian charon: 10[CFG] received stroke: add connection 'ciscoios2'
Jul 13 10:30:10 Debian charon: 10[CFG] added child to existing configuration 'ciscoios'
Jul 13 10:30:10 Debian charon: 04[CFG] received stroke: initiate 'ciscoios2'
Jul 13 10:30:10 Debian charon: 14[CFG] received stroke: add connection 'ciscoios3'
Jul 13 10:30:10 Debian charon: 14[CFG] added child to existing configuration 'ciscoios'
Jul 13 10:30:10 Debian charon: 15[CFG] received stroke: initiate 'ciscoios3'
Jul 13 10:30:10 Debian charon: 05[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (104 bytes)
Jul 13 10:30:10 Debian charon: 05[ENC] parsed ID_PROT response 0 [ SA V ]
Jul 13 10:30:10 Debian charon: 05[IKE] received NAT-T (RFC 3947) vendor ID
Jul 13 10:30:10 Debian charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 13 10:30:10 Debian charon: 05[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (244 bytes)
Jul 13 10:30:10 Debian charon: 06[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:30:10 Debian charon: 06[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jul 13 10:30:10 Debian charon: 06[IKE] received Cisco Unity vendor ID
Jul 13 10:30:10 Debian charon: 06[IKE] received DPD vendor ID
Jul 13 10:30:10 Debian charon: 06[ENC] received unknown vendor ID: 54:c4:40:ec:b3:18:0f:dc:5c:59:04:92:33:f7:c2:83
Jul 13 10:30:10 Debian charon: 06[IKE] received XAuth vendor ID
Jul 13 10:30:10 Debian charon: 06[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 13 10:30:10 Debian charon: 06[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:30:11 Debian charon: 07[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:30:11 Debian charon: 07[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:30:14 Debian charon: 10[IKE] sending retransmit 1 of request message ID 0, seq 3
Jul 13 10:30:14 Debian charon: 10[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:30:15 Debian charon: 11[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:30:15 Debian charon: 11[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:30:22 Debian charon: 04[IKE] sending retransmit 2 of request message ID 0, seq 3
Jul 13 10:30:22 Debian charon: 04[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:30:22 Debian charon: 13[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:30:22 Debian charon: 13[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:30:32 Debian charon: 14[NET] received packet: from 200.xxx.xxx.xxx[500] to 190.xxx.xxx.xxx[500] (304 bytes)
Jul 13 10:30:32 Debian charon: 14[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:30:35 Debian charon: 12[IKE] sending retransmit 3 of request message ID 0, seq 3
Jul 13 10:30:35 Debian charon: 12[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:30:58 Debian charon: 15[IKE] sending retransmit 4 of request message ID 0, seq 3
Jul 13 10:30:58 Debian charon: 15[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:31:40 Debian charon: 05[IKE] sending retransmit 5 of request message ID 0, seq 3
Jul 13 10:31:40 Debian charon: 05[NET] sending packet: from 190.xxx.xxx.xxx[500] to 200.xxx.xxx.xxx[500] (100 bytes)
Jul 13 10:32:56 Debian charon: 06[IKE] giving up after 5 retransmits
Jul 13 10:32:56 Debian charon: 06[IKE] establishing IKE_SA failed, peer not responding



*Ports: (nmap)*

Starting Nmap 7.40 ( https://nmap.org ) at 2021-07-13 11:28 -03
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000022s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 996 closed ports
PORT      STATE         SERVICE
111/udp   open          rpcbind
500/udp   open          isakmp
4500/udp  open|filtered nat-t-ike
10000/udp open          ndmp



Thanks,

Marcelo.-
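Added example, not part of Marcelo's post and not strongSwan code: a small Python analyser that replays charon ID_PROT lines like the ones quoted above and reports where the IKEv1 Main Mode handshake stalled. In the quoted run the responder keeps re-sending response 0 (message 4) while strongSwan retransmits the encrypted ID/HASH message 5 until it gives up, a pattern that commonly means the peer could not process message 5 (pre-shared key or IKE ID mismatch) rather than a filtered port; the sample lines are a constructed condensation of the quoted log, and the hint strings are the analyser's own, not charon's.

```python
import re

# Constructed sample condensed from the charon syslog quoted in the post (addresses masked as there).
SAMPLE_LOG = """\
Jul 13 10:30:10 Debian charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jul 13 10:30:10 Debian charon: 05[ENC] parsed ID_PROT response 0 [ SA V ]
Jul 13 10:30:10 Debian charon: 05[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 13 10:30:10 Debian charon: 06[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jul 13 10:30:10 Debian charon: 06[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 13 10:30:11 Debian charon: 07[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:30:14 Debian charon: 10[IKE] sending retransmit 1 of request message ID 0, seq 3
Jul 13 10:30:15 Debian charon: 11[IKE] received retransmit of response with ID 0, but next request already sent
Jul 13 10:32:56 Debian charon: 06[IKE] giving up after 5 retransmits
Jul 13 10:32:56 Debian charon: 06[IKE] establishing IKE_SA failed, peer not responding
"""

REQ = re.compile(r"generating ID_PROT request \d+ \[ (.*?) \]")
RESP = re.compile(r"parsed ID_PROT response \d+ \[ (.*?) \]")
PEER_RETRANS = re.compile(r"received retransmit of response")
OUR_RETRANS = re.compile(r"sending retransmit (\d+) of request")
GAVE_UP = re.compile(r"giving up after \d+ retransmits")

# Which IKEv1 Main Mode message pair the n-th initiator request belongs to (RFC 2409).
STAGE = {1: "msg 1/2 (SA proposal)", 2: "msg 3/4 (KE/nonce)", 3: "msg 5/6 (ID/HASH, first encrypted)"}

def diagnose_main_mode(log_text):
    # Replay the charon lines and work out where the Main Mode handshake stalled.
    requests, responses, peer_retrans, our_retrans, gave_up = [], [], 0, 0, False
    for line in log_text.splitlines():
        if m := REQ.search(line):
            requests.append(m.group(1))
        elif m := RESP.search(line):
            responses.append(m.group(1))
        elif PEER_RETRANS.search(line):
            peer_retrans += 1
        elif m := OUR_RETRANS.search(line):
            our_retrans = max(our_retrans, int(m.group(1)))
        elif GAVE_UP.search(line):
            gave_up = True
    sent, answered = len(requests), len(responses)
    result = {"requests_sent": sent, "responses_parsed": answered, "gave_up": gave_up,
              "peer_retransmits": peer_retrans, "our_retransmits": our_retrans,
              "stalled_at": STAGE.get(sent, "unknown") if gave_up else None}
    if gave_up and answered == 0:
        result["hint"] = "no reply at all: check reachability of the peer and UDP/500 filtering"
    elif gave_up and sent == 3 and answered == 2 and peer_retrans:
        # Responder re-sends msg 4 and never answers our encrypted msg 5: it could not process msg 5.
        result["hint"] = "peer re-sends msg 4 instead of answering msg 5: check PSK and IKE IDs on both sides"
    return result
```

Run it against a full `journalctl -u strongswan` or syslog extract; the same regexes work on unmasked addresses because they only key on the ID_PROT and retransmit messages.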