I have seen but there are no messages from firewall.

The (most) strange thing is the following:

end 1 (openswan klips 2.6.4, debian, kernel 2.6.17.11) talks ok to end 3 (openswan klips U2.4.12/K2.4.9, debian, kernel 2.6.18.5)

end 1 (openswan klips 2.6.4, debian, kernel 2.6.17.11) doesn't talk to end 2 (libreswan klips 3.12, debian, kernel 3.16.0-4-686-pae)

end 2 (libreswan klips 3.12, debian, kernel 3.16.0-4-686-pae) talks ok to end 3 (openswan klips U2.4.12/K2.4.9, debian, kernel 2.6.18.5)

Firewalls (shorewall) have no particular restrictions. Also I tried nat_traversal=yes in end 2 obtaining the identical results above.
I am seriously thinking of upgrading every server to libreswan klips 3.12, debian, kernel 3.16.0-4-686-pae...

-----Original Message-----
From: Paul Wouters [mailto:[email protected]]
Sent: Friday, 10 April 2015 17:01
To: Antonio Scattolini
Cc: Wolfgang Nothdurft; <[email protected]>
Subject: Re: R: R: [Swan] R: R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute

That's good! Probably now look into NAT and firewall and forwarding rules.

Sent from my iPhone

> On Apr 10, 2015, at 05:52, Antonio Scattolini <[email protected]> wrote:
>
> Now I have on end 1:
> #30: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> #30: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp2048}
> On end 2:
> #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x50d40191 <0x8f441b9e xfrm=AES_128-HMAC_SHA1 IPCOMP=>0x00005999 <0x00008760 NATOA=none NATD=none DPD=passive}
>
> But still no luck...
> Antonio
>
> -----Original Message-----
> From: Paul Wouters [mailto:[email protected]]
> Sent: Thursday, 9 April 2015 22:13
> To: Antonio Scattolini
> Cc: 'Wolfgang Nothdurft'; [email protected]
> Subject: Re: R: [Swan] R: R: BAD_PROPOSAL_SYNTAX, PAYLOAD_MALFORMED, KEY_LENGTH attribute
>
>> On Thu, 9 Apr 2015, Antonio Scattolini wrote:
>>
>> Instead, if I put:
>> esp=aes256-sha1;modp1024
>> both peers have ISAKMP SA established and IPSec SA established and also both
>> stuck in STATE_QUICK_I2; no ping from host in lan of end 1 to host in lan of
>> end 2 and vice versa...
>
> you cannot be both established and in STATE_QUICK_I2?
>
> You can try aes128 instead?
>
> Paul
