I updated my system to Ubuntu 16.04 (linux 4.4.0-31-generic) and iproute2 4.5. With similar configuration, I got:
002 "routed-vpn" #1: initiating Main Mode
104 "routed-vpn" #1: STATE_MAIN_I1: initiate
003 "routed-vpn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
003 "routed-vpn" #1: received and ignored informational message
010 "routed-vpn" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response
...
003 "routed-vpn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12
003 "routed-vpn" #1: received and ignored informational message
031 "routed-vpn" #1: max number of retransmissions (8) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKEv1 message
000 "routed-vpn" #1: starting keying attempt 2 of at most 2, but releasing whack

IPsec status shows the following:

000 "routed-vpn": 0.0.0.0/0===192.168.0.20 <192.168.0.20>...192.168.0.21<192.168.0.21>===0.0.0.0/0; unrouted; eroute owner: #0
000 "routed-vpn": oriented; my_ip=unset; their_ip=unset
000 "routed-vpn": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "routed-vpn": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;
000 "routed-vpn": labeled_ipsec:no;
000 "routed-vpn": policy_label:unset;
000 "routed-vpn": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;
000 "routed-vpn": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "routed-vpn": sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "routed-vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "routed-vpn": conn_prio: 0,0; interface: ens35; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "routed-vpn": nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface:vti01; vti-routing:no; vti-shared:no;
000 "routed-vpn": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "routed-vpn": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn": IKE algorithms found: AES_CBC(7)_128-SHA1(2)-MODP4096(16)
000 "routed-vpn": ESP algorithms wanted: AES(12)_128-SHA1(2)
000 "routed-vpn": ESP algorithms loaded: AES(12)_128-SHA1(2)

Do you have any pointers on what's wrong here?

Thanks,
Xinwei

On Sat, Jul 9, 2016 at 1:06 AM, Paul Wouters <[email protected]> wrote:

> On Fri, 8 Jul 2016, Xinwei Hong wrote:
>
>> Is it possible to provide the exact requirements for this feature? Which
>> kernel version and which iproute2 version? We want to push this feature to
>> our production and would need to do packaging ourselves.
>
> If I had known it, I would have told you. I just know the versions we
> started testing with and those work for sure.
>
>> Also, we currently use racoon+netkey to do policy-based vpn and
>> pluto+klips to do route-based vpn. With this new feature, will we be able
>> to do both with pluto+netkey? How to do policy-based VPN without racoon?
>
> Yes you should be able to do both.
>
> Paul
