On Sat, 5 Aug 2017, Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES LIMITED at Cisco) wrote:
> and... Tunnel does not get set up....
> packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW
That means a misconfiguration. Something is not matching up between server and that client.
> As mentioned, this message is not observed when the number of virtual devices being managed is 200. Tunnel connections are also fine in that case.
I don't entirely understand your "virtual devices"? Are you talking about VTI devices?
> Extract from ipsec conf file in Host 1:
>
> conn snmp_15.1.1.91
>     type=transport
>     ike=aes256-sha1;modp2048
>     phase2alg=aes256-sha1;modp2048
>     authby=rsasig
>     ike-frag=yes
>     nat-ikev1-method=drafts
>     auto=start
>     keyingtries=%forever
>     dpdaction=restart
>     dpddelay=86400
>     dpdtimeout=86400
> # left side configuration
>     leftid=%fromcert
>     left=15.1.1.91
>     leftprotoport=udp/161
>     leftcert="user1"
>     leftrsasigkey=%cert
>     leftsendcert=always
> #right configuration - PI
>     rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
>     right=10.78.29.212
>     rightprotoport=udp
>     rightrsasigkey=%cert
>     rightsendcert=always
Note you should indent those # comment lines similarly to the other lines. If you have the logs caused by the failing client it might reveal more. Possibly, you can enable plutodebug= to get more details on what is going on.
>     forceencaps=yes
You are using transport mode and force encaps? That seems wrong. If there is NAT involved, you should use tunnel mode. If there is no NAT involved you should not need forceencaps (unless your firewall mistakenly blocks ESP, in which case you should just fix that instead).

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
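An added check for the peer mismatch Paul suspects, not code from the thread or from libreswan: it parses one conn section per peer, flags the transport+forceencaps contradiction, and reports keys on which the two sides cannot match. Host 1's section is taken from the extract above; host 2's section is assumed (constructed) and carries a deliberate phase2alg mismatch.

```python
# Added example, not from the thread or from libreswan. HOST2 below is an assumed
# (constructed) mirror of the host-1 extract with a deliberate phase2alg mismatch.
def parse_conn(text):
    """Return {key: value} for one conn section, dropping comments and quotes."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("conn "):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip().strip('"')
    return conf

def lint(conf):
    """Settings that contradict each other within a single conn section."""
    issues = []
    if conf.get("type") == "transport" and conf.get("forceencaps") == "yes":
        issues.append("transport+forceencaps: tunnel mode behind NAT, else no forceencaps")
    return issues

def mirror_mismatches(a, b):
    """Shared keys must be equal; left* on a must equal right* on b and vice versa."""
    mism = [k for k in ("type", "ike", "phase2alg", "authby") if a.get(k) != b.get(k)]
    for suffix in ("", "protoport", "id"):
        for mine, theirs in (("left", "right"), ("right", "left")):
            va, vb = a.get(mine + suffix), b.get(theirs + suffix)
            if "%fromcert" not in (va, vb) and va != vb:  # %fromcert: ID taken from cert
                mism.append(mine + suffix)
    return mism

HOST1 = """conn snmp_15.1.1.91
    type=transport
    phase2alg=aes256-sha1;modp2048
    forceencaps=yes
    leftid=%fromcert
    left=15.1.1.91
    leftprotoport=udp/161
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    right=10.78.29.212
    rightprotoport=udp
"""
HOST2 = """conn snmp_host1
    type=transport
    phase2alg=aes128-sha1;modp2048
    leftid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    left=10.78.29.212
    leftprotoport=udp
    rightid=%fromcert
    right=15.1.1.91
    rightprotoport=udp/161
"""
```

Running `lint(parse_conn(HOST1))` reports the forceencaps problem and `mirror_mismatches(parse_conn(HOST1), parse_conn(HOST2))` returns `['phase2alg']`; aligning host 2's phase2alg makes the list empty.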
