On Sat, 5 Aug 2017, Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES 
LIMITED at Cisco) wrote:

> and... Tunnel does not get set up....

> packet from 15.1.1.91:500: initial Main Mode message received on
> 10.78.29.212:500 but no connection has been authorized with policy
> RSASIG+IKEV1_ALLOW

That means a misconfiguration. Something is not matching up between
server and that client.

> As mentioned, this message is not observed when the number of virtual devices
> being managed is 200. Tunnel connections are also fine in that case.

I don't entirely understand your "virtual devices"? Are you talking
about VTI devices?

> Extract from ipsec conf file in Host 1-
>
> conn snmp_15.1.1.91
>     type=transport
>     ike=aes256-sha1;modp2048
>     phase2alg=aes256-sha1;modp2048
>     authby=rsasig
>     ike-frag=yes
>     nat-ikev1-method=drafts
>     auto=start
>     keyingtries=%forever
>     dpdaction=restart
>     dpddelay=86400
>     dpdtimeout=86400
> # left side configuration
>     leftid=%fromcert
>     left=15.1.1.91
>     leftprotoport=udp/161
>     leftcert="user1"
>     leftrsasigkey=%cert
>     leftsendcert=always
> #right configuration - PI
>     rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
>     right=10.78.29.212
>     rightprotoport=udp
>     rightrsasigkey=%cert
>     rightsendcert=always

Note you should indent those # comment lines similarly to the other lines.

If you have the logs caused by the failing client it might reveal more.
Possibly, you can enable plutodebug= to get more details on what is
going on.

>     forceencaps=yes

You are using transport mode and force encaps? That seems wrong. If
there is NAT involved, you should use tunnel mode. If there is no NAT
involved you should not need forceencaps (unless your firewall
mistakenly blocks ESP, in which case you should just fix that instead)

Paul
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
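The two problems raised in the reply above, a conn that combines type=transport with forceencaps=yes, and settings that do not line up between the two peers (the usual reason pluto logs "no connection has been authorized with policy ..."), can be caught before loading the config. The script below is an added example, not libreswan code and not something from the thread: it parses ipsec.conf-style conn sections and runs those two checks. The client conn is the one posted in the thread, abridged to the keys the lint inspects; the server-side conn is a constructed assumption with deliberate mismatches (tunnel mode and PSK auth) so the lint has something to report, and the "corrected" pair is derived from them by switching to tunnel mode, dropping forceencaps and using rsasig on both ends. The mirroring rules are a simplification of libreswan's real connection matching, which also considers IDs from certificates, %any and subnet semantics.

```python
"""Lint libreswan ipsec.conf 'conn' sections for two misconfigurations:
transport mode combined with forceencaps=yes, and settings that do not match
between the two peers. Added example, not libreswan code; the server-side conn
is constructed for illustration."""
import re

# Client conn as posted on the list, abridged to the keys this lint looks at.
CLIENT_CONF = """\
conn snmp_15.1.1.91
    type=transport
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    authby=rsasig
    forceencaps=yes
    leftid=%fromcert
    left=15.1.1.91
    leftprotoport=udp/161
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    right=10.78.29.212
    rightprotoport=udp
"""

# Hypothetical responder-side conn (constructed): left/right swapped relative to the
# client, with two deliberate mismatches (tunnel mode, PSK auth) for the lint to find.
SERVER_CONF = """\
conn snmp_15.1.1.91
    type=tunnel
    ike=aes256-sha1;modp2048
    phase2alg=aes256-sha1;modp2048
    authby=secret
    leftid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    left=10.78.29.212
    leftprotoport=udp
    rightid=%fromcert
    right=15.1.1.91
    rightprotoport=udp/161
"""

# Corrected pair: tunnel mode on both ends, no forceencaps, certificate auth on both ends.
FIXED_CLIENT_CONF = CLIENT_CONF.replace("type=transport", "type=tunnel").replace("    forceencaps=yes\n", "")
FIXED_SERVER_CONF = SERVER_CONF.replace("authby=secret", "authby=rsasig")

# Keys that must be identical on both peers; left*/right* keys that must mirror each other.
SYMMETRIC_KEYS = ("type", "ike", "phase2alg", "authby")
MIRRORED_SUFFIXES = ("", "id", "protoport", "subnet")
DEFAULTS = {"type": "tunnel"}  # libreswan's default when type= is absent


def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf text; comments and blank lines are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)  # split once: values such as DNs contain '='
        current[key.strip()] = value.strip().strip('"')
    return conns


def lint_conn(conn):
    """Single-conn check: transport mode together with forced UDP encapsulation."""
    issues = []
    if conn.get("type", DEFAULTS["type"]) == "transport" and conn.get("forceencaps", "no") == "yes":
        issues.append("type=transport with forceencaps=yes: use type=tunnel behind NAT, "
                      "or drop forceencaps when there is no NAT")
    return issues


def compare_peers(client, server):
    """Cross-peer checks: shared settings equal, client's left/right mirror server's right/left."""
    issues = []
    for key in SYMMETRIC_KEYS:
        c, s = client.get(key, DEFAULTS.get(key)), server.get(key, DEFAULTS.get(key))
        if c != s:
            issues.append(f"{key} differs: client={c!r} server={s!r}")
    for suffix in MIRRORED_SUFFIXES:
        for mine, theirs in (("left", "right"), ("right", "left")):
            c, s = client.get(mine + suffix), server.get(theirs + suffix)
            if c != s:
                issues.append(f"client {mine}{suffix}={c!r} but server {theirs}{suffix}={s!r}")
    return issues


def run(client_text=CLIENT_CONF, server_text=SERVER_CONF, name="snmp_15.1.1.91"):
    """Lint one conn on both sides; returns (local_issues, peer_mismatches)."""
    client = parse_conns(client_text)[name]
    server = parse_conns(server_text)[name]
    return lint_conn(client) + lint_conn(server), compare_peers(client, server)


if __name__ == "__main__":
    for label, pair in (("as posted", (CLIENT_CONF, SERVER_CONF)),
                        ("corrected", (FIXED_CLIENT_CONF, FIXED_SERVER_CONF))):
        local, peers = run(*pair)
        print(f"[{label}] {len(local)} local issue(s), {len(peers)} peer mismatch(es)")
        for msg in local + peers:
            print("  -", msg)
```

Run against the posted pair it reports the transport+forceencaps combination plus the type and authby mismatches; the corrected pair comes back clean. In practice, feed it the conn from each host (the server side is the one usually missing from a report like this) before reaching for plutodebug=.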