On Sat, 5 Aug 2017, Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES
LIMITED at Cisco) wrote:
> and...Tunnel does not get setup....
>
> packet from 188.8.131.52:500: initial Main Mode message received on
> 10.78.29.212:500 but no connection has been authorized with policy

That means a misconfiguration. Something is not matching up between
server and that client.

> As mentioned, this message is not observed when the number of virtual devices
> being managed is 200. Tunnel connections are also fine in that case.

I don't entirely understand your "virtual devices"? Are you talking
about VTI devices?

> Extract from ipsec conf file in Host 1-
>
> # left side configuration
> #right configuration - PI
> rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"

Note you should indent those # comment lines similarly to the other lines.

If you have the logs caused by the failing client it might reveal more.
Possibly, you can enable plutodebug= to get more details on what is

You are using transport mode and force encaps? That seems wrong. If
there is NAT involved, you should use tunnel mode. If there is no NAT
involved you should not need forceencaps (unless your firewall
mistakenly blocks ESP, in which case you should just fix that instead)
Swan mailing list
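To make the transport-mode/forceencaps point concrete, here is an added libreswan ipsec.conf sketch; it is not the poster's configuration and not taken from the thread. The first conn has the shape the reply questions (transport mode combined with forceencaps), the second is the tunnel-mode shape the reply suggests when a NAT sits between the peers, with forceencaps left out. Only the local address 10.78.29.212 and the rightid DN come from the quoted lines; the conn names, left-side DN, certificate nickname and subnets are placeholders.

```conf
# Added example, not the poster's configuration. 10.78.29.212 and the
# rightid DN are taken from the quoted log line and conf extract; every
# other value (conn names, leftid DN, cert nickname, subnets) is a placeholder.

# Shape the reply questions: transport mode plus forceencaps.
# forceencaps=yes wraps ESP in UDP/4500 even when no NAT is detected; the
# reply only considers that justified if ESP is being blocked by a firewall.
conn example-transport-questionable
    type=transport
    forceencaps=yes
    left=10.78.29.212
    # placeholder DN for the local side
    leftid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host1.example.com"
    # placeholder NSS certificate nickname
    leftcert=host1-cert
    right=%any
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    authby=rsasig
    auto=add

# Shape the reply recommends when a NAT is involved: tunnel mode and no
# forceencaps. NAT traversal is negotiated automatically when a NAT is detected.
conn example-tunnel-behind-nat
    type=tunnel
    left=10.78.29.212
    # placeholder local subnet
    leftsubnet=10.78.29.0/24
    # placeholder DN for the local side
    leftid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host1.example.com"
    # placeholder NSS certificate nickname
    leftcert=host1-cert
    right=%any
    # placeholder: accept any remote network (roadwarrior-style)
    rightsubnet=0.0.0.0/0
    rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
    authby=rsasig
    auto=add
```

The quoted "no connection has been authorized with policy" line is pluto reporting that none of the loaded conns matched the peer that sent the Main Mode message, so the first check on both ends is to compare the loaded conns (`ipsec status`) against the intended shape above: the remote address must be covered by right= (or %any), and the IDs and policy must line up with what the other side presents.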