On Tue, 10 Dec 2019, Peter Rofner wrote:
> > > Dec 10 07:04:14 [pluto] "Richmond_Home" #1: initiating v2 parent SA
> > > Dec 10 07:04:14 [pluto] "Richmond_Home" #2: IKE SA authentication request
> > > rejected by peer: AUTHENTICATION_FAILED
> > Do you have a log of the peer for this? Only that end knows why it
> > rejected this.
> Here's what I see on the peer end at that point:
> ----
> Dec 10 17:03:27 [pluto] "Richmond_Home" #2: ERROR: asynchronous network error
> report on eno2 (sport=500) for message to x.x.x.x port 500, complainant
> x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not
> authenticated)]
> Dec 10 17:03:28 [pluto] "Richmond_Home" #2: STATE_PARENT_I1: retransmission;
> will wait 0.5 seconds for response
> ----
That does not make sense. You must be looking at the wrong logs?
The IKEv2 negotiation goes:
IKE_SA_INIT request ----->
<----- IKE_SA_INIT reply
IKE_AUTH request ----->
<----- IKE_AUTH reply
Your first log shows you sent an IKE_SA_INIT request and got a reply, then
sent an IKE_AUTH request and got a reply with AUTHENTICATION_FAILED.
The second log shows it is not responding to anything, but initiating
its own IKE_SA_INIT request, and a firewall or gateway fails it or
the remote IP is not the right one.
There might be two things going on at the same time, but then you didn't
match up the attempts when you looked up the logs.
Paul
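As an added example (not from the thread or from libreswan itself), a small Python checker that groups pluto log lines by connection, infers from the messages which side of the IKEv2 exchange each log describes, and reports whether two logs can belong to the same attempt. The sample lines are constructed from the entries above, rejoined onto single lines; the STATE_PARENT_R1/R2 responder markers are an assumption about libreswan's state names.

```python
import re
from collections import defaultdict

# One pluto log line: timestamp, connection name, SA number, message.
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[pluto\] "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)

# Message fragments that reveal the role. I1/I2 are in the thread; R1/R2 are assumed.
INITIATOR_MARKS = ("initiating v2 parent SA", "STATE_PARENT_I1", "STATE_PARENT_I2")
RESPONDER_MARKS = ("STATE_PARENT_R1", "STATE_PARENT_R2")

def parse_pluto(lines):
    """Group message texts by connection name; lines that do not parse are skipped."""
    by_conn = defaultdict(list)
    for line in lines:
        m = PLUTO_RE.match(line)
        if m:
            by_conn[m["conn"]].append(m["msg"])
    return by_conn

def classify(msgs):
    """Return (role, outcome) for one connection's messages.
    role: 'initiator', 'responder' or 'unknown'.
    outcome: 'auth_rejected' (IKE_AUTH answered with AUTHENTICATION_FAILED, so the
    peer did reply), 'no_reply' (ICMP unreachable or retransmission, so the peer
    never answered at all), or 'other'."""
    role = "unknown"
    for msg in msgs:
        if any(k in msg for k in INITIATOR_MARKS):
            role = "initiator"
        elif any(k in msg for k in RESPONDER_MARKS):
            role = "responder"
    text = " ".join(msgs)
    if "AUTHENTICATION_FAILED" in text:
        outcome = "auth_rejected"
    elif "asynchronous network error" in text or "retransmission" in text:
        outcome = "no_reply"
    else:
        outcome = "other"
    return role, outcome

def same_exchange(local_lines, peer_lines):
    """True only if one side initiated and the other responded; two logs that both
    show an initiator (as in the thread) cannot describe the same IKE_SA_INIT/IKE_AUTH."""
    roles_a = {classify(m)[0] for m in parse_pluto(local_lines).values()}
    roles_b = {classify(m)[0] for m in parse_pluto(peer_lines).values()}
    return ("initiator" in roles_a and "responder" in roles_b) or \
           ("responder" in roles_a and "initiator" in roles_b)

# Constructed sample input: the thread's entries, each rejoined onto one line.
LOCAL = [
    'Dec 10 07:04:14 [pluto] "Richmond_Home" #1: initiating v2 parent SA',
    'Dec 10 07:04:14 [pluto] "Richmond_Home" #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED',
]
PEER = [
    'Dec 10 17:03:27 [pluto] "Richmond_Home" #2: ERROR: asynchronous network error report on eno2 (sport=500) for message to x.x.x.x port 500, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]',
    'Dec 10 17:03:28 [pluto] "Richmond_Home" #2: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response',
]
```

Running `same_exchange(LOCAL, PEER)` on these samples returns False: both logs show an initiator, which is exactly the mismatch Paul points out.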
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan