Hi Paul,
Here is the full log:
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: responding to
Main Mode from unknown peer 95.61.168.133:500
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: sent Main Mode
R1
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: sent Main Mode
R2
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: Peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133 #5: switched from
"tunnel8"[3] 95.61.168.133 to "tunnel8"
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[3] 95.61.168.133: deleting
connection instance with peer 95.61.168.133 {isakmp=#0/ipsec=#0}
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: Peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: IKE SA
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
group=MODP2048}
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: Sending
Username/Password request (MAIN_R3->XAUTH_R0)
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH:
password file authentication method requested to authenticate user
'[email protected]'
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH:
password file (/etc/ipsec.d/passwd) open.
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: success
user([email protected]:(null))
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH: User
[email protected]: Authentication Successful
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: XAUTH:
xauth_inR1(STF_OK)
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: IKE SA
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
group=MODP2048}
Jan 22 16:39:23 sol pluto[22331]: | pool 192.168.20.2-192.168.20.2: growing
address pool from 0 to 1
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5:
modecfg_inR0(STF_OK)
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: sent ModeCfg
reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
group=MODP2048}
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: the peer
proposed: 0.0.0.0/0:0/0 -> 192.168.20.2/32:0/0
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: responding to
Quick Mode proposal {msgid:b5a1646d}
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: us:
0.0.0.0/0===92.211.123.17<92.211.123.17>[@xauth.remote.local,MS+XS+S=C]
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: them:
95.61.168.133[192.168.1.2,+MC+XC+S=C]===192.168.20.2/32
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: sent Quick
Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode
{ESPinUDP=>0x2f0ed8e8 <0xfb5da4b1 xfrm=AES_GCM_16_128-NONE NATOA=none
NATD=95.61.168.133:4500 DPD=active [email protected]}
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: Warning: XAUTH
username changed from '' to 'asilvaptremote.local'
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: Warning: XAUTH
username changed from '' to 'asilvaptremote.local'
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: Warning: XAUTH
username changed from '' to 'asilvaptremote.local'
Jan 22 16:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: IPsec SA
established tunnel mode {ESPinUDP=>0x2f0ed8e8 <0xfb5da4b1
xfrm=AES_GCM_16_128-NONE NATOA=none NATD=95.61.168.133:4500 DPD=active
[email protected]}
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: initiating
IKEv1 Main Mode connection to replace #5
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: sent Main
Mode request, replacing #5
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: responding to
Main Mode from unknown peer 95.61.168.133:500
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: sent Main
Mode R1
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133: queuing pending
IPsec SA negotiating with 95.61.168.133 IKE SA #10 "tunnel8"[4] 95.61.168.133
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: sent Main
Mode R2
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: Peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: IKE SA
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
group=MODP2048}
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH:
Sending Username/Password request (MAIN_R3->XAUTH_R0)
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH:
password file authentication method requested to authenticate user
'[email protected]'
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH:
password file (/etc/ipsec.d/passwd) open.
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH:
success user([email protected]:(null))
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH: User
[email protected]: Authentication Successful
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: XAUTH:
xauth_inR1(STF_OK)
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: IKE SA
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
group=MODP2048}
Jan 22 17:34:53 sol pluto[22331]: | pool 192.168.20.2-192.168.20.2: growing
address pool from 0 to 1
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11:
modecfg_inR0(STF_OK)
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #11: sent ModeCfg
reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
group=MODP2048}
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10:
STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: sent Main
Mode I2
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: sent Main
Mode I3
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: Peer ID is
ID_IPV4_ADDR: '192.168.1.2'
Jan 22 17:34:53 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: IKE SA
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
group=MODP2048}
Jan 22 17:34:54 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: XAUTH:
Sending Username/Password request (MAIN_I4->XAUTH_R0)
Jan 22 17:34:54 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: ignoring
informational payload CERTIFICATE_UNAVAILABLE, msgid=00000000, length=12
Jan 22 17:34:54 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: received and
ignored notification payload: CERTIFICATE_UNAVAILABLE
Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #5: deleting state
(STATE_MODE_CFG_R1) aged 3600.267468s and sending notification
Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: deleting state
(STATE_QUICK_R2) aged 3600.089548s and sending notification
Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: ESP traffic
information: in=14MB out=78MB [email protected]
Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #6: Warning: XAUTH
username changed from '' to 'asilvaptremote.local'
Jan 22 17:39:23 sol pluto[22331]: "tunnel8"[4] 95.61.168.133 #10: ignoring
Delete SA payload: PROTO_IPSEC_ESP SA(0x2f0ed8e8) not found (maybe expired)
Jan 22 17:39:23 sol pluto[22331]: ignoring found existing connection instance
"tunnel8"[4] 95.61.168.133 that covers kernel acquire with IKE state #10 and
IPsec state #0 - due to duplicate acquire?
Jan 22 17:39:54 sol pluto[22331]: existing bare shunt found - refusing to add a
duplicate
Jan 22 17:39:54 sol pluto[22331]: ignoring found existing connection instance
"tunnel8"[4] 95.61.168.133 that covers kernel acquire with IKE state #10 and
IPsec state #0 - due to duplicate acquire?
Jan 22 17:40:24 sol pluto[22331]: existing bare shunt found - refusing to add a
duplicate
Jan 22 17:40:24 sol pluto[22331]: ignoring found existing connection instance
"tunnel8"[4] 95.61.168.133 that covers kernel acquire with IKE state #10 and
IPsec state #0 - due to duplicate acquire?
Please let me know if you need more verbosity in the logs.
Thanks.
--
Saludos / Regards / Cumprimentos
António Silva
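
The pattern visible in the log above (an IPsec SA deleted at its lifetime with no replacement established, followed by repeated ignored kernel acquires) can be picked out of a pluto log mechanically; this is an added Python example, not part of the original message or of libreswan. The sample lines are constructed from the message formats in this thread, one event per line as syslog writes them, with a documentation-range address; `analyze` and its field names are hypothetical.

```python
import re

# Constructed sample modelled on the pluto messages in this thread
# (one event per line; 192.0.2.10 is a documentation address).
P = 'Jan 22 17:39:23 sol pluto[22331]: '
C = '"tunnel8"[4] 192.0.2.10 '
SAMPLE = "\n".join([
    P + C + '#5: IKE SA established {auth=PRESHARED_KEY}',
    P + C + '#6: IPsec SA established tunnel mode {DPD=active}',
    P + C + '#10: initiating IKEv1 Main Mode connection to replace #5',
    P + C + '#10: IKE SA established {auth=PRESHARED_KEY}',
    P + C + '#5: deleting state (STATE_MODE_CFG_R1) aged 3600.267468s and sending notification',
    P + C + '#6: deleting state (STATE_QUICK_R2) aged 3600.089548s and sending notification',
    P + 'ignoring found existing connection instance ' + C
      + 'that covers kernel acquire with IKE state #10 and IPsec state #0 - due to duplicate acquire?',
    P + 'existing bare shunt found - refusing to add a duplicate',
    P + 'ignoring found existing connection instance ' + C
      + 'that covers kernel acquire with IKE state #10 and IPsec state #0 - due to duplicate acquire?',
])

CONN = r'(?P<conn>"[^"]+"(?:\[\d+\])?)'
EVENT = re.compile(r'pluto\[\d+\]: ' + CONN + r' \S+ #(?P<state>\d+): (?P<msg>.*)')
ACQUIRE = re.compile(r'ignoring found existing connection instance ' + CONN
                     + r' .* IKE state #(?P<ike>\d+) and IPsec state #(?P<ipsec>\d+)')
DELETED = re.compile(r'deleting state \((?P<name>STATE_\w+)\) aged (?P<age>[\d.]+)s')

def analyze(text):
    """Return one finding per IPsec SA deleted with no other IPsec SA left
    on the same connection instance, plus the ignored acquires that follow."""
    live = {}        # connection instance -> state numbers of established IPsec SAs
    findings = []
    for line in text.splitlines():
        m = ACQUIRE.search(line)
        if m:
            # Kernel asked for an SA, pluto found the instance with IPsec state #0.
            for f in findings:
                if f["conn"] == m["conn"] and m["ipsec"] == "0" and not f["recovered"]:
                    f["acquires_ignored"] += 1
                    f["ike_state"] = int(m["ike"])
            continue
        m = EVENT.search(line)
        if not m:
            continue
        conn, state, msg = m["conn"], int(m["state"]), m["msg"]
        if msg.startswith("IPsec SA established"):
            live.setdefault(conn, set()).add(state)
            for f in findings:           # a later IPsec SA ends the outage
                if f["conn"] == conn:
                    f["recovered"] = True
            continue
        d = DELETED.search(msg)
        if d and d["name"].startswith("STATE_QUICK"):
            live.setdefault(conn, set()).discard(state)
            if not live[conn]:           # nothing took over before expiry
                findings.append({"conn": conn, "state": state, "age": float(d["age"]),
                                 "acquires_ignored": 0, "ike_state": None,
                                 "recovered": False})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f)
```

Lines copied from a mail like this one must be re-joined first, because the mail client wrapped each log entry across two or three lines.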
> On 22 Jan 2021, at 14:41, Paul Wouters <[email protected]> wrote:
>
> This is a different issue I have not seen before. It seems there is confusion
> about state between kernel and pluto?
>
> To say more, I would need to see the logs from a valid state going to this
> bad state.
>
> Paul
>
> Sent from my iPhone
>
>> On Jan 22, 2021, at 07:03, António Silva <[email protected]> wrote:
>>
>> Hi,
>>
>> I’m having the same issue: after upgrading the server side to version 4.1,
>> the tunnel disconnects every hour, and only restarting the client side makes
>> it work again.
>>
>>
>> Here are the logs from the server side when the tunnel is reconnecting after
>> 1h:
>>
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93:
>> initiating IKEv1 Main Mode connection to replace #89
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main
>> Mode request, replacing #89
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94:
>> responding to Main Mode from unknown peer 95.61.168.133:500
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: sent Main
>> Mode R1
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: sent Main
>> Mode R2
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133: queuing
>> pending IPsec SA negotiating with 95.61.168.133 IKE SA #93 "tunnel8"[10]
>> 95.61.168.133
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: Peer ID
>> is ID_IPV4_ADDR: '192.168.1.2'
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: IKE SA
>> established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
>> group=MODP2048}
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH:
>> Sending Username/Password request (MAIN_R3->XAUTH_R0)
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH:
>> password file authentication method requested to authenticate user
>> '[email protected]'
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH:
>> password file (/etc/ipsec.d/passwd) open.
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH:
>> success user([email protected]:(null))
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH:
>> User [email protected]: Authentication Successful
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: XAUTH:
>> xauth_inR1(STF_OK)
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: IKE SA
>> established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
>> group=MODP2048}
>> Jan 22 12:37:36 sol pluto[24350]: | pool 192.168.20.2-192.168.20.2: growing
>> address pool from 0 to 1
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94:
>> modecfg_inR0(STF_OK)
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #94: sent
>> ModeCfg reply, expecting Ack {auth=PRESHARED_KEY cipher=AES_CBC_256
>> integ=HMAC_SHA2_256 group=MODP2048}
>> Jan 22 12:37:36 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93:
>> STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
>> Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main
>> Mode I2
>> Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: sent Main
>> Mode I3
>> Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: Peer ID
>> is ID_IPV4_ADDR: '192.168.1.2'
>> Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: IKE SA
>> established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
>> group=MODP2048}
>> Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: XAUTH:
>> Sending Username/Password request (MAIN_I4->XAUTH_R0)
>> Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: ignoring
>> informational payload CERTIFICATE_UNAVAILABLE, msgid=00000000, length=12
>> Jan 22 12:37:37 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: received
>> and ignored notification payload: CERTIFICATE_UNAVAILABLE
>> Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #89: deleting
>> state (STATE_MODE_CFG_R1) aged 3600.266987s and sending notification
>> Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: deleting
>> state (STATE_QUICK_R2) aged 3600.089852s and sending notification
>> Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: ESP
>> traffic information: in=11MB out=30MB [email protected]
>> Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #90: Warning:
>> XAUTH username changed from '' to 'asilvaptremote.local'
>> Jan 22 12:42:06 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: ignoring
>> Delete SA payload: PROTO_IPSEC_ESP SA(0x3e9fbbf6) not found (maybe expired)
>> Jan 22 12:42:06 sol pluto[24350]: ignoring found existing connection
>> instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE
>> state #93 and IPsec state #0 - due to duplicate acquire?
>> Jan 22 12:42:36 sol pluto[24350]: existing bare shunt found - refusing to
>> add a duplicate
>> Jan 22 12:42:36 sol pluto[24350]: ignoring found existing connection
>> instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE
>> state #93 and IPsec state #0 - due to duplicate acquire?
>> Jan 22 12:42:36 sol pluto[24350]: existing bare shunt found - refusing to
>> add a duplicate
>> Jan 22 12:42:36 sol pluto[24350]: ignoring found existing connection
>> instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE
>> state #93 and IPsec state #0 - due to duplicate acquire?
>> Jan 22 12:43:06 sol pluto[24350]: existing bare shunt found - refusing to
>> add a duplicate
>> Jan 22 12:43:06 sol pluto[24350]: ignoring found existing connection
>> instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE
>> state #93 and IPsec state #0 - due to duplicate acquire?
>> Jan 22 12:43:36 sol pluto[24350]: existing bare shunt found - refusing to
>> add a duplicate
>> Jan 22 12:43:36 sol pluto[24350]: ignoring found existing connection
>> instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE
>> state #93 and IPsec state #0 - due to duplicate acquire?
>> Jan 22 12:44:06 sol pluto[24350]: existing bare shunt found - refusing to
>> add a duplicate
>> Jan 22 12:44:06 sol pluto[24350]: ignoring found existing connection
>> instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE
>> state #93 and IPsec state #0 - due to duplicate acquire?
>> Jan 22 12:44:37 sol pluto[24350]: existing bare shunt found - refusing to
>> add a duplicate
>> Jan 22 12:44:37 sol pluto[24350]: ignoring found existing connection
>> instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE
>> state #93 and IPsec state #0 - due to duplicate acquire?
>> Jan 22 12:45:07 sol pluto[24350]: existing bare shunt found - refusing to
>> add a duplicate
>> Jan 22 12:45:07 sol pluto[24350]: ignoring found existing connection
>> instance "tunnel8"[10] 95.61.168.133 that covers kernel acquire with IKE
>> state #93 and IPsec state #0 - due to duplicate acquire?
>> Jan 22 12:45:12 sol pluto[24350]: "tunnel8"[10] 95.61.168.133 #93: received
>> Delete SA payload: self-deleting ISAKMP State #93
>>
>>
>>
>>
>> My configuration:
>> conn tunnel8-aggr
>>     aggrmode=yes
>>     also=tunnel8
>>
>> conn tunnel8
>>     pfs=no
>>     type=tunnel
>>     auto=add
>>     ikev2=no
>>     phase2=esp
>>     authby=secret
>>     keyingtries=3
>>     ikelifetime=24h
>>     salifetime=1h
>>     left=92.211.123.17
>>     leftsubnet=0.0.0.0/0
>>     [email protected]
>>     right=%any
>>     rightid=%any
>>     rightaddresspool=192.168.20.100-192.168.20.254
>>     dpddelay=30
>>     dpdtimeout=300
>>     dpdaction=clear
>>     leftxauthserver=yes
>>     rightxauthclient=yes
>>     leftmodecfgserver=yes
>>     rightmodecfgclient=yes
>>     modecfgpull=yes
>>     fragmentation=yes
>>     xauthby=file
>>
>>
>>
>>
>>
>>
>> --
>> Saludos / Regards / Cumprimentos
>> António Silva
>>
>>
>>
>>
>>> On 21 Jan 2021, at 20:01, Michael Schwartzkopff <[email protected]> wrote:
>>>
>>> On 21.01.21 20:53, Kontakt wrote:
>>>> Hello,
>>>> I have a problem. An IPsec tunnel compiled on libreswan 4.1 (centos 8) for 1
>>>> client causes it to disconnect after 3600s. The same configuration on
>>>> libreswan 3.23 (centos 7) does not cause such problems. Conf file,
>>>> password, iptables, entries in routing table identical.
>>>> I checked sysctl - identical. The only difference is selinux (centos 7 has
>>>> enforce, centos 8 disabled).
>>>>
>>>> libreswan 3.23 (centos 7):
>>>>
>>>> *ipsec verify*
>>>> Verifying installed system and configuration files
>>>>
>>>> Version check and ipsec on-path [OK]
>>>> Libreswan 3.23 (netkey) on 3.10.0-862.3.2.el7.x86_64
>>>> Checking for IPsec support in kernel [OK]
>>>> NETKEY: Testing XFRM related proc values
>>>> ICMP default / send_redirects [NOT DISABLED]
>>>>
>>>> Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY
>>>> will act on or cause sending of bogus ICMP redirects!
>>>>
>>>> ICMP default / accept_redirects [OK]
>>>> XFRM larval drop [OK]
>>>> Pluto ipsec.conf syntax [OK]
>>>> Two or more interfaces found, checking IP forwarding [OK]
>>>> Checking rp_filter [ENABLED]
>>>> /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
>>>> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
>>>> /proc/sys/net/ipv4/conf/em1/rp_filter [ENABLED]
>>>> /proc/sys/net/ipv4/conf/em2/rp_filter [ENABLED]
>>>> /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
>>>> rp_filter is not fully aware of IPsec and should be disabled
>>>> Checking that pluto is running [OK]
>>>> Pluto listening for IKE on udp 500 [OK]
>>>> Pluto listening for IKE / NAT-T on udp 4500 [OK]
>>>> Pluto ipsec.secret syntax [OK]
>>>> Checking 'ip' command [OK]
>>>> Checking 'iptables' command [OK]
>>>> Checking 'prelink' command does not interfere with FIPS [OK]
>>>> Checking for obsolete ipsec.conf options [OK]
>>>>
>>>> ipsec verify: encountered 12 errors - see 'man ipsec_verify' for help
>>>>
>>>> *And for libreswan 4.1 (centos 8):*
>>>> * ipsec verify*
>>>>
>>>> Verifying installed system and configuration files
>>>>
>>>> Version check and ipsec on-path [OK]
>>>> Libreswan 4.1 (netkey) on 4.18.0-193.28.1.el8_2.x86_64
>>>> Checking for IPsec support in kernel [OK]
>>>> NETKEY: Testing XFRM related proc values
>>>> ICMP default / send_redirects [OK]
>>>> ICMP default / accept_redirects [OK]
>>>> XFRM larval drop [OK]
>>>> Pluto ipsec.conf syntax [OK]
>>>> Checking rp_filter [OK]
>>>> Checking that pluto is running [OK]
>>>> Pluto listening for IKE on udp 500 [OK]
>>>> Pluto listening for IKE / NAT-T on udp 4500 [OK]
>>>> Pluto ipsec.secret syntax [OK]
>>>> Checking 'ip' command [OK]
>>>> Checking 'iptables' command [OK]
>>>> Checking 'prelink' command does not interfere with FIPS [OK]
>>>> Checking for obsolete ipsec.conf options [OK]
>>>>
>>>> Where to look for the problem?
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Swan mailing list
>>>> [email protected]
>>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>
>>>
>>> Logs? of both sides?
>>>
>>> Seems the child negotiation somehow fails. But the reason should be in the
>>> logs.
>>>
>>>
>>>
>>> Kind regards,
>>>
>>> --
>>>
>>> [*] sys4 AG
>>>
>>> https://sys4.de, +49 (89) 30 90 46 64
>>> Schleißheimer Straße 26/MG,80333 München
>>>
>>> Registered office: München, Amtsgericht München: HRB 199263
>>> Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
>>> Chairman of the supervisory board: Florian Kirstein