Hi,
I've upgraded from 4.4.1 to 4.5.0 today to work around the issue where a given
peer ID can't acquire multiple virtual IP addresses. However, my IKEv1
connections don't work anymore now. I did add keyexchange=ikev1 to make sure to
use pluto. I've attached my config below.
The tunnel is established but it seems there are some problems with routing. If
I ping my strongSwan gateway from the peer network, the gateway correctly
receives the ICMP packets (according to tcpdump on the gateway). However, the
replies don't seem to be sent back over the tunnel (I don't see any ICMP reply
with tcpdump on the gateway and the ping from the peer doesn't get any reply
either).
The only suspicious things are the errors below, which come from charon despite
the fact that the tunnel is established with pluto. Could this be related to
the change where pluto now uses netlink for setting up policies? Here are
the messages:
charon: 05[KNL] received an SADB_ACQUIRE with policy id 140489 but no matching policy found
charon: 05[KNL] creating acquire job for policy 10.12.15.22/32 === 27.21.27.40/32 with reqid {0}
charon: 03[CFG] trap not found, unable to acquire reqid 0
My ipsec.conf for that connection:
---
config setup
    plutodebug=control
    crlcheckinterval=180
    strictcrlpolicy=no
    charonstart=yes
    plutostart=yes
    nat_traversal=yes

conn %default
    ikelifetime=3h
    lifetime=3h
    rekeymargin=3m
    keyingtries=1
    left=%defaultroute
    [email protected]
    leftsourceip=192.168.128.1
    leftsubnet=192.168.128.0/17
    leftcert=gw_cert.pem
    leftfirewall=yes
    rightfirewall=yes

conn sj-gw
    keyexchange=ikev1
    right=%any
    leftsubnet=192.168.0.0/16
    rightsubnet=192.168.0.0/16
    [email protected]
    auto=add
---
Any ideas what could be wrong? Are there some additional settings required for
4.5.0 now?
Thanks for the help!
Cheers,
Benoit.
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
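Added example (not part of the original post or of strongSwan itself): a small Python triage script for the charon [KNL]/[CFG] messages quoted in the post. It groups the SADB_ACQUIRE line, the "creating acquire job" line and the "trap not found" line into one acquire record, reads leftsubnet/rightsubnet for the conn out of the quoted ipsec.conf (applying conn %default first), and then checks whether the acquired selectors are even covered by that conn. The regexes are assumptions based only on the three quoted lines, the embedded config is the quoted one reduced to the subnet-related keys (the leftid/rightid lines are left out), and all function and class names are my own. On the quoted input it reports one acquire (policy id 140489, reqid 0, trap missing) whose selectors 10.12.15.22/32 -> 27.21.27.40/32 fall outside 192.168.0.0/16, i.e. outside the traffic selectors of conn sj-gw.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the three charon lines quoted in the post.
SAMPLE_LOG = """\
charon: 05[KNL] received an SADB_ACQUIRE with policy id 140489 but no matching policy found
charon: 05[KNL] creating acquire job for policy 10.12.15.22/32 === 27.21.27.40/32 with reqid {0}
charon: 03[CFG] trap not found, unable to acquire reqid 0
"""

# Constructed sample input: the quoted ipsec.conf reduced to the keys this
# script looks at (the leftid/rightid lines are omitted).
SAMPLE_CONF = """\
conn %default
    left=%defaultroute
    leftsourceip=192.168.128.1
    leftsubnet=192.168.128.0/17
    leftfirewall=yes
    rightfirewall=yes

conn sj-gw
    keyexchange=ikev1
    right=%any
    leftsubnet=192.168.0.0/16
    rightsubnet=192.168.0.0/16
    auto=add
"""

# Message shapes are assumed from the three quoted lines only (hypothetical patterns).
ACQUIRE_RE = re.compile(r"\[KNL\] received an SADB_ACQUIRE with policy id (?P<policy_id>\d+) but no matching policy found")
JOB_RE = re.compile(r"\[KNL\] creating acquire job for policy (?P<src>\S+) === (?P<dst>\S+) with reqid \{(?P<reqid>\d+)\}")
TRAP_RE = re.compile(r"\[CFG\] trap not found, unable to acquire reqid (?P<reqid>\d+)")


@dataclass
class Acquire:
    """One kernel acquire as seen by charon, assembled from consecutive log lines."""
    policy_id: Optional[int] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    reqid: Optional[int] = None
    trap_missing: bool = False
    notes: List[str] = field(default_factory=list)


def parse_conn_subnets(conf: str, conn: str) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Return leftsubnet/rightsubnet for `conn`, with `conn %default` applied first."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("conn ", "config ")):
            current = line.split(None, 1)[1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    merged = dict(sections.get("%default", {}))
    merged.update(sections.get(conn, {}))  # conn-specific keys override %default
    return {
        side: [ipaddress.ip_network(n.strip()) for n in merged.get(side, "").split(",") if n.strip()]
        for side in ("leftsubnet", "rightsubnet")
    }


def selector_within(prefix: str, nets: List[ipaddress.IPv4Network]) -> bool:
    """True if the selector prefix is contained in any of the given networks."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(n) for n in nets)


def triage_acquires(log_lines, nets: Dict[str, List[ipaddress.IPv4Network]]) -> List[Acquire]:
    """Group the acquire-related lines into Acquire records and annotate each one."""
    acquires: List[Acquire] = []
    current: Optional[Acquire] = None
    for line in log_lines:
        m = ACQUIRE_RE.search(line)
        if m:
            current = Acquire(policy_id=int(m["policy_id"]))
            acquires.append(current)
            continue
        m = JOB_RE.search(line)
        if m:
            if current is None:  # job line without a preceding SADB_ACQUIRE line
                current = Acquire()
                acquires.append(current)
            current.src, current.dst, current.reqid = m["src"], m["dst"], int(m["reqid"])
            continue
        m = TRAP_RE.search(line)
        if m and current is not None and current.reqid == int(m["reqid"]):
            current.trap_missing = True
    for a in acquires:
        if a.reqid == 0:
            a.notes.append("reqid 0: the kernel policy that triggered the acquire is not one of "
                           "charon's own trap policies, so charon cannot act on it")
        if a.src and a.dst:
            covered = ((selector_within(a.src, nets["leftsubnet"]) and selector_within(a.dst, nets["rightsubnet"]))
                       or (selector_within(a.src, nets["rightsubnet"]) and selector_within(a.dst, nets["leftsubnet"])))
            if not covered:
                a.notes.append(f"selectors {a.src} -> {a.dst} lie outside the conn's leftsubnet/rightsubnet")
    return acquires


if __name__ == "__main__":
    nets = parse_conn_subnets(SAMPLE_CONF, "sj-gw")
    for a in triage_acquires(SAMPLE_LOG.splitlines(), nets):
        print(f"policy id {a.policy_id}: {a.src} -> {a.dst}, reqid {a.reqid}, trap missing={a.trap_missing}")
        for note in a.notes:
            print("  -", note)
```

Feeding it a longer charon log (e.g. with charondebug knl/cfg raised) lists every acquire that charon could not map to a trap policy and separates the ones that concern the conn's own subnets from the ones that do not; the quoted acquire belongs to the second group.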