On Wed, Oct 17, 2012 at 10:23:49PM +0200, Mirko Parthey wrote:
> On Wed, Oct 17, 2012 at 02:17:27PM -0400, CJ Fearnley wrote:
> > On the netgear, I see
> > 1970 Jan 2 22:33:25 [FVS336GV2] [IKE] Phase 1 negotiation failed due to
> > time up
> ^^^^^^^^^^^^^^^^^^^^^^
> Looks like the system time is wrong.

Eventually I noticed that too. Netgear suggests a firmware upgrade. That
could be the problem there. But all the Netgears are failing. Including
this one whose clock is working:

2012 Oct 17 16:45:22 [FVS336GV2] [IKE] ISAKMP-SA established for 50.192.114.17[500]-216.130.102.66[500] with spi:f632e20393b01283:f86a7548892e2c54_

It goes on to fail:

2012 Oct 17 16:45:22 [FVS336GV2] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2012 Oct 17 16:45:23 [FVS336GV2] [IKE] Initiating new phase 2 negotiation: 50.192.114.17[0]<=>216.130.102.66[0]_
2012 Oct 17 16:45:23 [FVS336GV2] [IKE] Unknown notify message from 216.130.102.66[500].No phase2 handle found._
2012 Oct 17 16:45:26 [FVS336GV2] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=f632e20393b01283:f86a7548892e2c54._
2012 Oct 17 16:46:23 [FVS336GV2] [IKE] Phase 2 negotiation failed due to time up. f632e20393b01283:f86a7548892e2c54:f1a6d664_

strongswan sees this:

Oct 17 16:45:22 cw1 pluto[6976]: "sslvpn"[24] 50.192.114.17 #14: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Oct 17 16:45:23 cw1 pluto[6976]: "sslvpn"[24] 50.192.114.17 #14: cannot respond to IPsec SA request because no connection is known for 192.168.101.0/24===216.130.102.66[C=US, ST=IL, L=Glenwood, O=PRIVACY VPN Services, CN=cw1.private.com, [email protected]]...50.192.114.17[CN=Private]===192.168.112.0/24
Oct 17 16:45:23 cw1 pluto[6976]: "sslvpn"[24] 50.192.114.17 #14: sending encrypted notification INVALID_ID_INFORMATION to 50.192.114.17:500

These certs were working last week with openswan. What else can I try?

My ipsec.conf is now like this:

config setup
        charonstart=yes
        plutostart=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
        nat_traversal=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        mobike=no
        keyexchange=ikev1

conn sslvpn
        left=216.130.102.66
        leftid="C=US, ST=IL, L=Glenwood, O=Privacy VPN Services, CN=cw1.privacy.com, [email protected]"
        leftsendcert=always
        leftsubnet=192.168.101.0/24
        leftcert=cw1.privacy.com.crt
        right=%any
        rekey=yes
        auto=add

I also tried auto=start with similar errors.

-- 
CJ Fearnley                 |   LinuxForce Inc.
[email protected]           |   IT Projects & Systems Maintenance
http://www.LinuxForce.net   |   http://blog.remoteresponder.net
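
Added example, not part of the original message or of strongSwan: a small Python check that pulls the four selectors out of the pluto "no connection is known for" line above and compares them with what conn sslvpn defines. It assumes, as the ipsec.conf man page describes, that an unset left/rightsubnet means the host itself (/32), and that IKEv1 Quick Mode selectors must match the conn exactly; the DNs in the sample line are shortened and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed from the pluto line in the message; certificate DNs cut to "[...]".
LOG = ("cannot respond to IPsec SA request because no connection is known for "
       "192.168.101.0/24===216.130.102.66[...]...50.192.114.17[...]===192.168.112.0/24")

# conn sslvpn from the message, keeping only the options that set selectors.
CONF = """
conn sslvpn
    left=216.130.102.66
    leftsubnet=192.168.101.0/24
    right=%any
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
REQUEST = re.compile(r"known for (\S+?)===" + IP + r"(?:\[.*?\])?\.\.\."
                     + IP + r"(?:\[.*?\])?===(\S+)")

def parse_conn(text, name):
    """Return the key=value options of one conn section as a dict."""
    opts, active = {}, False
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["conn"]:
            active = words[1:2] == [name]
        elif active and "=" in line:
            key, _, value = line.strip().partition("=")
            opts[key] = value
    return opts

def offered_subnet(opts, side, peer_ip):
    """Subnet the conn offers on one side. Assumption: an unset subnet means
    the host itself (/32), and %any stands for the connecting peer."""
    if opts.get(side + "subnet"):
        return ipaddress.ip_network(opts[side + "subnet"])
    host = opts.get(side, "%any")
    return ipaddress.ip_network(peer_ip if host == "%any" else host)

def diagnose(log_line, opts):
    """List requested selectors that differ from what the conn offers
    (assumption: IKEv1 Quick Mode selectors must match exactly)."""
    lnet, lhost, rhost, rnet = REQUEST.search(log_line).groups()
    problems = []
    for side, host, net in (("left", lhost, lnet), ("right", rhost, rnet)):
        offered = offered_subnet(opts, side, host)
        if ipaddress.ip_network(net) != offered:
            problems.append(f"{side}subnet: peer asked {net}, conn offers {offered}")
    return problems

print(diagnose(LOG, parse_conn(CONF, "sslvpn")))
```

Run against the full ipsec.conf and the unshortened log line, the same functions apply; only the two sample strings change.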
