Hi strongSwan users,

we would like to set up an IPsec connection to a Telco Tec LiSS VPN Gateway. We tested the VPN connection with a Windows client (NCP). Here, the connection is established immediately.

When we run our strongSwan client, the connection establishment runs into a timeout:

    010 "liss" #3: STATE_MAIN_I1: retransmission; will wait 20s for response

The pluto debug log shows no further information about this. The Windows client and the strongSwan client use the same certificate and connection settings (config file beneath). We also captured the traffic of both connection establishments via tcpdump. With our strongSwan client, the VPN gateway does not answer the first UDP packet from pluto. We examined the first packets of both clients and saw a difference in the Vendor ID (13) payloads of the two packets.

** NCP client

    Type Payload: Vendor ID (13) : Unknown Vendor ID
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00
    Type Payload: Vendor ID (13) : RFC 3947 Negotiation of NAT-Traversal in the IKE
    Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
    Type Payload: Vendor ID (13) : Unknown Vendor ID
    Type Payload: Vendor ID (13) : Unknown Vendor ID
    Type Payload: Vendor ID (13) : Unknown Vendor ID
    Type Payload: Vendor ID (13) : Microsoft L2TP/IPSec VPN Client

** strongSwan client

    Type Payload: Vendor ID (13) : strongSwan
    Type Payload: Vendor ID (13) : XAUTH
    Type Payload: Vendor ID (13) : RFC 3706 DPD (Dead Peer Detection)
    Type Payload: Vendor ID (13) : RFC 3947 Negotiation of Traversal in the IKE
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-03
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-02\n
    Type Payload: Vendor ID (13) : draft-ietf-ipsec-nat-t-ike-00

Besides the differences in "Unknown Vendor ID" and the "L2TP Client", the strongSwan packet contains the XAUTH "flag". Might this be the cause of the gateway timeouts? How could we disable XAUTH in the first packet?

Best regards,
Martin Werthmoeller

-- 
LWsystems GmbH & Co. KG
http://www.lw-systems.de/impressum
Phone: +49 +5455 932132 ++ Fax: +49 +5455 932099
Your experts for Linux, Open Source and IT security.
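The Vendor ID lists in the two captures above are the thing to compare, so here is an added example (not part of the post, and not strongSwan or NCP code) that walks the ISAKMP header and payload chain of a Main Mode message 1 and names each Vendor ID payload, including a check for the XAUTH VID (the first 8 bytes of MD5("draft-ietf-ipsra-isakmp-xauth-06.txt"), which is how Wireshark labels it). The sample packets are constructed with the block's own builder rather than taken from the captures, and the SA payload body is a placeholder.

```python
import hashlib
import struct

ISAKMP_HDR_LEN = 28      # RFC 2408 header: two 8-byte cookies, np, ver, xchg, flags, msgid, length
PAYLOAD_SA, PAYLOAD_VENDOR_ID, PAYLOAD_NONE = 1, 13, 0

def _md5(s: str, n: int = 16) -> bytes:
    return hashlib.md5(s.encode()).digest()[:n]

# Well-known Vendor IDs: most are the MD5 of a draft/RFC name (XAUTH truncated to
# 8 bytes); DPD is the fixed constant from RFC 3706. Anything else is "Unknown".
XAUTH_VID = _md5("draft-ietf-ipsra-isakmp-xauth-06.txt", 8)
DPD_VID = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")
NATT_VID = _md5("RFC 3947")
KNOWN_VIDS = {XAUTH_VID: "XAUTH", DPD_VID: "RFC 3706 DPD", NATT_VID: "RFC 3947 NAT-T"}
for d in ("03", "02", "02\n", "00"):
    KNOWN_VIDS[_md5("draft-ietf-ipsec-nat-t-ike-" + d)] = "draft-ietf-ipsec-nat-t-ike-" + d.replace("\n", "\\n")

def parse_vendor_ids(pkt: bytes) -> list:
    """Walk the ISAKMP payload chain and name every Vendor ID payload found."""
    if len(pkt) < ISAKMP_HDR_LEN or struct.unpack("!I", pkt[24:28])[0] != len(pkt):
        raise ValueError("truncated ISAKMP header or length mismatch")
    next_type, off, names = pkt[16], ISAKMP_HDR_LEN, []
    while next_type != PAYLOAD_NONE:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")  # refuse chains that walk off the packet
        if next_type == PAYLOAD_VENDOR_ID:
            vid = pkt[off + 4:off + plen]
            names.append(KNOWN_VIDS.get(vid, "Unknown Vendor ID (%s)" % vid.hex()))
        off, next_type = off + plen, nxt
    return names

def has_xauth_vid(pkt: bytes) -> bool:
    return "XAUTH" in parse_vendor_ids(pkt)

def build_main_mode_1(vids: list) -> bytes:
    """Constructed Main Mode message 1: placeholder SA payload, then one VID payload per entry."""
    chain = [(PAYLOAD_SA, b"\x00\x00\x00\x01" + b"\x00" * 8)] + [(PAYLOAD_VENDOR_ID, v) for v in vids]
    body = b"".join(struct.pack("!BBH", chain[i + 1][0] if i + 1 < len(chain) else PAYLOAD_NONE,
                                0, 4 + len(pb)) + pb for i, (_, pb) in enumerate(chain))
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, chain[0][0], 0x10, 2, 0, 0,
                      ISAKMP_HDR_LEN + len(body))
    return hdr + body

# Constructed samples mirroring the two captures in the post (not the real captured bytes).
NCP_LIKE = build_main_mode_1([DPD_VID, NATT_VID])
STRONGSWAN_LIKE = build_main_mode_1([XAUTH_VID, DPD_VID, NATT_VID])
```

Feeding the UDP payload of a real first packet from the tcpdump capture to parse_vendor_ids() gives the same list Wireshark shows, which makes it easy to diff the two clients' Vendor ID sets.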
