Hi, I'm currently switching from openswan to strongswan. My VPN connection worked perfectly with openswan, but I have no luck with strongswan. The connection gets stuck in the middle of the IKE phase (complete log attached):

13[ENC] generating ID_PROT request 0 [ ID SIG CERTREQ ]
13[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
14[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
14[IKE] received retransmit of response with ID 0, but next request already sent

Some more "received retransmit" follow. It seems the VPN router (Draytek Vigor) is responding to the second ID_PROT request with the same response as for the first. My ipsec.conf is also attached. Any ideas?

Cheers,
Thorsten

--
Dr.-Ing. Thorsten Meinl                 room: Z813
Nycomed Chair for Bioinformatics        fax: +49 (0)7531 88-5132
and Information Mining                  phone: +49 (0)7531 88-5016
Box 712, 78457 Konstanz, Germany

Mar 13 17:30:40 [charon] 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux 3.0.35-tuxonice, x86_64)
Mar 13 17:30:40 [charon] 00[KNL] received netlink error: Address family not supported by protocol (97)
Mar 13 17:30:40 [charon] 00[KNL] unable to create IPv6 routing table rule
Mar 13 17:30:40 [charon] 00[NET] could not open socket: Address family not supported by protocol
Mar 13 17:30:40 [charon] 00[NET] could not open IPv6 socket, IPv6 disabled
Mar 13 17:30:40 [charon] 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 13 17:30:40 [charon] 00[CFG] loaded ca certificate "C=CH, ST=Zurich, O=KNIME.com AG, CN=KNIME.com Certificate Authority" from '/etc/ipsec.d/cacerts/knime-com.pem'
Mar 13 17:30:40 [charon] 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 13 17:30:40 [charon] 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 13 17:30:40 [charon] 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 13 17:30:40 [charon] 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 13 17:30:40 [charon] 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 13 17:30:40 [charon] 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/knime-vpn.pem'
Mar 13 17:30:40 [charon] 00[DMN] loaded plugins: charon aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Mar 13 17:30:40 [charon] 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 13 17:30:40 [charon] 00[JOB] spawning 16 worker threads
Mar 13 17:30:40 [ipsec_starter] charon (10586) started after 20 ms
Mar 13 17:30:40 [charon] 09[CFG] received stroke: add connection 'zurich'
Mar 13 17:30:40 [charon] 09[CFG] left nor right host is our side, assuming left=local
Mar 13 17:30:40 [charon] 09[CFG] loaded certificate "C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=Thorsten Meinl, [email protected]" from 'knime-vpn.pem'
Mar 13 17:30:40 [charon] 09[CFG] loaded certificate "C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=KNIME.com VPN Router" from 'knime-router.pem'
Mar 13 17:30:40 [charon] 09[CFG] added configuration 'zurich'
Mar 13 17:30:40 [charon] 11[CFG] received stroke: initiate 'zurich'
Mar 13 17:30:40 [charon] 11[IKE] initiating Main Mode IKE_SA zurich[1] to 212.126.160.54
- Last output repeated twice -
Mar 13 17:30:40 [charon] 11[ENC] generating ID_PROT request 0 [ SA V V V V ]
Mar 13 17:30:40 [charon] 11[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (224 bytes)
Mar 13 17:30:40 [charon] 12[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (124 bytes)
Mar 13 17:30:40 [charon] 12[ENC] parsed ID_PROT response 0 [ SA V V ]
Mar 13 17:30:40 [charon] 12[IKE] received DPD vendor ID
Mar 13 17:30:40 [charon] 12[IKE] received NAT-T (RFC 3947) vendor ID
Mar 13 17:30:40 [charon] 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 13 17:30:40 [charon] 12[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (372 bytes)
Mar 13 17:30:40 [charon] 13[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:40 [charon] 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 13 17:30:40 [charon] 13[IKE] sending cert request for "C=CH, ST=Zurich, O=KNIME.com AG, CN=KNIME.com Certificate Authority"
Mar 13 17:30:40 [charon] 13[IKE] authentication of 'C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=Thorsten Meinl, [email protected]' (myself) successful
Mar 13 17:30:40 [charon] 13[ENC] generating ID_PROT request 0 [ ID SIG CERTREQ ]
Mar 13 17:30:40 [charon] 13[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
Mar 13 17:30:43 [charon] 14[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:43 [charon] 14[IKE] received retransmit of response with ID 0, but next request already sent
Mar 13 17:30:44 [charon] 08[IKE] sending retransmit 1 of request message ID 0, seq 3
Mar 13 17:30:44 [charon] 08[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
Mar 13 17:30:49 [charon] 09[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:49 [charon] 09[IKE] received retransmit of response with ID 0, but next request already sent
Mar 13 17:30:52 [charon] 10[IKE] sending retransmit 2 of request message ID 0, seq 3
Mar 13 17:30:52 [charon] 10[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
Mar 13 17:31:05 [charon] 11[IKE] sending retransmit 3 of request message ID 0, seq 3
Mar 13 17:31:05 [charon] 11[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)

# ipsec.conf - strongSwan IPsec configuration file

version 2.0   # conforms to second version of ipsec.conf specification

# basic configuration
config setup

conn zurich
    authby=rsasig
    type=tunnel
    keyexchange=ikev1
    # left=%any
    leftid="C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=Thorsten Meinl, [email protected]"
    leftauth=pubkey
    leftfirewall=yes
    # leftrsasigkey=%cert
    leftcert=knime-vpn.pem
    right=212.126.160.54
    rightid="C=CH, ST=Zurich, L=Zurich, O=KNIME.com AG, CN=KNIME.com VPN Router"
    rightauth=pubkey
    rightcert=knime-router.pem
    rightsubnet=172.17.17.0/24
    auto=start
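To make the sequence in the attached log easier to read, here is an added example (not code from strongSwan or from the post) that parses charon's log lines for an IKEv1 Main Mode initiation and reports which of the three request/response pairs went unanswered and whether the peer's later packets merely repeat the response it already gave for the previous step. SAMPLE_LOG is a constructed abridgement of the log above; the regular expressions assume the charon 5.0.x message wording shown in it.

```python
"""Added example for this thread (not strongSwan code): walk charon's log for an
IKEv1 Main Mode initiation and report which request went unanswered and whether
the peer only replayed its previous response.  SAMPLE_LOG is a constructed
abridgement of the log quoted in the post."""
import re

SAMPLE_LOG = """\
Mar 13 17:30:40 [charon] 11[IKE] initiating Main Mode IKE_SA zurich[1] to 212.126.160.54
Mar 13 17:30:40 [charon] 11[ENC] generating ID_PROT request 0 [ SA V V V V ]
Mar 13 17:30:40 [charon] 11[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (224 bytes)
Mar 13 17:30:40 [charon] 12[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (124 bytes)
Mar 13 17:30:40 [charon] 12[ENC] parsed ID_PROT response 0 [ SA V V ]
Mar 13 17:30:40 [charon] 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Mar 13 17:30:40 [charon] 12[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (372 bytes)
Mar 13 17:30:40 [charon] 13[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:40 [charon] 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Mar 13 17:30:40 [charon] 13[ENC] generating ID_PROT request 0 [ ID SIG CERTREQ ]
Mar 13 17:30:40 [charon] 13[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
Mar 13 17:30:43 [charon] 14[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:43 [charon] 14[IKE] received retransmit of response with ID 0, but next request already sent
Mar 13 17:30:44 [charon] 08[IKE] sending retransmit 1 of request message ID 0, seq 3
Mar 13 17:30:44 [charon] 08[NET] sending packet: from 134.34.224.42[500] to 212.126.160.54[500] (412 bytes)
Mar 13 17:30:49 [charon] 09[NET] received packet: from 212.126.160.54[500] to 134.34.224.42[500] (356 bytes)
Mar 13 17:30:49 [charon] 09[IKE] received retransmit of response with ID 0, but next request already sent
"""

# Main Mode is three request/response pairs; charon names each request by its
# payloads, so the first payload tells us which pair we are in.
MAIN_MODE_STEPS = {
    "SA": "msgs 1/2: SA proposal",
    "KE": "msgs 3/4: key exchange + nonces",
    "ID": "msgs 5/6: identity + authentication",
}

MSG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \[charon\] \d+\[\w+\] (?P<msg>.*)$")
GEN_RE = re.compile(r"generating \w+ request \d+ \[ (?P<payloads>[^\]]*?) \]")
PARSED_RE = re.compile(r"parsed \w+ response \d+ \[")
RECV_RE = re.compile(r"received packet: from \S+ to \S+ \((?P<len>\d+) bytes\)")
STALE_RE = re.compile(r"received retransmit of response with ID \d+, but next request already sent")
RETRANS_RE = re.compile(r"sending retransmit \d+ of request message ID \d+")


def step_name(payloads):
    """Map a request's payload list (e.g. 'ID SIG CERTREQ') to its Main Mode step."""
    return MAIN_MODE_STEPS.get(payloads.split()[0], payloads)


def analyze(log_text):
    """Return a dict describing where the handshake in log_text stalled."""
    completed = []        # steps whose response charon parsed
    pending = None        # payloads of the request still waiting for a response
    last_recv_len = None  # size of the most recent inbound packet
    last_resp_len = None  # size of the last response charon accepted
    stale_lens = []       # sizes of inbound packets charon discarded as stale
    retransmits = 0       # how often charon re-sent the pending request
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if (g := GEN_RE.search(msg)):
            pending = g.group("payloads")
        elif PARSED_RE.search(msg):
            completed.append(step_name(pending) if pending else "?")
            last_resp_len = last_recv_len
            pending = None
        elif (r := RECV_RE.search(msg)):
            last_recv_len = int(r.group("len"))
        elif STALE_RE.search(msg):
            stale_lens.append(last_recv_len)
        elif RETRANS_RE.search(msg):
            retransmits += 1
    return {
        "completed_steps": completed,
        "stalled_request": pending,
        "stalled_step": step_name(pending) if pending else None,
        "our_retransmits": retransmits,
        "stale_responses": len(stale_lens),
        # True when every discarded packet has the size of the response the peer
        # already gave for the previous step: it is replaying, not answering.
        "peer_repeats_previous_response": bool(stale_lens)
        and all(n == last_resp_len for n in stale_lens),
    }


def verdict(result):
    """One-line human summary of analyze()'s result."""
    if result["stalled_request"] is None:
        return "handshake completed: " + ", ".join(result["completed_steps"])
    text = (f"stalled at {result['stalled_step']} (request [ {result['stalled_request']} ]); "
            f"we retransmitted {result['our_retransmits']}x, peer sent "
            f"{result['stale_responses']} packet(s) charon discarded as stale")
    if result["peer_repeats_previous_response"]:
        text += "; peer keeps replaying its previous response instead of answering"
    return text


if __name__ == "__main__":
    print(verdict(analyze(SAMPLE_LOG)))
```

Run against the log above it reports the stall at messages 5/6 with the peer replaying its 356-byte message 4; because the size comparison only says the peer re-sent something of the same length, a packet capture on UDP/500 is still the way to confirm the replayed packet is byte-identical.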
