Anyone have any ideas?

Sent from my iPhone
> On Dec 31, 2013, at 3:58 PM, "Chris Arnold" <[email protected]> wrote:
>
> Strongswan 4.4.x on SLES11 SP2. A Windows 7 client using IKEv2 is trying to
> connect using the rclients config from ipsec.conf. They get an invalid payload
> received from the Windows 7 client. Here is the exchange from Windows 7 to the
> strongSwan server:
>
> received packet: from 98.26.22x.xx[500] to 192.168.1.18[500]
> 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 07[IKE] 98.26.22x.xx is initiating an IKE_SA
> 07[IKE] local host is behind NAT, sending keep alives
> 07[IKE] remote host is behind NAT
> 07[IKE] sending cert request for "C=US, ST=NC, L=Durham, O=Edens Land Corp, OU=ELC, CN=name, E=email address"
> 07[IKE] sending cert request for "C=US, ST=North Carolina, L=Durham, O=Edens Land Corp, OU=ELC, CN=name, E=email address"
> 07[IKE] sending cert request for "C=CH, O=Edens Land Corp, CN=Edens Land Corp CA"
> 07[IKE] sending cert request for "C=FI, O=Test, CN=Test CA"
> 07[IKE] sending cert request for "C=CH, O=Edens Land Corp. CN=ELC RW VPN"
> 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> 07[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500]
> 03[NET] received packet: from 98.26.22x.xx[4500] to 192.168.1.18[4500]
> 03[ENC] not enough input to parse rule 10 ENCRYPTED_DATA
> 03[ENC] payload type ENCRYPTED could not be parsed
> 03[IKE] message parsing failed
> 03[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
> 03[NET] sending packet: from 192.168.1.18[500] to 98.26.22x.xx[500]
> 03[IKE] IKE_AUTH request with message ID 1 processing failed
>
> Here is the ipsec config:
>
> conn rclientscerts
>         rekey=no
>         left=%any
>         leftauth=pubkey
>         leftcert=server_cert.crt
>         [email protected]
>         leftsubnet=0.0.0.0/0
>         right=%any
>         rightsourceip=192.168.2.0/24
>         #rightauth=eap-mschapv2
>         #rightsendcert=never
>         #eap_identity=%any
>         mobike=yes
>         auto=add
>
> This used to work until we moved offices and got a new public IP. The above
> leftid reflects the new public IP. I just thought about something: the CN in
> the cert, does it need to reflect the new public IP? Not sure if that would
> matter...
> We have a site-to-site VPN with this same office and that works fine. Any
> ideas?
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
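When triaging a failure like the one quoted above, it helps to correlate charon's log lines per worker thread so that the peer, the port the failing packet arrived on, and the parse rule that broke are reported together. The script below is an added example for that, not code from the thread or from the strongSwan project; the log it runs on is constructed to mirror the quoted output, with 203.0.113.5 (an RFC 5737 documentation address) standing in for the client.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the charon output quoted above (not a capture;
# 203.0.113.5 is an RFC 5737 documentation address standing in for the peer).
SAMPLE_LOG = """\
07[NET] received packet: from 203.0.113.5[500] to 192.168.1.18[500]
07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
03[NET] received packet: from 203.0.113.5[4500] to 192.168.1.18[4500]
03[ENC] not enough input to parse rule 10 ENCRYPTED_DATA
03[ENC] payload type ENCRYPTED could not be parsed
03[IKE] message parsing failed
03[ENC] generating IKE_AUTH response 1 [ N(INVAL_SYN) ]
03[IKE] IKE_AUTH request with message ID 1 processing failed
"""

LINE = re.compile(r"^(?P<thr>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
RECV = re.compile(r"received packet: from (?P<ip>[^\[]+)\[(?P<port>\d+)\]")
RULE = re.compile(r"not enough input to parse rule (?P<rule>\d+) (?P<name>\w+)")
FAIL = re.compile(r"(?P<xchg>IKE_\w+) request with message ID (?P<mid>\d+) processing failed")

def triage(log_text):
    """Correlate charon lines per worker thread and report each exchange that
    failed to parse: which peer/port it came from and which parse rule broke."""
    state = defaultdict(dict)      # thread id -> facts seen for the packet in flight
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thr, msg = m["thr"], m["msg"]
        if r := RECV.search(msg):
            state[thr] = {"peer": r["ip"], "port": int(r["port"])}
        elif r := RULE.search(msg):
            state[thr]["rule"] = f"{r['rule']} {r['name']}"
        elif r := FAIL.search(msg):
            s = state[thr]
            findings.append({
                "exchange": r["xchg"], "msg_id": int(r["mid"]),
                "peer": s.get("peer"), "port": s.get("port"), "rule": s.get("rule"),
                # Port 4500 means the peer switched to UDP encapsulation after NAT
                # detection; a truncated ENCRYPTED payload there makes a capture on
                # both sides of the NAT the natural next step.
                "nat_t": s.get("port") == 4500,
            })
            state[thr] = {}
    return findings
```

Run `triage(open("/var/log/charon.log").read())` (path is an assumption; use wherever charon logs on the host) to get one record per failed exchange.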
