Hi,

> 10[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> 10[IKE] no IKE config found for 37.247.54.124...38.109.218.26, sending
> NO_PROPOSAL_CHOSEN
> 10[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]

> left=%defaultroute
> right=37.247.54.124

Can you confirm that your %defaultroute is over 38.109.218.26? You may try to use %any if you meant that, which should be much less problematic in matching.

> leftsourceip=10.7.1.11
> rightsourceip=10.7.1.10

What's your intention with setting both left/rightsourceip? With IKEv2 (and also with IKEv1 since 5.x), left/rightsourceip get assigned (and newly installed) to the peer using configuration payloads; does not make that much sense in this scenario, and certainly doesn't work for both ends.

charon automatically picks a source address for installed routes in the appropriate subnet. This is perfectly fine for most setups. If it is not, you might consider disabling automatic route installation and use fixed routes or the updown script to install custom routes.

> 12[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
> 12[IKE] received AUTHENTICATION_FAILED notify error
> 06[IKE] sending retransmit 1 of request message ID 0, seq 1
> 06[NET] sending packet: from 37.247.54.124[500] to 87.117.195.92[500] (220
> bytes)

Not sure how that AUTH_FAILED is related. That retransmission is for a different configuration?

> Is this is related to the NO_PROPOSAL_CHOSEN line ?

NO_PROPOSAL_CHOSEN is sent because the peer addresses don't match your configuration, see above.

> 03[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(MULT_AUTH) ]
> indicate charon thinks NAT is in play, as it isn't at either end

No, these payloads are used to check if there is any NAT situation, not after one has been detected.

Regards
Martin