On Mon, 27 May 2019, Ian Dobson wrote:
> I am running libreswan as a VPN (network-to-multiple clients) on a CentOS
> 7 platform. It has been working successfully to connect with an iOS client
> using IKEv1 + XAUTH.
ok.
> conn ikev2-rsa
>     type=tunnel
>     ikev2=insist
>     narrowing=yes
>     pfs=no
>     rekey=no
>     encapsulation=yes
>     fragmentation=yes
>     dpddelay=30
>     dpdtimeout=90
>     dpdaction=clear
>     left=144.132.45.114
>     leftrsasigkey=%cert
>     leftcert=vpn
>     leftsendcert=always
>     leftid=%fromcert
>     leftsubnet=0.0.0.0/0
>     right=%any
>     rightid=%fromcert
>     rightrsasigkey=%cert
>     rightca=%same
>     rightaddresspool=172.21.1.200-172.21.1.254
seems ok.
> tcpdump -i eth3 -nn host 144.132.45.114:
> listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
> 14:30:55.417934 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
> 14:30:58.495733 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
> 14:31:01.505931 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
> 14:31:04.495418 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp: parent_sa ikev2_init[I]
We cannot see much, other than that it is showing an IKEv2 packet. We really
need the logfiles.
> It seems that libreswan isn't responding at all to the first init packet.
Yeah.
> I don't think it's a firewall or routing related issue, as libreswan is
> quite happily negotiating an IKEv1 connection over the same interface.
Makes sense.
> There is nothing at all being output through syslog.
> Any ideas where I should start looking for the problem?
Do you have logfile= set in "config setup" in /etc/ipsec.conf? Then
all logs will go to the file instead of syslog. If not, perhaps set
logfile=/var/log/pluto.log to gather the logs.
Paul
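The symptom in the capture above (IKE_SA_INIT requests retransmitted by the client, never an IKE_SA_INIT response from the server) is easy to eyeball for one client but tedious across a busy gateway. The script below is an added example, not code from the thread or from the libreswan project: it reads the text output of `tcpdump -nn` and lists every initiator whose `ikev2_init[I]` requests to the server got no `ikev2_init[R]` back. It assumes the line shape tcpdump's isakmp decoder printed in the thread, rejoins lines that a mail client wrapped after "isakmp:", and uses a constructed sample capture (the four retransmits from the thread plus an invented client 203.0.113.7 that does get answered) so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or the libreswan project).
# Given tcpdump -nn text output, report IKEv2 initiators whose IKE_SA_INIT
# requests to SERVER_IP never got an IKE_SA_INIT response.
#
# Assumed line shape, as printed by tcpdump's isakmp decoder in the thread:
#   HH:MM:SS.usec IP SRC.PORT > DST.PORT: isakmp: parent_sa ikev2_init[I]
# A response has ikev2_init[R] with source and destination swapped.
# Mail clients often wrap the line after "isakmp:"; the awk below rejoins it.

# Constructed sample capture: the four unanswered retransmits from the
# thread, plus a constructed client 203.0.113.7 that is answered.
SAMPLE_CAPTURE='listening on eth3, link-type EN10MB (Ethernet), capture size 65535 bytes
14:30:55.417934 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp:
parent_sa ikev2_init[I]
14:30:58.495733 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp:
parent_sa ikev2_init[I]
14:31:01.505931 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp:
parent_sa ikev2_init[I]
14:31:04.495418 IP 1.143.57.22.30035 > 144.132.45.114.500: isakmp:
parent_sa ikev2_init[I]
14:32:10.000001 IP 203.0.113.7.4500 > 144.132.45.114.500: isakmp:
parent_sa ikev2_init[I]
14:32:10.020002 IP 144.132.45.114.500 > 203.0.113.7.4500: isakmp:
parent_sa ikev2_init[R]'

# unanswered_ikev2_init SERVER_IP < capture.txt
# Prints "INITIATOR.PORT COUNT" for each initiator endpoint that sent COUNT
# IKE_SA_INIT requests to SERVER_IP and received no IKE_SA_INIT response.
unanswered_ikev2_init() {
    server="$1"
    awk -v server="$server" '
        # A line ending in "isakmp:" was wrapped; hold it and glue the next
        # line onto it before parsing fields.
        /isakmp:$/ { held = $0; next }
        { if (held != "") { $0 = held " " $0; held = "" } }
        # Skip anything that is not a packet line (e.g. "listening on ...").
        $2 != "IP" { next }
        { src = $3; dst = $5; sub(/:$/, "", dst) }
        # Request from a client to the server: count it per initiator endpoint.
        /ikev2_init\[I\]/ && index(dst, server ".") == 1 { req[src]++ }
        # Response from the server: mark the destination endpoint as answered.
        /ikev2_init\[R\]/ && index(src, server ".") == 1 { resp[dst]++ }
        END {
            for (i in req)
                if (!(i in resp))
                    print i, req[i]
        }
    '
}

# Stand-alone demonstration on the constructed capture.
# prints: 1.143.57.22.30035 4
printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_ikev2_init 144.132.45.114
```

On the gateway, feed it a real capture: `tcpdump -i eth3 -nn host 144.132.45.114 > cap.txt` and then `unanswered_ikev2_init 144.132.45.114 < cap.txt`. An endpoint listed here, combined with no matching line in pluto's log (syslog or the `logfile=` set under "config setup"), means the packet reached the interface but pluto never logged receiving it, which is the distinction Paul is after when he asks for the logs rather than the capture. If the client is behind NAT it may retry on UDP 4500, so the check matches both the 500 and 4500 server ports by looking only at the server address prefix.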
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan