Here's everything I got

Jun 5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode to replace #686529
Jun 5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun 5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun 5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of retransmissions (2) reached STATE_MAIN_I2
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt 49 of an unlimited number
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode to replace #686575
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun 5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun 5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of retransmissions (2) reached STATE_MAIN_I2
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt 50 of an unlimited number
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode to replace #686617
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun 5 18:47:02 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
Jun 5 18:47:22 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
Continuously

On Fri, Jun 5, 2015 at 7:44 PM, Randy Wyatt <[email protected]> wrote:

> Can you post your logfile?
>
> The difference in configurations is the wiki has authby=secret in the
> default connection whereas you have it in the individual connection.
>
> Regards,
> Randy
>
> On Fri, Jun 5, 2015 at 10:39 AM, Alexandre DEPREZ <[email protected]>
> wrote:
>
>> yes, true, they are for openswan, my bad.
>>
>> I do not have a hand on the other side. Can't tell
>>
>> On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <[email protected]>
>> wrote:
>>
>>> Hello Alexandre,
>>>
>>> These options don't exist:
>>> leftxauthclient=no
>>> rightxauthserver=no
>>> You described using those in one of your last emails.
>>> What is the config on the other side?
>>>
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> On 05.06.2015 at 19:29, Alexandre DEPREZ wrote:
>>> > Randy,
>>> >
>>> > I'll change if there are no other possibilities.
>>> >
>>> > As for the link you gave me, thank you for it. I did a lot of digging
>>> > in the documentation I could read. So far, nothing seems to work.
>>> >
>>> > Noel,
>>> >
>>> > version 2.0
>>> >
>>> > config setup
>>> >     charonstart=no
>>> >     interfaces="%none"
>>> >     nat_traversal=no
>>> >
>>> > conn clear
>>> >     auto=ignore
>>> >
>>> > conn clear-or-private
>>> >     auto=ignore
>>> >
>>> > conn private-or-clear
>>> >     auto=ignore
>>> >
>>> > conn private
>>> >     auto=ignore
>>> >
>>> > conn block
>>> >     auto=ignore
>>> >
>>> > conn packetdefault
>>> >     auto=ignore
>>> >
>>> > conn %default
>>> >     keyexchange=ikev1
>>> >
>>> > conn tunnel-1
>>> >     left=a.a.a.a
>>> >     right=b.b.b.b
>>> >     leftsubnet=10.252.243.128/28
>>> >     rightsubnet=172.23.149.0/24
>>> >     leftsourceip=a.a.a.a
>>> >     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>> >     ikelifetime=86400s
>>> >     dpddelay=15s
>>> >     dpdtimeout=30s
>>> >     dpdaction=restart
>>> >     esp=aes256-sha1!
>>> >     keylife=3600s
>>> >     rekeymargin=540s
>>> >     type=tunnel
>>> >     authby=secret
>>> >     pfs=no
>>> >     compress=no
>>> >     auto=start
>>> >     keyingtries=%forever
>>> >
>>> > Also, I didn't get the imaginary configuration option part?
>>> >
>>> > Thanks
>>> >
>>> > On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <[email protected]> wrote:
>>> >
>>> > Hello Alexandre,
>>> >
>>> > Please stop trying to use some imaginary configuration options and
>>> > stick to those on the man page of ipsec.conf.
>>> >
>>> > What is your complete ipsec.conf? Pay attention to conn %default, if
>>> > you have that, as it will bequeath its own options to _all_ other conns.
>>> >
>>> > Mit freundlichen Grüßen/Kind Regards,
>>> > Noel Kuntze
>>> >
>>> > GPG Key ID: 0x63EC6658
>>> > Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>> >
>>> > On 05.06.2015 at 19:07, Alexandre DEPREZ wrote:
>>> > > Hi Randy,
>>> > >
>>> > > I forgot to mention, I'm using this version:
>>> > >
>>> > > Linux strongSwan U4.5.2/K3.2.0-4-amd64
>>> > >
>>> > > Here it is:
>>> > >
>>> > > conn tunnel-1
>>> > >     left=a.a.a.a
>>> > >     right=b.b.b.b
>>> > >     leftsubnet=10.252.243.128/28
>>> > >     rightsubnet=172.23.149.0/24
>>> > >     leftsourceip=a.a.a.a
>>> > >     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>> > >     ikelifetime=86400s
>>> > >     dpddelay=15s
>>> > >     dpdtimeout=30s
>>> > >     dpdaction=restart
>>> > >     esp=aes256-sha1!
>>> > >     keylife=3600s
>>> > >     rekeymargin=540s
>>> > >     type=tunnel
>>> > >     authby=secret
>>> > >     pfs=no
>>> > >     compress=no
>>> > >     auto=start
>>> > >     keyingtries=%forever
>>> > >
>>> > > I also tried to use
>>> > >
>>> > > leftxauthclient=no
>>> > > rightxauthserver=no
>>> > >
>>> > > No changes.
>>> > >
>>> > > Thanks
>>> > >
>>> > > On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <[email protected]> wrote:
>>> > >
>>> > > Please send a sanitized version of your configuration. xauth
>>> > > should only be sent if you configured it to be sent.
>>> > >
>>> > > On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <[email protected]> wrote:
>>> > >
>>> > > Hi,
>>> > >
>>> > > I'm using strongswan only for L2L VPN.
>>> > >
>>> > > It's been some time now, I can not be the initiator of the
>>> > > VPN because strongswan is always sending an XAUTH option in the
>>> > > phase 1 establishment.
>>> > >
>>> > > When the other side is not configured to receive remote
>>> > > user, it's working but when it is, I'm receiving L2TP/IPsec or some
>>> > > other remote access vpn protocols.
>>> > >
>>> > > I can not wait for the other side to send me traffic in order
>>> > > to be the responder. I tried to recompile strongswan removing xauth,
>>> > > but it's not working.
>>> > >
>>> > > Is there any configuration command I can use to force
>>> > > strongswan not to send XAUTH ?
>>> > >
>>> > > Thanks
>>> > >
>>> > > Alex
>
> --
> Randy W. Wyatt
> [email protected]
> Home: 858-309-5303
> Cell: 858-598-4421
> Fax: 858-408-7554

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
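
The retry loop visible in the pluto log at the top of this message can be summarized per state number (`#N`) to show where each Main Mode attempt stalls. This is an added example, not part of the original thread or of strongSwan; the function names `negotiations` and `retry_loop` and the record field names are assumptions chosen for illustration, and the sample lines are a subset copied from the log above.

```python
import re

# Subset of the pluto log lines quoted in the message above.
SAMPLE_LOG = '''\
Jun 5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun 5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of retransmissions (2) reached STATE_MAIN_I2
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt 49 of an unlimited number
Jun 5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of retransmissions (2) reached STATE_MAIN_I2
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt 50 of an unlimited number
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode to replace #686617
'''

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STALL = re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)')
RETRY = re.compile(r'starting keying attempt (\d+) of')
UNENC = 'Informational Exchange message must be encrypted'

def negotiations(log_text):
    """Return one record per pluto state number (#N), in order of first appearance."""
    recs = {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a per-connection pluto line
        rec = recs.setdefault((m['conn'], m['sa']), {
            'conn': m['conn'], 'sa': int(m['sa']),
            'unencrypted_info': 0, 'stalled_in': None, 'next_attempt': None})
        msg = m['msg']
        if UNENC in msg:
            rec['unencrypted_info'] += 1           # peer sent a cleartext notification
        elif (s := STALL.search(msg)):
            rec['stalled_in'] = s.group(1)         # state in which retransmissions ran out
        elif (r := RETRY.search(msg)):
            rec['next_attempt'] = int(r.group(1))  # attempt number announced for the retry
    return list(recs.values())

def retry_loop(log_text, min_stalls=2):
    """Map connection -> state it timed out in on min_stalls+ successive timeouts."""
    runs, loops = {}, {}
    # State numbers with no timeout logged (still in progress) are skipped.
    for rec in (r for r in negotiations(log_text) if r['stalled_in']):
        state, count = runs.get(rec['conn'], (None, 0))
        count = count + 1 if state == rec['stalled_in'] else 1
        runs[rec['conn']] = (rec['stalled_in'], count)
        if count >= min_stalls:
            loops[rec['conn']] = rec['stalled_in']
    return loops
```

Calling `retry_loop(SAMPLE_LOG)` flags `tunnel-1` as repeatedly timing out in `STATE_MAIN_I2`, and `negotiations(SAMPLE_LOG)` shows how many unencrypted Informational messages arrived during each attempt.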
