Increase your loglevel so we can see the initial messages of the connection. We need to see all the ISAKMP exchange messages.
On Fri, Jun 5, 2015 at 10:48 AM, Alexandre DEPREZ <[email protected]> wrote:
> Here's everything I got
>
> Jun 5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode to replace #686529
> Jun 5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Jun 5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
> Jun 5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
> Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of retransmissions (2) reached STATE_MAIN_I2
> Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt 49 of an unlimited number
> Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode to replace #686575
> Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Jun 5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
> Jun 5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
> Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of retransmissions (2) reached STATE_MAIN_I2
> Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt 50 of an unlimited number
> Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode to replace #686617
> Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Jun 5 18:47:02 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
> Jun 5 18:47:22 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
>
> Continuously
>
> On Fri, Jun 5, 2015 at 7:44 PM, Randy Wyatt <[email protected]> wrote:
>> Can you post your logfile?
>>
>> The difference in configurations is the wiki has authby=secret in the default connection whereas you have it in the individual connection.
>>
>> Regards,
>> Randy
>>
>> On Fri, Jun 5, 2015 at 10:39 AM, Alexandre DEPREZ <[email protected]> wrote:
>>> yes, true, they are for openswan, my bad.
>>>
>>> I do not have a hand on the other side. Can't tell
>>>
>>> On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <[email protected]> wrote:
>>>> Hello Alexandre,
>>>>
>>>> These options don't exist:
>>>> leftxauthclient=no
>>>> rightxauthserver=no
>>>> You described using those in one of your last emails.
>>>> What is the config on the other side?
>>>>
>>>> Mit freundlichen Grüßen/Kind Regards,
>>>> Noel Kuntze
>>>>
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>
>>>> On 05.06.2015 at 19:29, Alexandre DEPREZ wrote:
>>>>> Randy,
>>>>>
>>>>> I'll change if there are no other possibilities.
>>>>>
>>>>> As for the link you gave me, thank you for it. I did a lot of digging in the documentation I could read. So far, nothing seems to work.
>>>>>
>>>>> Noel,
>>>>>
>>>>> version 2.0
>>>>>
>>>>> config setup
>>>>>     charonstart=no
>>>>>     interfaces="%none"
>>>>>     nat_traversal=no
>>>>>
>>>>> conn clear
>>>>>     auto=ignore
>>>>>
>>>>> conn clear-or-private
>>>>>     auto=ignore
>>>>>
>>>>> conn private-or-clear
>>>>>     auto=ignore
>>>>>
>>>>> conn private
>>>>>     auto=ignore
>>>>>
>>>>> conn block
>>>>>     auto=ignore
>>>>>
>>>>> conn packetdefault
>>>>>     auto=ignore
>>>>>
>>>>> conn %default
>>>>>     keyexchange=ikev1
>>>>>
>>>>> conn tunnel-1
>>>>>     left=a.a.a.a
>>>>>     right=b.b.b.b
>>>>>     leftsubnet=10.252.243.128/28
>>>>>     rightsubnet=172.23.149.0/24
>>>>>     leftsourceip=a.a.a.a
>>>>>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>>>>     ikelifetime=86400s
>>>>>     dpddelay=15s
>>>>>     dpdtimeout=30s
>>>>>     dpdaction=restart
>>>>>     esp=aes256-sha1!
>>>>>     keylife=3600s
>>>>>     rekeymargin=540s
>>>>>     type=tunnel
>>>>>     authby=secret
>>>>>     pfs=no
>>>>>     compress=no
>>>>>     auto=start
>>>>>     keyingtries=%forever
>>>>>
>>>>> Also, I didn't get the imaginary configuration option part?
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <[email protected]> wrote:
>>>>>> Hello Alexandre,
>>>>>>
>>>>>> Please stop trying to use some imaginary configuration options and stick to those on the man page of ipsec.conf.
>>>>>>
>>>>>> What is your complete ipsec.conf? Pay attention to conn %default, if you have that, as it will bequeath its own options to _all_ other conns.
>>>>>>
>>>>>> Mit freundlichen Grüßen/Kind Regards,
>>>>>> Noel Kuntze
>>>>>>
>>>>>> On 05.06.2015 at 19:07, Alexandre DEPREZ wrote:
>>>>>>> Hi Randy,
>>>>>>>
>>>>>>> I forgot to mention, I'm using this version:
>>>>>>>
>>>>>>> Linux strongSwan U4.5.2/K3.2.0-4-amd64
>>>>>>>
>>>>>>> Here it is:
>>>>>>>
>>>>>>> conn tunnel-1
>>>>>>>     left=a.a.a.a
>>>>>>>     right=b.b.b.b
>>>>>>>     leftsubnet=10.252.243.128/28
>>>>>>>     rightsubnet=172.23.149.0/24
>>>>>>>     leftsourceip=a.a.a.a
>>>>>>>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>>>>>>     ikelifetime=86400s
>>>>>>>     dpddelay=15s
>>>>>>>     dpdtimeout=30s
>>>>>>>     dpdaction=restart
>>>>>>>     esp=aes256-sha1!
>>>>>>>     keylife=3600s
>>>>>>>     rekeymargin=540s
>>>>>>>     type=tunnel
>>>>>>>     authby=secret
>>>>>>>     pfs=no
>>>>>>>     compress=no
>>>>>>>     auto=start
>>>>>>>     keyingtries=%forever
>>>>>>>
>>>>>>> I also tried to use
>>>>>>>
>>>>>>> leftxauthclient=no
>>>>>>> rightxauthserver=no
>>>>>>>
>>>>>>> No changes.
>>>>>>>
>>>>>>> Thanks
>>>>>>>
>>>>>>> On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <[email protected]> wrote:
>>>>>>>> Please send a sanitized version of your configuration. xauth should only be sent if you configured it to be sent.
>>>>>>>>
>>>>>>>> On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <[email protected]> wrote:
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I'm using strongswan only for L2L VPN.
>>>>>>>>>
>>>>>>>>> It's been some time now, I can not be the initiator of the VPN because strongswan is always sending an XAUTH option in the phase 1 establishment.
>>>>>>>>>
>>>>>>>>> When the other side is not configured to receive remote user, it's working but when it is, I'm receiving L2TP/IPsec or some other remote access vpn protocols.
>>>>>>>>>
>>>>>>>>> I can not wait for the other side to send me traffic in order to be the responder. I tried to recompile strongswan removing xauth, but it's not working.
>>>>>>>>>
>>>>>>>>> Is there any configuration command I can use to force strongswan not to send XAUTH?
>>>>>>>>>
>>>>>>>>> Thanks
>>>>>>>>>
>>>>>>>>> Alex

--
Randy W. Wyatt
[email protected]
Home: 858-309-5303
Cell: 858-598-4421
Fax: 858-408-7554
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
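The log excerpt in this thread shows the pattern Randy is reacting to: every ISAKMP SA for "tunnel-1" dies in STATE_MAIN_I2 after the retransmit limit, the peer keeps answering with cleartext Informational Exchange messages that pluto discards, and keyingtries=%forever makes the keying-attempt counter climb forever. The following triage script is an added example written for this page, not code from the thread or from strongSwan; it parses pluto's per-SA log format and reports that pattern. The function names, the field names in the summary and the regular expressions are mine; the sample log lines are Alexandre's lines from the post, re-joined onto one line each because the mail client had wrapped them.

```python
import re

# Sample input: the pluto lines Alexandre posted in this thread, re-joined onto
# one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
Jun 5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode to replace #686529
Jun 5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun 5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun 5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of retransmissions (2) reached STATE_MAIN_I2
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt 49 of an unlimited number
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode to replace #686575
Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun 5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun 5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of retransmissions (2) reached STATE_MAIN_I2
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt 50 of an unlimited number
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode to replace #686617
Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun 5 18:47:02 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
Jun 5 18:47:22 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
"""

# One pluto per-SA line: syslog timestamp, host, pluto[pid]:, "conn" #sa: message
# (regular expression is mine, derived from the lines above)
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)


def parse_pluto_log(text):
    """Return one dict per line that carries a connection name and an ISAKMP SA number."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["sa"] = int(ev["sa"])
            events.append(ev)
    return events


def summarize_isakmp_sas(events):
    """Per ISAKMP SA: how many cleartext informationals pluto rejected, the state in
    which the retransmit limit was hit, the keying attempt started after that, and
    which earlier SA this one replaced."""
    sas = {}
    for ev in events:
        sa = sas.setdefault(ev["sa"], {
            "conn": ev["conn"],
            "unencrypted_informational": 0,
            "retransmit_limit_state": None,
            "keying_attempt": None,
            "replaces": None,
        })
        msg = ev["msg"]
        if msg.startswith("Informational Exchange message must be encrypted"):
            sa["unencrypted_informational"] += 1
        m = re.match(r"max number of retransmissions \(\d+\) reached (\S+)", msg)
        if m:
            sa["retransmit_limit_state"] = m.group(1)
        m = re.match(r"starting keying attempt (\d+) of", msg)
        if m:
            sa["keying_attempt"] = int(m.group(1))
        m = re.match(r"initiating Main Mode to replace #(\d+)", msg)
        if m:
            sa["replaces"] = int(m.group(1))
    return sas


def diagnose(sas):
    """Findings for an initiator that never gets past Phase 1."""
    findings = []
    states = {s["retransmit_limit_state"] for s in sas.values() if s["retransmit_limit_state"]}
    if len(states) == 1:
        findings.append("Phase 1 never completes: the retransmit limit is reached in "
                        f"{next(iter(states))} on every SA that timed out")
    attempts = sorted(s["keying_attempt"] for s in sas.values() if s["keying_attempt"] is not None)
    if len(attempts) >= 2 and attempts == list(range(attempts[0], attempts[-1] + 1)):
        findings.append(f"keying attempts {attempts[0]}..{attempts[-1]} follow each other with no "
                        "established SA in between (keyingtries=%forever keeps this going)")
    rejected = sum(s["unencrypted_informational"] for s in sas.values())
    if rejected:
        findings.append(f"peer answered with {rejected} cleartext Informational Exchange messages, "
                        "which pluto discards; what it was notifying is not visible at this log level")
    return findings


if __name__ == "__main__":
    summary = summarize_isakmp_sas(parse_pluto_log(SAMPLE_LOG))
    for num, s in sorted(summary.items()):
        print(f"#{num}: replaces #{s['replaces']}, cleartext informationals rejected: "
              f"{s['unencrypted_informational']}, timed out in: {s['retransmit_limit_state']}")
    for finding in diagnose(summary):
        print("-", finding)
```

The third finding is the reason for Randy's request at the top of the thread: at the default log level pluto only records that it dropped the cleartext message, not what the peer put in it, so the exchange has to be logged in full (in strongSwan 4.x this is raised through the plutodebug setting in config setup, which is my note, not something the thread states) before the cause of the Main Mode failure can be read off the log.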
