Hi,

Just to complete the thread: the IP of my strongSwan machine was going through a NAT process on the way to the peer, the source IP was changed and was being understood as a remote client by the peer.

No bug so far.

On Fri, Jun 5, 2015 at 8:32 PM, Randy Wyatt <[email protected]> wrote:
> Increase your loglevel so we can see the initial messages of the
> connection. We need to see all the ISAKMP exchange messages.
>
> On Fri, Jun 5, 2015 at 10:48 AM, Alexandre DEPREZ <[email protected]> wrote:
>> Here's everything I got:
>>
>> Jun 5 18:44:32 x pluto[23543]: "tunnel-1" #686575: initiating Main Mode to replace #686529
>> Jun 5 18:44:32 x pluto[23543]: "tunnel-1" #686575: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>> Jun 5 18:44:42 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
>> Jun 5 18:45:02 x pluto[23543]: "tunnel-1" #686575: Informational Exchange message must be encrypted
>> Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: max number of retransmissions (2) reached STATE_MAIN_I2
>> Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686575: starting keying attempt 49 of an unlimited number
>> Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686617: initiating Main Mode to replace #686575
>> Jun 5 18:45:42 x pluto[23543]: "tunnel-1" #686617: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>> Jun 5 18:45:52 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
>> Jun 5 18:46:12 x pluto[23543]: "tunnel-1" #686617: Informational Exchange message must be encrypted
>> Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: max number of retransmissions (2) reached STATE_MAIN_I2
>> Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686617: starting keying attempt 50 of an unlimited number
>> Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: initiating Main Mode to replace #686617
>> Jun 5 18:46:52 x pluto[23543]: "tunnel-1" #686661: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>> Jun 5 18:47:02 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
>> Jun 5 18:47:22 x pluto[23543]: "tunnel-1" #686661: Informational Exchange message must be encrypted
>>
>> Continuously.
>>
>> On Fri, Jun 5, 2015 at 7:44 PM, Randy Wyatt <[email protected]> wrote:
>>> Can you post your logfile?
>>>
>>> The difference in configurations is the wiki has authby=secret in the
>>> default connection whereas you have it in the individual connection.
>>>
>>> Regards,
>>> Randy
>>>
>>> On Fri, Jun 5, 2015 at 10:39 AM, Alexandre DEPREZ <[email protected]> wrote:
>>>> Yes, true, they are for Openswan, my bad.
>>>>
>>>> I do not have a hand on the other side. Can't tell.
>>>>
>>>> On Fri, Jun 5, 2015 at 7:35 PM, Noel Kuntze <[email protected]> wrote:
>>>>> Hello Alexandre,
>>>>>
>>>>> These options don't exist:
>>>>> leftxauthclient=no
>>>>> rightxauthserver=no
>>>>> You described using those in one of your last emails.
>>>>> What is the config on the other side?
>>>>>
>>>>> Kind Regards,
>>>>> Noel Kuntze
>>>>>
>>>>> GPG Key ID: 0x63EC6658
>>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>>
>>>>> On 05.06.2015 at 19:29, Alexandre DEPREZ wrote:
>>>>>> Randy,
>>>>>>
>>>>>> I'll change if there is no other possibility.
>>>>>>
>>>>>> As for the link you gave me, thank you for it. I did a lot of
>>>>>> digging in the documentation I could read. So far, nothing seems to work.
>>>>>>
>>>>>> Noel,
>>>>>>
>>>>>> version 2.0
>>>>>>
>>>>>> config setup
>>>>>>     charonstart=no
>>>>>>     interfaces="%none"
>>>>>>     nat_traversal=no
>>>>>>
>>>>>> conn clear
>>>>>>     auto=ignore
>>>>>>
>>>>>> conn clear-or-private
>>>>>>     auto=ignore
>>>>>>
>>>>>> conn private-or-clear
>>>>>>     auto=ignore
>>>>>>
>>>>>> conn private
>>>>>>     auto=ignore
>>>>>>
>>>>>> conn block
>>>>>>     auto=ignore
>>>>>>
>>>>>> conn packetdefault
>>>>>>     auto=ignore
>>>>>>
>>>>>> conn %default
>>>>>>     keyexchange=ikev1
>>>>>>
>>>>>> conn tunnel-1
>>>>>>     left=a.a.a.a
>>>>>>     right=b.b.b.b
>>>>>>     leftsubnet=10.252.243.128/28
>>>>>>     rightsubnet=172.23.149.0/24
>>>>>>     leftsourceip=a.a.a.a
>>>>>>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>>>>>     ikelifetime=86400s
>>>>>>     dpddelay=15s
>>>>>>     dpdtimeout=30s
>>>>>>     dpdaction=restart
>>>>>>     esp=aes256-sha1!
>>>>>>     keylife=3600s
>>>>>>     rekeymargin=540s
>>>>>>     type=tunnel
>>>>>>     authby=secret
>>>>>>     pfs=no
>>>>>>     compress=no
>>>>>>     auto=start
>>>>>>     keyingtries=%forever
>>>>>>
>>>>>> Also, I didn't get the imaginary configuration option part?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> On Fri, Jun 5, 2015 at 7:20 PM, Noel Kuntze <[email protected]> wrote:
>>>>>>> Hello Alexandre,
>>>>>>>
>>>>>>> Please stop trying to use some imaginary configuration options and stick to those
>>>>>>> on the man page of ipsec.conf.
>>>>>>>
>>>>>>> What is your complete ipsec.conf? Pay attention to conn %default, if you have that,
>>>>>>> as it will bequest its own options to _all_ other conns.
>>>>>>>
>>>>>>> Kind Regards,
>>>>>>> Noel Kuntze
>>>>>>>
>>>>>>> On 05.06.2015 at 19:07, Alexandre DEPREZ wrote:
>>>>>>>> Hi Randy,
>>>>>>>>
>>>>>>>> I forgot to mention, I'm using this version:
>>>>>>>>
>>>>>>>> Linux strongSwan U4.5.2/K3.2.0-4-amd64
>>>>>>>>
>>>>>>>> Here it is:
>>>>>>>>
>>>>>>>> conn tunnel-1
>>>>>>>>     left=a.a.a.a
>>>>>>>>     right=b.b.b.b
>>>>>>>>     leftsubnet=10.252.243.128/28
>>>>>>>>     rightsubnet=172.23.149.0/24
>>>>>>>>     leftsourceip=a.a.a.a
>>>>>>>>     ike=aes256-sha1-modp1024,aes128-sha1-modp1024!
>>>>>>>>     ikelifetime=86400s
>>>>>>>>     dpddelay=15s
>>>>>>>>     dpdtimeout=30s
>>>>>>>>     dpdaction=restart
>>>>>>>>     esp=aes256-sha1!
>>>>>>>>     keylife=3600s
>>>>>>>>     rekeymargin=540s
>>>>>>>>     type=tunnel
>>>>>>>>     authby=secret
>>>>>>>>     pfs=no
>>>>>>>>     compress=no
>>>>>>>>     auto=start
>>>>>>>>     keyingtries=%forever
>>>>>>>>
>>>>>>>> I also tried to use
>>>>>>>>
>>>>>>>> leftxauthclient=no
>>>>>>>> rightxauthserver=no
>>>>>>>>
>>>>>>>> No changes.
>>>>>>>>
>>>>>>>> Thanks
>>>>>>>>
>>>>>>>> On Fri, Jun 5, 2015 at 7:02 PM, Randy Wyatt <[email protected]> wrote:
>>>>>>>>> Please send a sanitized version of your configuration. xauth
>>>>>>>>> should only be sent if you configured it to be sent.
>>>>>>>>>
>>>>>>>>> On Fri, Jun 5, 2015 at 9:09 AM, Alexandre DEPREZ <[email protected]> wrote:
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I'm using strongSwan only for L2L VPN.
>>>>>>>>>>
>>>>>>>>>> It's been some time now, I cannot be the initiator of
>>>>>>>>>> the VPN because strongSwan is always sending an XAUTH option in the phase 1
>>>>>>>>>> establishment.
>>>>>>>>>>
>>>>>>>>>> When the other side is not configured to receive remote
>>>>>>>>>> users, it's working, but when it is, I'm receiving L2TP/IPsec or some other
>>>>>>>>>> remote access VPN protocols.
>>>>>>>>>>
>>>>>>>>>> I cannot wait for the other side to send me traffic in
>>>>>>>>>> order to be the responder. I tried to recompile strongSwan removing xauth,
>>>>>>>>>> but it's not working.
>>>>>>>>>>
>>>>>>>>>> Is there any configuration command I can use to force
>>>>>>>>>> strongSwan not to send XAUTH?
>>>>>>>>>>
>>>>>>>>>> Thanks
>>>>>>>>>>
>>>>>>>>>> Alex
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Users mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://lists.strongswan.org/mailman/listinfo/users
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Randy W. Wyatt
>>>>>>>>> [email protected]
>>>>>>>>> Home: 858-309-5303
>>>>>>>>> Cell: 858-598-4421
>>>>>>>>> Fax: 858-408-7554
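The root cause Alexandre reports is that a NAT on the path rewrote his gateway's source address, so the peer no longer matched the packet to the configured site-to-site tunnel and treated it as a remote-access client. The way IKE is meant to notice exactly this is the NAT-D payload of IKEv1 NAT Traversal (RFC 3947): each side hashes the addresses it believes it is talking from and to, and the receiver compares those hashes with the addresses it actually observes on the packet. The following is an added example written for this thread, not code from the thread or from the strongSwan project; it implements that comparison as a responder would evaluate it. The cookies, addresses and the hashing of IP plus port are as RFC 3947 describes, the concrete values (cookie bytes, 192.0.2.10 standing in for a.a.a.a, 203.0.113.9 for b.b.b.b, 198.51.100.7 for the post-NAT address) are constructed. Note that the posted config sets nat_traversal=no, which the ipsec.conf man page of that strongSwan generation documents as disabling NAT traversal in the pluto (IKEv1) daemon, so this detection would not have been available to the initiator as configured.

```python
# Added example (not from the thread or the strongSwan project): the NAT
# detection performed with IKEv1 NAT-D payloads (RFC 3947). It shows how a
# responder notices that an initiator's packets arrive from an address
# other than the one the initiator believes it has, which is what happened
# in the thread (source IP rewritten by a NAT on the path).
import hashlib
import ipaddress
import struct
from typing import List, Tuple


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int,
               hash_name: str = "sha1") -> bytes:
    """RFC 3947 NAT-D content: HASH(CKY-I | CKY-R | IP | Port).

    IP is the raw 4- or 16-byte address, Port is 2 bytes big-endian.
    The hash is the Phase 1 negotiated one; the thread's proposal is
    aes256-sha1, hence SHA-1 by default here.
    """
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    data = cky_i + cky_r + addr + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, peer_ip: str,
                         peer_port: int, local_ips: List[str],
                         local_port: int) -> List[bytes]:
    """Sender side: first the hash of the address it sends TO, then one
    hash per local address it may be sending FROM (RFC 3947 ordering)."""
    payloads = [nat_d_hash(cky_i, cky_r, peer_ip, peer_port)]
    for ip in local_ips:
        payloads.append(nat_d_hash(cky_i, cky_r, ip, local_port))
    return payloads


def detect_nat(cky_i: bytes, cky_r: bytes, received: List[bytes],
               my_ip: str, my_port: int,
               observed_src_ip: str, observed_src_port: int) -> Tuple[bool, bool]:
    """Receiver side. Returns (sender_behind_nat, receiver_behind_nat).

    - received[0] is the sender's view of MY address: if it differs from the
      hash of my real address, my address is rewritten on the path.
    - received[1:] are the sender's views of ITS OWN address(es): if none
      matches the source I actually observed, the sender is behind a NAT.
    """
    if len(received) < 2:
        raise ValueError("need one remote and at least one local NAT-D payload")
    receiver_nat = received[0] != nat_d_hash(cky_i, cky_r, my_ip, my_port)
    observed = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    sender_nat = observed not in received[1:]
    return sender_nat, receiver_nat


# Constructed scenario mirroring the thread: the initiator is configured with
# left=a.a.a.a and believes that is the address the peer sees, but a NAT on
# the path rewrites it. All cookies and addresses below are made up.
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
INITIATOR_IP = "192.0.2.10"      # stands in for a.a.a.a (what left= says)
RESPONDER_IP = "203.0.113.9"     # stands in for b.b.b.b
NATTED_SRC_IP = "198.51.100.7"   # what the responder actually sees after NAT
IKE_PORT = 500


def scenario(observed_src_ip: str) -> Tuple[bool, bool]:
    """One Main Mode NAT-D exchange, evaluated from the responder's side."""
    sent = build_nat_d_payloads(CKY_I, CKY_R, RESPONDER_IP, IKE_PORT,
                                [INITIATOR_IP], IKE_PORT)
    return detect_nat(CKY_I, CKY_R, sent, RESPONDER_IP, IKE_PORT,
                      observed_src_ip, IKE_PORT)


if __name__ == "__main__":
    print("direct path:", scenario(INITIATOR_IP))    # (False, False)
    print("NAT on path:", scenario(NATTED_SRC_IP))   # (True, False)
```

In the NAT case the responder learns that the initiator is behind a NAT and would float to UDP 4500 and UDP-encapsulate ESP; without NAT-T the responder has only the rewritten source address to match against its connection definitions, which is why a site-to-site peer can fall through to a roadwarrior or L2TP/IPsec policy as described in the thread. Because the hash covers the port as well, a NAT that only rewrites the source port is detected the same way.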
