[Swan] Problems converting from OpenSWAN to LibreSWAN

Nels Lindquist nlindq at maei.ca
Thu May 8 01:04:41 EEST 2014


On 5/7/2014 2:32 PM, Paul Wouters wrote:
> On Wed, 7 May 2014, Nels Lindquist wrote:
> 
>>> May  7 07:57:10 mail pluto[28834]: | sending IKE fragment id
>>> '1', number '1'
>>> 
>>> Can you try with both ike_frag=force and ike_frag=no ?
>> 
>> With ike_frag=force we get additional lines (discarding
>> duplicate packet; already STATE_MAIN_R2); with ike_frag=no the
>> behaviour is the same as before.  Would you like "plutodebug=all"
>> logs for either or both of these settings?
> 
> Hmm. I don't think that will help as it is the other end that is 
> unhappy. Have you tried this with another device, eg an iphone in
> L2TP mode or something? Just as reference?

I've only tested with other Windows devices.  In production that's all
we're using for clients connecting from outside.  Our current main VPN
gateway is still OpenSWAN, with a bunch of clients (Windows 7 mostly,
but a couple of legacy XP) successfully connecting.

>> May  7 13:45:04 mail pluto[14792]: "L2TP-Win2KXP"[1] 209.82.26.89
>> #6: discarding duplicate packet; already STATE_MAIN_R2
> 
> Is there a way to get the ipsec logs from the Windows machine to
> find out what it is complaining about?
> 
> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_ipsec_tools.mspx?mfr=true

I'll have to work more on this.  So far I've enabled IKE logging in
the Advanced Firewall, but the only message I get is:

An IPsec main mode negotiation failed.
Failure Reason:	New policy invalidated SAs formed with old policy

I think I'm going to have to delve into enabling the Oakley logs, which
apparently involve downloading XP programs to Windows 7, etc.  I'll
have to tackle that tomorrow.

Thanks for everyone's help so far!


-- 
Nels Lindquist
<nlindq at maei.ca>


