[Swan] Tunnel Going Down

Banana Man bananasgorilla16 at gmail.com
Fri Oct 21 20:53:21 UTC 2016


Probably I should have laid out my whole issue, but like I said I was
trying to keep it simple. Let me further complicate things - in all my
other tunnels I have used ike, not ikev2. I often need to connect to
multiple addresses on the remote side, and generally just make a new
connection for each address. Mostly I'm connecting to Cisco endpoints. That
has always worked fine in the past.

With this connection there are actually two tunnel configurations to the
same endpoint. I have figured out that when one connection is restarted, it
kills the other one. (It took me a while to figure this out because for one
I can ping the remote side and have a script monitoring it, but the other
one doesn't respond to pings so it's not ever being automatically
restarted.) Since figuring this out I have tried to simply change the
configuration so that I can just use one configuration, but if I change the
"rightsubnet=123.45.67.198/255.255.255.255" entry to
"rightsubnet=123.45.67.198/255.255.255.224" and try to connect I get yet another error:

134 "demo" #19333: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2
cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
003 "demo" #19333: missing payload(s)
(ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2TSi+ISAKMP_NEXT_v2TSr). Message dropped.
207 "demo" #19333: STATE_PARENT_I2: v2N_INVALID_SYNTAX

Do you think that the other side will need to change their configuration to
support this or am I just doing something really stupid? Is any of this
tied to IKEv2? If it would help I'd try going back to IKE if I can get the
other end to agree.

Thanks!
Bananas


On Fri, Oct 21, 2016 at 1:10 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Fri, 21 Oct 2016, Banana Man wrote:
>
>> I didn't want to confuse things, but I'm actually using a NAT with this
>> tunnel (as well as
>> several others on this machine). So left= is a different value (my
>> machine's real IP) than
>> leftsubnet= and leftsourceip=, which are the NAT address. So I think I
>> need to set both of
>> those. I have always used 255.255.255.255 in the subnet settings to
>> restrict to the single
>> IP, is this not advisable? I only want access to the machine I'm starting
>> the tunnel on,
>> not the whole subnet.
>>
>
> Ok, if leftsubnet is an IP different from left that is fine. That did
> not show in your posted config. If you are behind NAT, ensure you have
> the shorter ikelifetime= so you are always the end rekeying first.
>
> Paul
>
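A small check, added here and not part of the thread or of libreswan itself, for the change discussed above: it parses both subnet spellings libreswan accepts (prefix length and dotted netmask), models what an IKEv2 responder does with a proposed traffic selector per RFC 7296 section 2.9 (it may narrow the initiator's proposal to a subset it is configured for, or, if it does not narrow, insist on an exact match), and computes the single rightsubnet= that would cover a list of remote hosts. The two addresses are the ones quoted in the thread; the second host in the last call is constructed, and the `allow_narrowing` flag is an assumption of this model, not a libreswan option.

```python
"""Traffic-selector sanity checks for an IKEv2 tunnel configuration.

Added example (not from the mailing-list thread and not libreswan code).
Standard library only; the addresses below are the ones quoted in the
thread plus one constructed neighbour.
"""
import ipaddress


def parse_subnet(spec: str) -> ipaddress.IPv4Network:
    """Parse a libreswan-style subnet spec, accepting both the prefix-length
    form ("/32") and the dotted-netmask form ("/255.255.255.224").
    strict=False lets a host address such as 123.45.67.198/27 stand for
    the network it belongs to (123.45.67.192/27)."""
    return ipaddress.ip_network(spec, strict=False)


def narrow_selector(proposed: ipaddress.IPv4Network,
                    configured: ipaddress.IPv4Network,
                    allow_narrowing: bool = True):
    """Model the responder's traffic-selector decision (RFC 7296, 2.9).

    The responder may reply with a subset of what the initiator proposed
    ("narrowing"). If it does not narrow, the proposal has to match its
    configured selector exactly. Returns the agreed selector, or None
    when no Child SA can be negotiated for these selectors."""
    if proposed == configured:
        return configured
    if not allow_narrowing:
        return None
    if configured.subnet_of(proposed):
        return configured          # responder narrows to its own range
    if proposed.subnet_of(configured):
        return proposed            # responder accepts the smaller proposal
    return None                    # disjoint ranges


def covering_network(hosts):
    """Smallest single network containing every listed host, i.e. the one
    rightsubnet= value that could replace a set of per-host connections.
    Starts from the first host's /32 and widens one bit at a time."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


if __name__ == "__main__":
    old = parse_subnet("123.45.67.198/255.255.255.255")  # value from the thread
    new = parse_subnet("123.45.67.198/255.255.255.224")  # value from the thread
    print(old, "->", new)
    # Peer still configured for the single host: a narrowing responder
    # settles on the /32, an exact-match responder rejects the proposal.
    print(narrow_selector(new, old))
    print(narrow_selector(new, old, allow_narrowing=False))
    # Constructed: two remote hosts that today need two connections.
    print(covering_network(["123.45.67.198", "123.45.67.201"]))
```

Before widening a selector on one end, the useful question is whether the peer's configured selector contains it or the peer is known to narrow; if neither holds, the Child SA negotiation fails regardless of how the local side is written.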