[Swan] Tunnel Going Down

Paul Wouters paul at nohats.ca
Sat Oct 22 01:00:16 UTC 2016


On Fri, 21 Oct 2016, Banana Man wrote:

> Probably I should have laid out my whole issue, but like I said I was trying to keep it simple. Let me further complicate things - in all my other tunnels I have used ike, not ikev2. I
> often need to connect to multiple addresses on the remote side, and generally just make a new connection for each address. Mostly I'm connecting to Cisco endpoints. That has always
> worked fine in the past.
> 
> With this connection there are actually two tunnel configurations to the same endpoint. I have figured out that when one connection is restarted, it kills the other one. (It took me a

You can try the config setup option uniqueids=no which will prevent the
delete on libreswan's end. But I'm not sure how the remote end will
behave. Be sure not to have initial-contact=yes or else they might
kill the old one.

> 134 "demo" #19333: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128 integ=sha1_96 prf=sha group=MODP2048}
> 003 "demo" #19333: missing payload(s) (ISAKMP_NEXT_v2SA+ISAKMP_NEXT_v2TSi+ISAKMP_NEXT_v2TSr). Message dropped.
> 207 "demo" #19333: STATE_PARENT_I2: v2N_INVALID_SYNTAX

The payloads are missing because they send back a notify of invalid
syntax. So they didn't like that exchange. It is a very unusual error
though.

Paul
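
An ipsec.conf sketch of the two-conns-to-one-peer setup with the options discussed above, added here as an illustration (it is not Paul's reply nor libreswan's own example config); the addresses, subnets, conn names and the PSK auth method are assumed placeholders:

```ini
# Added illustration, not Paul's or the libreswan project's own config.
# Two libreswan conns to the same remote gateway, one per remote subnet
# (the "one connection per address" pattern from the thread).
# All addresses, names and the PSK auth method are assumed placeholders.

config setup
    # Default is uniqueids=yes: a new IKE SA from the same peer ID replaces
    # (deletes) the existing one, which is how restarting "demo-a" can take
    # "demo-b" down when both use the same IDs. uniqueids=no stops that
    # delete on the libreswan side only; the remote end may still behave
    # differently.
    uniqueids=no

conn common-peer
    left=192.0.2.10            # assumed local gateway address
    right=198.51.100.1         # assumed remote (Cisco) gateway address
    authby=secret
    ikev2=insist               # libreswan 3.x spelling for IKEv2-only
    ike=aes128-sha1;modp2048   # matches the proposal shown in the log
    # Do not announce INITIAL_CONTACT, or the peer may tear down the
    # other tunnel when this one (re)starts.
    initial-contact=no

conn demo-a
    also=common-peer
    leftsubnet=10.0.0.0/24     # assumed
    rightsubnet=10.1.0.0/24    # assumed
    auto=start

conn demo-b
    also=common-peer
    leftsubnet=10.0.0.0/24     # assumed
    rightsubnet=10.2.0.0/24    # assumed
    auto=start
```

After changing uniqueids, a full `ipsec restart` is needed since it is a config setup option; check `ipsec status` afterwards to confirm both conns stay established when one is restarted.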

