[Swan] ipsec tunnel connections not setup for over 200 connections

Paul Wouters paul at nohats.ca
Tue Aug 8 16:04:01 UTC 2017


On Sat, 5 Aug 2017, Balaji Meenakshisundaram -X (bameenak - HCL TECHNOLOGIES LIMITED at Cisco) wrote:

> and...Tunnel does not get setup....
> 
> packet from 15.1.1.91:500: initial Main Mode message received on 10.78.29.212:500 but no connection has been authorized with policy RSASIG+IKEV1_ALLOW

That means a misconfiguration. Something is not matching up between
server and that client.

> As mentioned, this message is not observed when the numbers of virtual devices that is getting managed is 200. Tunnel connections are also fine in that case.

I don't entirely understand your "virtual devices"? Are you talking
about VTI devices?

> Extract from ipsec conf file in Host 1-
> 
> conn snmp_15.1.1.91
>     type=transport
>     ike=aes256-sha1;modp2048
>     phase2alg=aes256-sha1;modp2048
>     authby=rsasig
>     ike-frag=yes
>     nat-ikev1-method=drafts
>     auto=start
>     keyingtries=%forever
>     dpdaction=restart
>     dpddelay=86400
>     dpdtimeout=86400
> # left side configuration
>     leftid=%fromcert
>     left=15.1.1.91
>     leftprotoport=udp/161
>     leftcert="user1"
>     leftrsasigkey=%cert
>     leftsendcert=always
> #right configuration - PI
>     rightid="C=in, ST=nd, L=noi, O=abc, OU=def, CN=host2.company.com"
>     right=10.78.29.212
>     rightprotoport=udp
>     rightrsasigkey=%cert
>     rightsendcert=always

Note you should indent those # comment lines similarly to the other lines.

If you have the logs caused by the failing client it might reveal more.
Possibly, you can enable plutodebug= to get more details on what is
going on.

>     forceencaps=yes

You are using transport mode and force encaps? That seems wrong. If
there is NAT involved, you should use tunnel mode. If there is no NAT
involved you should not need forceencaps (unless your firewall
mistakenly blocks ESP, in which case you should just fix that instead).

Paul
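As an added illustration (not code from the post or from the libreswan project), a small Python checker that parses a conn block like the one quoted above and flags the two points the reply raises: comment lines not indented like the other lines, and type=transport combined with forceencaps=yes. SAMPLE_CONF is a constructed copy of the quoted excerpt; the finding wording is this script's own assumption.

```python
# Added example, not from the mailing-list post or the libreswan project:
# lint an ipsec.conf conn block for the two points raised in the reply above.
# SAMPLE_CONF is a constructed copy of the quoted excerpt.
import re

SAMPLE_CONF = """\
conn snmp_15.1.1.91
    type=transport
    ike=aes256-sha1;modp2048
    authby=rsasig
# left side configuration
    left=15.1.1.91
    leftprotoport=udp/161
#right configuration - PI
    right=10.78.29.212
    rightprotoport=udp
    forceencaps=yes
"""

def parse_conns(text):
    """Return ({conn_name: {key: value}}, [(lineno, raw_comment_line)])."""
    conns, comments, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):
            comments.append((lineno, raw))
        elif re.match(r"conn\s+\S+$", line):
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns, comments

def lint(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conns, comments = parse_conns(text)
    findings = []
    # comment lines sitting flush-left inside an indented conn block
    for lineno, raw in comments:
        if not raw.startswith((" ", "\t")):
            findings.append(f"line {lineno}: comment not indented like the other lines")
    for name, opts in conns.items():
        # transport mode plus forced UDP encapsulation contradicts itself: NAT
        # traversal calls for tunnel mode, and without NAT forceencaps is unneeded
        if opts.get("type") == "transport" and opts.get("forceencaps") == "yes":
            findings.append(f"conn {name}: type=transport combined with forceencaps=yes")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)) or "no findings")
```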

