[Swan] Help needed: STATE_MAIN_I3: 60 second timeout exceeded after 7 retransmits. Possible authentication failure: no acceptable response to our first encrypted message
Paul Wouters
paul at nohats.ca
Wed Apr 17 10:38:57 UTC 2019
You are using IKEv1, so check RFC 2409 :)
It could also be a large packet size issue if you are using certificates - try enabling fragmentation=yes
Sent from mobile device
> On Apr 17, 2019, at 11:49, Mathieu Rossignol <mathieu.rossignol at hurence.com> wrote:
>
> Ok that's noted thx.
>
> BTW do you have an idea what the STATE_MAIN_I3 state I'm stuck in is? I guess it's the state where you send your PSK key and are waiting for the other party to authenticate it, but I could not find any doc on this. The IKEv2 RFC does not mention that either, nor the libreswan doc (https://libreswan.org/wiki/Pluto_internals). Would be great to have somewhere the mapping between internal libreswan states/state machine and the IKE PDUs spec or something. This would maybe give a clue of what's happening. Even better in my case would potentially be a more explicit message... don't know...
>
>> On 4/17/19 11:37 AM, Tuomo Soini wrote:
>> On Wed, 17 Apr 2019 11:21:42 +0200
>> Mathieu Rossignol <mathieu.rossignol at hurence.com> wrote:
>>
>>> Hi Tuomo,
>>>
>>> Thank you very much for your answer.
>>>
>>> My last sentence was malformed (I meant 'like if the key was invalid')
>>> and in fact I also realized in between that when you change the PSK
>>> file, you must restart the daemon in order to have it taken into
>>> account. With that test (removing the key file), I saw a different
>>> behaviour as expected (no suitable key found). I have also requested
>>> a contact for the other party (VPN other side) to tell me what's wrong
>>> in their logs. Still waiting for an answer. Will follow up if any
>>> news. Many thanks.
>> You can force rereading psk with command 'ipsec auto --rereadsecrets'
>> without need for restart.
>>
> --
> Mathieu Rossignol
> Architecte/Développeur Big Data
>
> mathieu.rossignol at hurence.com | +33 (0)6 63646410
> Hurence SAS
> 400 Chemin des Longs Prés
> 38660 LUMBIN, France
> http://www.hurence.com