[Swan] Help needed: STATE_MAIN_I3: 60 second timeout exceeded after 7 retransmits. Possible authentication failure: no acceptable response to our first encrypted message

Paul Wouters paul at nohats.ca
Wed Apr 17 10:38:57 UTC 2019

You are using IKEv1, so check RFC 2409 :)

It could also be a large packet size issue if you are using certificates - try enabling fragmentation=yes 

Sent from mobile device

> On Apr 17, 2019, at 11:49, Mathieu Rossignol <mathieu.rossignol at hurence.com> wrote:
> Ok that's noted thx.
> BTW do you have an idea what the STATE_MAIN_I3 state i'm stuck is? I guess it's the state where you send your PSK key and are waiting for the other part to authenticate it, but I could not find any doc on this. The IKEv2 RFC does not mention that neither, nor the libreswan doc (https://libreswan.org/wiki/Pluto_internals). Would be great to have somewhere the mapping between internal libreswan states/state machine and the IKE PDUs spec or something. This would may be give a clue of what's happening. Even better in my case would potentially be a more explicit message...don't know....
>> On 4/17/19 11:37 AM, Tuomo Soini wrote:
>> On Wed, 17 Apr 2019 11:21:42 +0200
>> Mathieu Rossignol <mathieu.rossignol at hurence.com> wrote:
>>> Hi Tuomo,
>>> Thank you very much for your answer.
>>> My last setence was malformed (I meant 'like if the key was invalid') 
>>> and in fact I also realized in between that when you change the PSK 
>>> file, you must restart the dameon in order to have it taken into 
>>> account. With that test (removing the key file), I saw a different 
>>> behaviour as expected (no suitable key found). I have also requested
>>> a contact for the other part (VPN other side) to tell me what's wrong
>>> in their logs. Still waiting for an answer. Will follow up if any
>>> news. Many thanks.
>> You can force rereading psk with command 'ipsec auto --rereadsecrets'
>> without need for restart.
> -- 
> Mathieu Rossignol
> Architecte/Développeur Big Data
> mathieu.rossignol at hurence.com | +33 (0)6 63646410             
> Hurence SAS
> 400 Chemin des Longs Prés
> 38660 LUMBIN, France 
> http://www.hurence.com
> <Image1>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20190417/f6b1f46a/attachment.html>

More information about the Swan mailing list