[Swan] Could not establish IPsec tunnel

Paul Wouters paul at nohats.ca
Wed Nov 13 20:06:33 UTC 2019


On Wed, 13 Nov 2019, Paul Smith wrote:

> I am trying to establish a L2TP VPN connection using libreswan on
> Fedora 31 to connect to a MS Windows server, but getting the problem
> below.

> 004 "ec9a3d05-1842-403a-84b5-371af56faa30" #1: STATE_MAIN_I4: ISAKMP
> SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1
> group=MODP1024}

Phase 1 established.

> 002 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: initiating Quick Mode
> PSK+ENCRYPT+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
> {using isakmp#1 msgid:b951826e proposal=3DES_CBC-HMAC_SHA1_96
> pfsgroup=MODP1024}
> 117 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I1: initiate
> 010 "ec9a3d05-1842-403a-84b5-371af56faa30" #2: STATE_QUICK_I1:
> retransmission; will wait 0.5 seconds for response

This times out. Usually it means the other end does not like your phase2
proposal but did not bother to tell you. Check the esp/phase2alg and pfs
settings. Also make sure you have leftprotoport/rightprotoport set up for
L2TP. Also check if you are using transport mode, not tunnel mode.

Paul
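
The checks listed in the reply above, as an added example that is not part of the original message and not libreswan's own code: a small Python script that parses ipsec.conf-style text and flags each point for a conn. The sample configuration, the conn name and the address 192.0.2.10 are constructed; treating an absent type as tunnel and an absent pfs as yes, and expecting 17/1701 on both sides for an L2TP client, are assumptions of this example.

```python
# Added example: lint an L2TP/IPsec conn for the phase 2 points in the reply.
SAMPLE_CONF = """\
# constructed sample, not the poster's configuration
conn l2tp-example
    type=tunnel
    left=%defaultroute
    right=192.0.2.10
    rightprotoport=17/1701
    pfs=yes
"""
L2TP_PROTOPORT = "17/1701"  # IP protocol 17 (UDP), port 1701 (L2TP)

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # section header starts at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) > 1
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns

def check_l2tp_conn(params):
    """Return a list of findings for one conn's options."""
    findings = []
    if params.get("type", "tunnel") != "transport":  # absent means tunnel
        findings.append("type is not transport")
    for side in ("leftprotoport", "rightprotoport"):
        value = params.get(side)
        if value is None:
            findings.append(f"{side} is not set")
        elif value != L2TP_PROTOPORT:
            findings.append(f"{side}={value}, expected {L2TP_PROTOPORT}")
    if "esp" not in params and "phase2alg" not in params:
        findings.append("no esp/phase2alg set, defaults will be proposed")
    pfs = params.get("pfs", "yes")  # absent means yes
    findings.append(f"review: pfs={pfs} must match the peer")
    return findings

if __name__ == "__main__":
    for name, params in parse_conns(SAMPLE_CONF).items():
        for finding in check_l2tp_conn(params):
            print(f"{name}: {finding}")
```

The script only reports what the conn section says; whether the peer accepts a given esp/phase2alg or pfs value still has to be confirmed against the other end.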

