[Swan] IKEv2 causing netlink errors

Paul Wouters paul at nohats.ca
Tue Dec 10 22:44:58 UTC 2019


On Tue, 10 Dec 2019, Peter Rofner wrote:

>>>  Dec 10 07:04:14 [pluto] "Richmond_Home" #1: initiating v2 parent SA
>>
>>>  Dec 10 07:04:14 [pluto] "Richmond_Home" #2: IKE SA authentication request
>>>  rejected by peer: AUTHENTICATION_FAILED
>>
>>  Do you have a log of the peer for this? Only that end knows why it
>>  rejected this.
>
> Here's what I see on the peer end at that point:
>
> ----
> Dec 10 17:03:27 [pluto] "Richmond_Home" #2: ERROR: asynchronous network error 
> report on eno2 (sport=500) for message to x.x.x.x port 500, complainant 
> x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not 
> authenticated)]
> Dec 10 17:03:28 [pluto] "Richmond_Home" #2: STATE_PARENT_I1: retransmission; 
> will wait 0.5 seconds for response
> ----

That does not make sense. You must be looking at the wrong logs?
The IKEv2 negotiation goes:

IKE_SA_INIT request ----->
                     <----- IKE_SA_INIT reply
IKE_AUTH request    ----->
                     <----- IKE_AUTH reply

Your first log shows you sent an IKE_SA_INIT request and got a reply, then
sent an IKE_AUTH request and got a reply with AUTHENTICATION_FAILED.


The second log shows it is not responding to anything, but initiating
its own IKE_SA_INIT request, and a firewall or gateway fails it or
the remote IP is not the right one.

There might be two things going on at the same time, but then you didn't
match up the attempts when you looked up the logs.

Paul
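As an added example, not part of this thread or of libreswan itself: a small parser that reads pluto lines in the format quoted above, infers from each end's own messages whether that end was acting as initiator or responder, and flags when two excerpts cannot be two views of the same IKE_SA_INIT/IKE_AUTH exchange. It assumes the line layout shown in the quotes; the responder state name STATE_PARENT_R* is an assumption, not something the thread shows.

```python
import re
from collections import defaultdict

# Matches the pluto line format quoted in this thread, e.g.
#   Dec 10 07:04:14 [pluto] "Richmond_Home" #1: initiating v2 parent SA
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \[pluto\] '
                     r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def parse_pluto(lines):
    """Yield (timestamp, conn, sa_number, message) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["conn"], int(m["sa"]), m["msg"]

def role_of(msg):
    """Infer the IKEv2 role the local end plays from one message. Only the
    initiator logs 'initiating v2 parent SA', STATE_PARENT_I* and 'rejected by
    peer' (the responder sends that notify, it does not receive it).
    STATE_PARENT_R* as the responder state name is an assumption."""
    if (msg.startswith("initiating v2 parent SA") or "STATE_PARENT_I" in msg
            or "rejected by peer" in msg):
        return "initiator"
    if "STATE_PARENT_R" in msg:
        return "responder"
    return None  # e.g. a bare network-error report implies no role by itself

def roles_by_conn(lines):
    """Summarise each connection name as the set of roles its lines imply."""
    roles = defaultdict(set)
    for _ts, conn, _sa, msg in parse_pluto(lines):
        r = role_of(msg)
        if r:
            roles[conn].add(r)
    return roles

def logs_describe_same_exchange(local_lines, peer_lines, conn):
    """True only if one excerpt shows the initiator and the other the responder
    for `conn`. If both show the initiator role they cannot be two views of one
    exchange: the attempts were not matched up."""
    a = roles_by_conn(local_lines).get(conn, set())
    b = roles_by_conn(peer_lines).get(conn, set())
    return ("initiator" in a and "responder" in b) or ("responder" in a and "initiator" in b)

# Constructed sample excerpts, copied from the two logs quoted in this thread.
LOCAL = ['Dec 10 07:04:14 [pluto] "Richmond_Home" #1: initiating v2 parent SA',
         'Dec 10 07:04:14 [pluto] "Richmond_Home" #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED']
PEER = ['Dec 10 17:03:27 [pluto] "Richmond_Home" #2: ERROR: asynchronous network error report on eno2 (sport=500) for message to x.x.x.x port 500, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]',
        'Dec 10 17:03:28 [pluto] "Richmond_Home" #2: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response']
```

Run on the two excerpts above, both ends come out as initiator and `logs_describe_same_exchange(LOCAL, PEER, "Richmond_Home")` is False, which is the mismatch the reply points out.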