[Swan] Connect fails with STATE_V2_PARENT_I1 retransmission

Alex mysqlstudent at gmail.com
Wed Jun 7 22:58:14 EEST 2023


Hi,

On Sun, Jun 4, 2023 at 12:19 PM Alex <mysqlstudent at gmail.com> wrote:

>
>> Jun  4 11:49:48.969175: "mail03-polaris" #4: sent IKE_SA_INIT reply {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
>> Jun  4 11:49:49.468301: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
>> Jun  4 11:49:49.968929: "mail03-polaris" #4: received duplicate IKE_SA_INIT message request (Message ID 0); retransmitting response
>>
>
> I realized I may not have made it clear that my report and all of the
> information here is focused on the connection between mail03 and polaris.
>
> I thought it might also be helpful to have a bit of output from tcpdump on
> the server with the problem.
>
> # tcpdump -n -i enp3s0 esp or udp port 500 or udp port 4500 or tcp port 4500
> dropped privs to tcpdump
> tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
> listening on enp3s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
> 12:14:37.375402 IP 68.195.111.45.isakmp > 147.135.9.126.isakmp: isakmp: parent_sa ikev2_init[I]
> 12:14:37.391669 IP 147.135.9.126.isakmp > 68.195.111.45.isakmp: isakmp: parent_sa ikev2_init[R]
>
> No esp traffic? I'm also not doing NAT-T so I suppose there wouldn't be
> any port 4500.
>

I figured out it may be related to adding a new IP address on the same
interface. Can I explicitly define the IP address to use?

I started to see traffic going out on the new IP address but not coming
back. I tried to open the firewall on the other side to accept traffic from
the new IP, but it also didn't work (I didn't actually think it would).

Ideas greatly appreciated.

>
> Thanks,
> Alex
>
>