<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace">Using leftid=%fromcert did not help.</div><div class="gmail_default" style="font-family:monospace,monospace">I tried digging into the logs but I can't find the root cause.</div><div class="gmail_default" style="font-family:monospace,monospace">How can I troubleshoot PKI based authentication?</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">Thanks</div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><br><div>Noam Singer<br></div><div> </div><div><b><font face="arial, helvetica, sans-serif">Co-founder and </font></b><b><font face="arial, helvetica, sans-serif"><span>CSO</span> <br></font></b></div><div><b><font face="arial, helvetica, sans-serif">FortyCloud Ltd.</font></b></div><div>
<br></div>Cell: +972 54 242 1064<div>Fax: +972 72 215 2980</div><div>Email: <a href="mailto:noam@fortycloud.com" target="_blank">noam@fortycloud.com</a></div><div>Web: <a href="http://www.fortycloud.com" target="_blank">www.fortycloud.com</a><div style="width:16px;height:16px;display:inline-block"> </div> </div>
<div><span>Skype: noamsinger<br></span> <br></div><div><b><font color="#3366ff" face="arial, helvetica, sans-serif">FortyCloud - Make your Public Cloud Private</font></b></div><span><font color="#888888"></font></span></div></div></div></div></div>
<br><div class="gmail_quote">On Mon, Feb 1, 2016 at 3:20 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Try using leftid=%fromcert<br><br>The logs only showed the retransmits, not the original failure</div><div><br></div><div>Paul</div><div><br>Sent from my iPhone</div><div><div class="h5"><div><br>On Feb 1, 2016, at 14:02, Noam Singer <<a href="mailto:noam@fortycloud.com" target="_blank">noam@fortycloud.com</a>> wrote:<br><br></div><blockquote type="cite"><div><div dir="ltr"><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace">Hello </font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">I am trying to set an IPSec connection with certificates (same CA for both certs), but my connection does not pass the STATE_MAIN_I3 state.</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">Is there a way to better troubleshoot the PKI failures</font></div><div class="gmail_default"><font face="monospace, monospace">Am I doing something wrong?</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">I would appreciate any help.</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">Thanks in advance </font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><span style="font-family:monospace,monospace">I have setup the following configuration </span><br></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><div class="gmail_default"><font face="monospace, monospace">Using LibreSwan 3.15</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div></div><div class="gmail_default"><font face="monospace, monospace">/etc/ipsec.secrets:</font></div><div class="gmail_default"><font face="monospace, monospace">-------------------</font></div><div class="gmail_default"><font face="monospace, monospace">54.194.188.148 54.194.210.197 : RSA globalCertificate</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">/etc/ipsec.conf:</font></div><div class="gmail_default"><font face="monospace, monospace">----------------</font></div><div class="gmail_default"><font face="monospace, monospace">config setup</font></div><div class="gmail_default"><font face="monospace, monospace"> plutodebug = all</font></div><div class="gmail_default"><font face="monospace, monospace">include /etc/ipsec.d/*.conf</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">/etc/ipsec.d/connST603.conf:</font></div><div class="gmail_default"><font face="monospace, monospace">----------------------------</font></div><div class="gmail_default"><font face="monospace, monospace">conn connST603</font></div><div class="gmail_default"><font face="monospace, monospace"> authby = rsasig</font></div><div class="gmail_default"><font face="monospace, monospace"> auto = start</font></div><div class="gmail_default"><font face="monospace, monospace"> dpdaction = restart</font></div><div class="gmail_default"><font face="monospace, monospace"> dpddelay = 30</font></div><div class="gmail_default"><font face="monospace, monospace"> dpdtimeout = 120</font></div><div class="gmail_default"><font face="monospace, monospace"> esp = aes128-sha1</font></div><div class="gmail_default"><font face="monospace, monospace"> forceencaps = yes</font></div><div class="gmail_default"><font face="monospace, monospace"> ike = aes128-sha1</font></div><div class="gmail_default"><font face="monospace, monospace"> ikelifetime = 86400s</font></div><div class="gmail_default"><font face="monospace, monospace"> left = %defaultroute</font></div><div class="gmail_default"><font face="monospace, monospace"> leftcert = globalCertificate</font></div><div class="gmail_default"><font face="monospace, monospace"> leftid = 54.194.188.148</font></div><div class="gmail_default"><font face="monospace, monospace"> leftrsasigkey = %cert</font></div><div class="gmail_default"><font face="monospace, monospace"> leftsubnets = <a href="http://172.24.128.0/24" target="_blank">172.24.128.0/24</a></font></div><div class="gmail_default"><font face="monospace, monospace"> lifetime = 28800s</font></div><div class="gmail_default"><font face="monospace, monospace"> pfs = no</font></div><div class="gmail_default"><font face="monospace, monospace"> right = 54.194.210.197</font></div><div class="gmail_default"><font face="monospace, monospace"> rightid = 54.194.210.197</font></div><div class="gmail_default"><font face="monospace, monospace"> rightsubnets = <a href="http://172.24.131.0/24" target="_blank">172.24.131.0/24</a></font></div><div class="gmail_default"><font face="monospace, monospace"> type = tunnel</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><span style="white-space:pre-wrap"><font face="monospace, monospace"> </font></span></div><div class="gmail_default"><font face="monospace, monospace">** I also tried using leftid="CN=...", but got similar results<span style="white-space:pre-wrap"> </span></font></div><div class="gmail_default"><span style="white-space:pre-wrap"><font face="monospace, monospace"> </font></span></div><div class="gmail_default"><font face="monospace, monospace">The certificates look fine to me</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">The signed certificate:</font></div><div class="gmail_default"><font face="monospace, monospace">-----------------------</font></div><div class="gmail_default"><font face="monospace, monospace">openssl x509 -text -noout -in /etc/xxx/globalCertificate.pem</font></div><div class="gmail_default"><font face="monospace, monospace">Certificate:</font></div><div class="gmail_default"><font face="monospace, monospace"> Data:</font></div><div class="gmail_default"><font face="monospace, monospace"> Version: 3 (0x2)</font></div><div class="gmail_default"><font face="monospace, monospace"> Serial Number: 1 (0x1)</font></div><div class="gmail_default"><font face="monospace, monospace"> Signature Algorithm: sha256WithRSAEncryption</font></div><div class="gmail_default"><font face="monospace, monospace"> Issuer: CN=noamPlay3, OU=noamPlay3</font></div><div class="gmail_default"><font face="monospace, monospace"> Validity</font></div><div class="gmail_default"><font face="monospace, monospace"> Not Before: Jan 27 16:15:17 2016 GMT</font></div><div class="gmail_default"><font face="monospace, monospace"> Not After : Jan 26 16:15:17 2026 GMT</font></div><div class="gmail_default"><font face="monospace, monospace"> Subject: CN=54.194.188.148</font></div><div class="gmail_default"><font face="monospace, monospace"> Subject Public Key Info:</font></div><div class="gmail_default"><font face="monospace, monospace"> Public Key Algorithm: rsaEncryption</font></div><div class="gmail_default"><font face="monospace, monospace"> Public-Key: (2048 bit)</font></div><div class="gmail_default"><font face="monospace, monospace"> Modulus:</font></div><div class="gmail_default"><font face="monospace, monospace"> 00:f1:c5:ba:5d:a7:a9:6d:5c:00:06:93:81:4a:11:</font></div><div class="gmail_default"><font face="monospace, monospace"> 92:b9:4f:80:31:8f:47:75:87:d7:05:dd:33:a8:c6:</font></div><div class="gmail_default"><font face="monospace, monospace"> f6:c8:4c:6d:32:ce:bd:25:25:43:4c:d1:10:4c:50:</font></div><div class="gmail_default"><font face="monospace, monospace"> ee:6b:b5:d4:1f:0f:aa:82:ea:b4:11:d3:98:66:c1:</font></div><div class="gmail_default"><font face="monospace, monospace"> 91:36:ff:7e:db:71:20:24:0c:cb:63:51:e0:eb:8f:</font></div><div class="gmail_default"><font face="monospace, monospace"> 80:43:62:1a:c6:6e:83:f8:20:d7:7a:47:51:de:87:</font></div><div class="gmail_default"><font face="monospace, monospace"> e2:5f:0c:4c:0e:ae:ec:97:1d:c6:ed:12:d2:4c:73:</font></div><div class="gmail_default"><font face="monospace, monospace"> 37:cf:ea:db:ea:f3:74:41:8e:a9:97:c8:79:a4:92:</font></div><div class="gmail_default"><font face="monospace, monospace"> d9:56:35:43:a5:b4:1d:fb:bc:16:ee:07:ce:99:6f:</font></div><div class="gmail_default"><font face="monospace, monospace"> 6a:93:13:10:da:18:4f:bc:30:da:90:15:16:99:d4:</font></div><div class="gmail_default"><font face="monospace, monospace"> ba:44:92:49:6e:d6:6b:9a:c3:4e:d3:0a:bb:d7:31:</font></div><div class="gmail_default"><font face="monospace, monospace"> aa:59:1a:8b:bd:8a:59:e9:0b:8d:2e:51:02:44:20:</font></div><div class="gmail_default"><font face="monospace, monospace"> 77:32:06:cf:c9:70:4c:9a:6b:ba:42:3f:da:3d:28:</font></div><div class="gmail_default"><font face="monospace, monospace"> 61:52:98:34:34:01:c9:77:00:fa:90:b0:ac:d6:ff:</font></div><div class="gmail_default"><font face="monospace, monospace"> 01:4e:05:4e:9f:4b:a4:71:a4:2d:bc:f6:67:fa:cf:</font></div><div class="gmail_default"><font face="monospace, monospace"> 1e:30:2d:85:12:3f:1d:4c:ba:73:81:86:94:92:32:</font></div><div class="gmail_default"><font face="monospace, monospace"> 56:29:a7:2e:4d:0b:87:1b:a6:4e:52:ce:9b:f3:d2:</font></div><div class="gmail_default"><font face="monospace, monospace"> 87:d5</font></div><div class="gmail_default"><font face="monospace, monospace"> Exponent: 65537 (0x10001)</font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 extensions:</font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 Basic Constraints:</font></div><div class="gmail_default"><font face="monospace, monospace"> CA:FALSE</font></div><div class="gmail_default"><font face="monospace, monospace"> Netscape Cert Type:</font></div><div class="gmail_default"><font face="monospace, monospace"> SSL Server</font></div><div class="gmail_default"><font face="monospace, monospace"> Netscape Comment:</font></div><div class="gmail_default"><font face="monospace, monospace"> Easy-RSA Generated Server Certificate</font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 Subject Key Identifier:</font></div><div class="gmail_default"><font face="monospace, monospace"> B1:60:43:05:B6:73:62:73:B4:53:3A:7B:08:AB:C1:6F:D3:22:3E:1D</font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 Authority Key Identifier:</font></div><div class="gmail_default"><font face="monospace, monospace"> keyid:BB:BC:B5:D7:19:19:E3:78:67:EE:E4:DF:FE:E8:97:EB:29:31:60:07</font></div><div class="gmail_default"><font face="monospace, monospace"> DirName:/CN=noamPlay3/OU=noamPlay3</font></div><div class="gmail_default"><font face="monospace, monospace"> serial:F0:90:EB:0D:FC:14:A2:BB</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 Extended Key Usage:</font></div><div class="gmail_default"><font face="monospace, monospace"> TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2</font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 Key Usage:</font></div><div class="gmail_default"><font face="monospace, monospace"> Digital Signature, Key Encipherment</font></div><div class="gmail_default"><font face="monospace, monospace"> Signature Algorithm: sha256WithRSAEncryption</font></div><div class="gmail_default"><font face="monospace, monospace"> 6a:4a:bf:51:ab:1e:70:c1:c1:2b:82:ad:61:f8:a4:e1:9a:45:</font></div><div class="gmail_default"><font face="monospace, monospace"> c4:d0:5a:d1:f0:97:4c:f1:48:33:a7:2d:d1:fa:01:d4:f2:6f:</font></div><div class="gmail_default"><font face="monospace, monospace"> 34:df:dc:ad:36:7b:2a:01:9d:5f:63:c8:04:9b:e9:80:da:e4:</font></div><div class="gmail_default"><font face="monospace, monospace"> ed:3e:b2:34:e9:15:b9:97:dc:4b:52:9c:c4:1e:12:a5:4c:28:</font></div><div class="gmail_default"><font face="monospace, monospace"> 7f:80:d0:f8:a6:7d:6f:bd:26:0f:c6:fe:50:a6:87:5f:80:9f:</font></div><div class="gmail_default"><font face="monospace, monospace"> 95:85:90:b6:77:9e:c5:38:7e:f2:ba:1a:ff:2a:42:f6:26:c1:</font></div><div class="gmail_default"><font face="monospace, monospace"> 98:31:e1:c8:23:ed:4f:ce:35:89:a7:f3:58:df:f4:97:2b:54:</font></div><div class="gmail_default"><font face="monospace, monospace"> a0:89:a0:f3:8c:77:a5:79:99:19:43:f8:b9:1d:cf:63:f7:5f:</font></div><div class="gmail_default"><font face="monospace, monospace"> 0c:98:18:76:a7:11:6c:e2:71:b9:94:bf:95:d9:7f:d9:2c:09:</font></div><div class="gmail_default"><font face="monospace, monospace"> 38:0f:74:d2:78:02:25:61:d6:a0:2f:b5:14:d6:a9:98:cc:3d:</font></div><div class="gmail_default"><font face="monospace, monospace"> 32:7a:34:0c:28:8d:da:ca:b0:c9:3c:e2:be:4b:44:9e:b0:70:</font></div><div class="gmail_default"><font face="monospace, monospace"> 2a:f2:4e:9f:9b:6a:7a:86:10:85:ab:33:2b:c7:10:3c:ee:9d:</font></div><div class="gmail_default"><font face="monospace, monospace"> a2:85:25:b1:1c:78:dd:fe:b4:37:ed:b8:c4:33:57:a7:72:1d:</font></div><div class="gmail_default"><font face="monospace, monospace"> 42:c3:9c:b7:ba:db:cf:c6:e1:12:e7:7e:8d:ff:55:c5:bc:6c:</font></div><div class="gmail_default"><font face="monospace, monospace"> a4:29:4f:5e</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span> </font></div><div class="gmail_default"><font face="monospace, monospace">The CA certificate:</font></div><div class="gmail_default"><font face="monospace, monospace">-------------------</font></div><div class="gmail_default"><font face="monospace, monospace">openssl x509 -text -noout -in /etc/xxx/globalCA.pem</font></div><div class="gmail_default"><font face="monospace, monospace">Certificate:</font></div><div class="gmail_default"><font face="monospace, monospace"> Data:</font></div><div class="gmail_default"><font face="monospace, monospace"> Version: 3 (0x2)</font></div><div class="gmail_default"><font face="monospace, monospace"> Serial Number: 17334613411045352123 (0xf090eb0dfc14a2bb)</font></div><div class="gmail_default"><font face="monospace, monospace"> Signature Algorithm: sha1WithRSAEncryption</font></div><div class="gmail_default"><font face="monospace, monospace"> Issuer: CN=noamPlay3, OU=noamPlay3</font></div><div class="gmail_default"><font face="monospace, monospace"> Validity</font></div><div class="gmail_default"><font face="monospace, monospace"> Not Before: Jul 9 13:58:30 2014 GMT</font></div><div class="gmail_default"><font face="monospace, monospace"> Not After : Jul 8 13:58:30 2024 GMT</font></div><div class="gmail_default"><font face="monospace, monospace"> Subject: CN=noamPlay3, OU=noamPlay3</font></div><div class="gmail_default"><font face="monospace, monospace"> Subject Public Key Info:</font></div><div class="gmail_default"><font face="monospace, monospace"> Public Key Algorithm: rsaEncryption</font></div><div class="gmail_default"><font face="monospace, monospace"> Public-Key: (2048 bit)</font></div><div class="gmail_default"><font face="monospace, monospace"> Modulus:</font></div><div class="gmail_default"><font face="monospace, monospace"> 00:c9:43:4b:cf:ba:8a:3c:61:e7:8a:0b:e7:08:10:</font></div><div class="gmail_default"><font face="monospace, monospace"> 06:3e:62:6d:ee:7f:a3:65:62:ad:cd:e2:c3:47:48:</font></div><div class="gmail_default"><font face="monospace, monospace"> b5:2d:98:5f:7e:78:da:83:d6:cd:6b:e1:4e:f5:00:</font></div><div class="gmail_default"><font face="monospace, monospace"> 95:5d:5d:73:40:dd:5f:f1:4d:25:ff:1c:58:0b:d3:</font></div><div class="gmail_default"><font face="monospace, monospace"> 12:65:f1:81:00:d8:0d:6e:43:25:fc:44:be:b2:ea:</font></div><div class="gmail_default"><font face="monospace, monospace"> 0b:03:ff:61:d0:64:23:ae:5b:51:b5:09:46:cf:40:</font></div><div class="gmail_default"><font face="monospace, monospace"> 7e:06:c9:8e:52:5b:bc:45:22:25:f8:7a:9b:10:a8:</font></div><div class="gmail_default"><font face="monospace, monospace"> 88:9f:d4:3f:1e:9d:50:0d:06:f7:5e:9f:66:dc:ca:</font></div><div class="gmail_default"><font face="monospace, monospace"> 75:e2:57:2d:1a:2a:18:16:bc:df:8e:1e:85:7c:cb:</font></div><div class="gmail_default"><font face="monospace, monospace"> c1:3f:1c:41:2e:15:42:74:1b:c0:b8:59:c1:55:94:</font></div><div class="gmail_default"><font face="monospace, monospace"> 1c:7b:54:57:4e:de:87:3e:ae:eb:a8:20:a4:c5:ed:</font></div><div class="gmail_default"><font face="monospace, monospace"> d2:4f:fe:82:1a:cf:f3:04:f6:d0:11:06:91:32:14:</font></div><div class="gmail_default"><font face="monospace, monospace"> e1:87:79:cf:e5:da:fd:ba:5f:12:14:d6:db:c7:0a:</font></div><div class="gmail_default"><font face="monospace, monospace"> d9:f3:16:e4:8f:16:aa:b8:f8:c6:d7:dd:03:08:b3:</font></div><div class="gmail_default"><font face="monospace, monospace"> 19:fc:1d:11:de:b9:fe:21:bd:7a:40:95:d5:20:88:</font></div><div class="gmail_default"><font face="monospace, monospace"> 30:9a:34:88:b4:19:1c:26:5a:10:05:af:65:95:7a:</font></div><div class="gmail_default"><font face="monospace, monospace"> ce:3e:ee:0d:68:9f:03:03:53:86:7f:0f:d5:30:c8:</font></div><div class="gmail_default"><font face="monospace, monospace"> 7b:d9</font></div><div class="gmail_default"><font face="monospace, monospace"> Exponent: 65537 (0x10001)</font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 extensions:</font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 Subject Key Identifier:</font></div><div class="gmail_default"><font face="monospace, monospace"> BB:BC:B5:D7:19:19:E3:78:67:EE:E4:DF:FE:E8:97:EB:29:31:60:07</font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 Authority Key Identifier:</font></div><div class="gmail_default"><font face="monospace, monospace"> keyid:BB:BC:B5:D7:19:19:E3:78:67:EE:E4:DF:FE:E8:97:EB:29:31:60:07</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace"> X509v3 Basic Constraints:</font></div><div class="gmail_default"><font face="monospace, monospace"> CA:TRUE</font></div><div class="gmail_default"><font face="monospace, monospace"> Signature Algorithm: sha1WithRSAEncryption</font></div><div class="gmail_default"><font face="monospace, monospace"> 21:a4:f4:dc:99:d2:5f:48:cb:4c:af:99:e9:72:fe:c9:17:55:</font></div><div class="gmail_default"><font face="monospace, monospace"> 38:d0:ff:f0:a1:d1:8f:d2:8a:17:55:1e:b6:12:1f:9e:9d:34:</font></div><div class="gmail_default"><font face="monospace, monospace"> d7:c8:3b:5d:d4:7e:8a:9b:5d:c8:ef:c4:1b:70:c4:2d:61:97:</font></div><div class="gmail_default"><font face="monospace, monospace"> 5f:42:5b:e3:11:d9:fe:bc:e8:4d:33:cf:ba:fc:7d:b9:2a:33:</font></div><div class="gmail_default"><font face="monospace, monospace"> da:ca:7b:34:a3:44:77:c8:1f:27:f3:bc:2d:68:8c:f8:41:b2:</font></div><div class="gmail_default"><font face="monospace, monospace"> 42:fd:04:38:96:32:b0:b2:16:00:cc:b0:6d:76:77:38:ff:c7:</font></div><div class="gmail_default"><font face="monospace, monospace"> 0d:39:ec:12:9f:d2:cd:35:0a:22:da:a3:db:01:37:67:e4:92:</font></div><div class="gmail_default"><font face="monospace, monospace"> 9b:39:db:8d:c3:e2:28:47:f9:1b:62:20:41:49:cf:60:2d:09:</font></div><div class="gmail_default"><font face="monospace, monospace"> f7:b8:e0:68:16:ba:be:b9:ed:4b:f5:3f:7d:97:5a:7a:6f:38:</font></div><div class="gmail_default"><font face="monospace, monospace"> f1:62:91:f8:19:37:e2:fa:8a:96:71:be:93:49:92:e8:20:9c:</font></div><div class="gmail_default"><font face="monospace, monospace"> dd:e5:25:00:67:2e:77:2a:29:66:40:42:63:fd:5d:17:29:21:</font></div><div class="gmail_default"><font face="monospace, monospace"> 1b:4a:c2:c6:71:8e:6d:7f:ee:a7:24:ac:97:96:54:a1:7f:a9:</font></div><div class="gmail_default"><font face="monospace, monospace"> 35:7b:be:f8:41:3b:82:62:29:4d:86:7e:8f:66:1e:51:fe:cf:</font></div><div class="gmail_default"><font face="monospace, monospace"> a6:39:d8:ed:61:e1:cb:a2:8e:61:7b:c0:c8:a8:92:ae:03:ac:</font></div><div class="gmail_default"><font face="monospace, monospace"> de:93:bf:fb</font></div><div class="gmail_default"><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span> </font></div><div class="gmail_default"><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span> </font></div><div class="gmail_default"><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span> </font></div><div class="gmail_default"><font face="monospace, monospace">I believe the related logs for the failure are the following:</font></div><div class="gmail_default"><font face="monospace, monospace">-------------------------------------------------------------</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">One side:</font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | handling event EVENT_v1_RETRANSMIT for state #2</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | processing connection "connST603/1x1"</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | handling event EVENT_v1_RETRANSMIT for 54.194.210.197 "connST603/1x1" #2 attempt 0 of 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: "connST603/1x1" #2: max number of retransmissions (8) reached STATE_MAIN_R2</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: "connST603/1x1" #2: deleting state #2 (STATE_MAIN_R2)</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | parent state #2: STATE_MAIN_R2(open-ike) > delete</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | state: #2 requesting to delete non existing event</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | unhashing state object #2</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | removing state 0x7f9ccfda9e70 entry 0x7f9ccfdaa4d8 next (nil) prev-next 0x7f9cce0e5338 from list</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | updated next entry is (nil)</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | removing state 0x7f9ccfda9e70 entry 0x7f9ccfdaa4f0 next (nil) prev-next 0x7f9cce0e54b8 from list</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | updated next entry is (nil)</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | parent state #2: STATE_MAIN_R2(open-ike) > STATE_UNDEFINED(ignore)</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | ignore states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | half-open-ike states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | open-ike states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | established-anonymous-ike states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | established-authenticated-ike states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | anonymous-ipsec states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | authenticated-ipsec states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | informational states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | unknown states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | category states: 0 count states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_skeyseed_nss: free key 0x7f9ccfda2720</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_skey_d_nss: free key 0x7f9cc00115f0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_skey_ai_nss: free key 0x7f9cc0015ab0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_skey_ar_nss: free key NULL</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_skey_ei_nss: free key 0x7f9cc0017330</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_skey_er_nss: free key NULL</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_skey_pi_nss: free key NULL</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_skey_pr_nss: free key NULL</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-195 pluto[16502]: | st->st_enc_key_nss: free key 0x7f9cc0018bb0</font></div><div class="gmail_default"><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span> </font></div><div class="gmail_default"><font face="monospace, monospace">Other side:<span style="white-space:pre-wrap"> </span> </font></div><div class="gmail_default"><font face="monospace, monospace"><br></font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | handling event EVENT_v1_RETRANSMIT for state #1</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | processing connection "connST603/1x1"</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | handling event EVENT_v1_RETRANSMIT for 54.194.188.148 "connST603/1x1" #1 attempt 1 of 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: "connST603/1x1" #1: max number of retransmissions (8) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: "connST603/1x1" #1: deleting state #1 (STATE_MAIN_I3)</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | parent state #1: STATE_MAIN_I3(open-ike) > delete</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | state: #1 requesting to delete non existing event</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | removing pending policy for "connST603/1x1" {0x7fdf350ed320}</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | unhashing state object #1</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | removing state 0x7fdf350e9f50 entry 0x7fdf350ea5b8 next (nil) prev-next 0x7fdf340f2338 from list</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | updated next entry is (nil)</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | removing state 0x7fdf350e9f50 entry 0x7fdf350ea5d0 next (nil) prev-next 0x7fdf340f24b8 from list</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | updated next entry is (nil)</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | parent state #1: STATE_MAIN_I3(open-ike) > STATE_UNDEFINED(ignore)</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | ignore states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | half-open-ike states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | open-ike states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | established-anonymous-ike states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | established-authenticated-ike states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | anonymous-ipsec states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | authenticated-ipsec states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | informational states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | unknown states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | category states: 0 count states: 0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_skeyseed_nss: free key 0x7fdf24006910</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_skey_d_nss: free key 0x7fdf240098e0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_skey_ai_nss: free key 0x7fdf2400b160</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_skey_ar_nss: free key NULL</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_skey_ei_nss: free key 0x7fdf2400c9e0</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_skey_er_nss: free key NULL</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_skey_pi_nss: free key NULL</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_skey_pr_nss: free key NULL</font></div><div class="gmail_default"><font face="monospace, monospace">Feb 1 12:53:01 ip-10-10-10-78 pluto[28151]: | st->st_enc_key_nss: free key 0x7fdf2400e260</font></div><div class="gmail_default"><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span> </font></div><div class="gmail_default"><br></div><div class="gmail_default"><br></div><div class="gmail_default"> <br></div></div><div><div><div dir="ltr"><div dir="ltr"><span><font color="#888888"></font></span></div></div></div></div>
</div>
</div></blockquote></div></div><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Swan mailing list</span><br><span><a href="mailto:Swan@lists.libreswan.org" target="_blank">Swan@lists.libreswan.org</a></span><br><span><a href="https://lists.libreswan.org/mailman/listinfo/swan" target="_blank">https://lists.libreswan.org/mailman/listinfo/swan</a></span><br></div></blockquote></div></blockquote></div><br></div>