<div dir="ltr">I updated my system to Ubuntu 16.04 (Linux 4.4.0-31-generic) and iproute2 4.5. <div>With a similar configuration, I got:</div><div>







<p class="gmail-p1"><span class="gmail-s1">002 "routed-vpn" #1: initiating Main Mode<br></span>104 "routed-vpn" #1: STATE_MAIN_I1: initiate<br>003 "routed-vpn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12<br>003 "routed-vpn" #1: received and ignored informational message<br>010 "routed-vpn" #1: STATE_MAIN_I1: retransmission; will wait 500ms for response<br>...<br>003 "routed-vpn" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12<br>003 "routed-vpn" #1: received and ignored informational message<br>031 "routed-vpn" #1: max number of retransmissions (8) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKEv1 message<br>000 "routed-vpn" #1: starting keying attempt 2 of at most 2, but releasing whack</p><p class="gmail-p1">Ipsec status shows the following:</p><p class="gmail-p1"><span class="gmail-s1">000 "routed-vpn": 0.0.0.0/0===192.168.0.20<192.168.0.20>...192.168.0.21<192.168.0.21>===0.0.0.0/0; unrouted; eroute owner: #0<br></span>000 "routed-vpn":     oriented; my_ip=unset; their_ip=unset<br>000 "routed-vpn":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]<br>000 "routed-vpn":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset, cat:unset;<br>000 "routed-vpn":   labeled_ipsec:no;<br>000 "routed-vpn":   policy_label:unset;<br>000 "routed-vpn":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2;<br>000 "routed-vpn":   retransmit-interval: 500ms; retransmit-timeout: 60s;<br>000 "routed-vpn":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;<br>000 "routed-vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;<br>000 "routed-vpn":   conn_prio: 0,0; interface: ens35; 
metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;<br>000 "routed-vpn":   nflog-group: unset; mark: 5/0xffffffff, 5/0xffffffff; vti-iface:vti01; vti-routing:no; vti-shared:no;<br>000 "routed-vpn":   newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000 "routed-vpn":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP4096(16)<br>000 "routed-vpn":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)-MODP4096(16)<br>000 "routed-vpn":   ESP algorithms wanted: AES(12)_128-SHA1(2)<br>000 "routed-vpn":   ESP algorithms loaded: AES(12)_128-SHA1(2)</p><p class="gmail-p1">Do you have any pointers on what's wrong here?</p><p class="gmail-p1">Thanks,<br>Xinwei</p></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Jul 9, 2016 at 1:06 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, 8 Jul 2016, Xinwei Hong wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Is it possible to provide the exact requirements for this feature? Which kernel version and which iproute2 version? We want to push this feature to our production and would need to do<br>
packaging ourselves. <br>
</blockquote>
<br></span>
If I had known it, I would have told you. I just know the versions we<br>
started testing with and those work for sure.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Also, we currently use racoon+netkey to do policy-based VPN and pluto+klips to do route-based VPN. With this new feature, will we be able to do both with pluto+netkey? How do we do<br>
policy-based VPN without racoon? <br>
</blockquote>
<br></span>
Yes you should be able to do both.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>