<div><div>Good day, dear community.</div><div> </div><div>Andrew, you are right, the problem was in <strong>compress</strong>; after changing the value to <strong>no</strong>, the errors disappeared from the logs.</div><div> </div><div>Paul is right too. I switched to IKEv2, and everything worked for me. But there are nuances: the values of <strong>leftsubnet</strong> and <strong>rightsubnets</strong> must be entered manually, IPSec does not automatically receive these values. PSK+XAUTH cannot be configured in IKEv2. Authorization only by PSK or certificates. Also, after the <strong>ikelifetime</strong> time has elapsed, IPSec breaks and does not reconnect. I followed the advice at https://github.com/hwdsl2/setup-ipsec-vpn/issues/913 and set ikelifetime=24h, but I think that after 24 hours IPSec will also break and not reconnect.</div><div> </div><div>Below is my current working config:</div><div> </div><div><div><em>conn fortinet</em></div><div><em>    authby=secret</em></div><div><em>    pfs=yes</em></div><div><em>    auto=start</em></div><div><em>    rekey=yes</em></div><div><em>    left=%defaultroute</em></div><div><em>    leftid=@&lt;left_id&gt;</em></div><div><em>    leftsubnet=10.0.5.2/32</em></div><div><em>    leftmodecfgclient=yes</em></div><div><em>    right=&lt;public_ip_fortinet&gt;</em></div><div><em>    rightid=&lt;public_ip_fortinet&gt;</em></div><div><em>    rightsubnets=10.0.0.0/24,10.0.1.0/24,10.0.2.0/23,10.0.4.0/24,172.16.0.0/21</em></div><div><em>    rightmodecfgserver=yes</em></div><div><em>    modecfgpull=yes</em></div><div><em>    ignore-peer-dns=yes</em></div><div><em>    send-vendorid=yes</em></div><div><em>    dpddelay=3</em></div><div><em>    dpdtimeout=60</em></div><div><em>    dpdaction=restart</em></div><div><em>    fragmentation=yes</em></div><div><em>    encapsulation=yes</em></div><div><em>    ikev2=yes</em></div><div><em>    ipsec-interface=0</em></div><div><em>    keyexchange=ike</em></div><div><em>    ike=aes256-sha2_256;dh14</em></div><div><em>    
phase2=esp</em></div><div><em>    phase2alg=aes256-sha2_256;dh14</em></div><div><em>    salifetime=24h</em></div><div><em>    type=tunnel</em></div><div><em>    ikelifetime=24h</em></div><div><em>    mobike=yes</em></div><div><em>    narrowing=yes</em></div><div> </div></div></div><div> </div><div>10.05.2023, 20:51, "Andrew Cagney" &lt;andrew.cagney@gmail.com&gt;:</div><blockquote><blockquote> May 8 19:54:05.721213: ABORT: ASSERTION FAILED: switch (ue->state.id.proto) case 108 (0x6c) unexpected (netlink_kernel_sa_expire() +2011 /programs/pluto/kernel_xfrm.c)</blockquote><p><br />108 is compression; I'd disable compression in the config.<br /><br />I filed <a href="https://github.com/libreswan/libreswan/issues/1130" rel="noopener noreferrer">https://github.com/libreswan/libreswan/issues/1130</a></p></blockquote>
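An added example (not part of the original message and not libreswan code): a small Python check over an ipsec.conf conn section for the three points this message reports, namely compress=yes, XAUTH options combined with ikev2=yes, and missing subnets under IKEv2. The sample config and the names parse_conns and lint are constructed for illustration; the checks reflect what the thread reports, not an official rule set.

```python
import re

# Constructed sample, deliberately showing all three problems.
SAMPLE = """\
conn fortinet
    authby=secret
    ikev2=yes
    compress=yes
    leftxauthclient=yes
    leftsubnet=10.0.5.2/32
    # rightsubnets deliberately missing
    ikelifetime=24h
"""

def parse_conns(text):
    """Return {conn_name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and raw[:1] in " \t" and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None                        # other section, e.g. "config setup"
    return conns

def lint(opts):
    """Flag the issues described in the thread for one conn's options."""
    findings = []
    if opts.get("compress", "no").lower() == "yes":
        findings.append("compress=yes: thread reports a pluto assertion "
                        "on proto 108; set compress=no")
    if opts.get("ikev2", "").lower() in ("yes", "insist"):
        xauth = sorted(k for k in opts if "xauth" in k)
        if xauth:
            findings.append("XAUTH options with ikev2=yes: " + ", ".join(xauth))
        for side in ("left", "right"):
            if not any(k in opts for k in (side + "subnet", side + "subnets")):
                findings.append(side + "subnet(s) not set")
    return findings

if __name__ == "__main__":
    for name, opts in parse_conns(SAMPLE).items():
        for finding in lint(opts):
            print(name + ": " + finding)
```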