[Pkg-swan-devel] Bug#821286: strongswan: Cannot create ipsec tunnel after upgrade to 5.4

Andreas Tscharner andy at vis.ethz.ch
Sun Apr 17 10:42:30 UTC 2016


Package: strongswan
Version: 5.4.0-1
Severity: normal

Dear Maintainer,

I have used strongswan to create an ipsec tunnel for a VPN connection to my
company. After strongswan was upgraded to 5.4 the formerly working configuration
no longer works.

I get the following message:
initiating Main Mode IKE_SA vpn-metromec[1] to xxx.xxx.xxx.xxx
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from 192.168.0.12[500] to xxx.xxx.xxx.xxx[500] (212 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (248 bytes)
parsed ID_PROT response 0 [ SA V V V V V V V V V ]
received unknown vendor ID: f7:58:f2:26:68:75:0f:03:b0:8d:f6:eb:e1:d0:04:03
received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
received draft-ietf-ipsec-nat-t-ike-02 vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received draft-ietf-ipsec-nat-t-ike-03 vendor ID
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received unknown vendor ID: af:ca:d7:13:68:a1:f1:c9:6b:86:96:fc:77:57
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.0.12[500] to xxx.xxx.xxx.xxx[500] (236 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (220 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.0.12[4500] to xxx.xxx.xxx.xxx[4500] (92 bytes)
received packet: from xxx.xxx.xxx.xxx[500] to 192.168.0.12[500] (220 bytes)
received retransmit of response with ID 0, but next request already sent
received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.12[4500] (60 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA vpn-metromec[1] established between 192.168.0.12[192.168.0.12]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
scheduling reauthentication in 27872s
maximum IKE_SA lifetime 28412s
generating QUICK_MODE request 221974855 [ HASH SA No ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.0.12[4500] to xxx.xxx.xxx.xxx[4500] (220 bytes)
received packet: from xxx.xxx.xxx.xxx[4500] to 192.168.0.12[4500] (116 bytes)
parsed INFORMATIONAL_V1 request 503827175 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'vpn-metromec' failed

My ipsec.conf says:
conn vpn-metromec
     authby=secret
     rekey=yes
     keyingtries=3
     dpdaction=restart
     ikelifetime=8h
     keylife=1h
     keyexchange=ikev1
     ike=3des-md5-modp1024
     type=transport
     left=192.168.0.12
     leftsubnet=192.168.0.12[udp/1701]
     right=xxx.xxx.xxx.xxx
     rightsubnet=xxx.xxx.xxx.xxx[udp/1701]
     auto=add

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.5.0-1-amd64 (SMP w/12 CPU cores)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages strongswan depends on:
ii  strongswan-charon   5.4.0-1
ii  strongswan-starter  5.4.0-1

strongswan recommends no packages.

strongswan suggests no packages.

-- no debconf information


