I'm having a problem connecting to a VPN using strongSwan and I cannot find any resource online that solves the problem. It seems to me that the IPsec phase 1 connection is fine but phase 2 fails, since right after "initiating Aggressive Mode IKE_SA work[2] to <vpn_ip_address>" I get "establishing connection 'work' failed".
I'm using the right PSK in ipsec.secrets, because when I test the connection using an Android app it works.
My ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

config setup
        # basic configuration

conn %default
        ikelifetime=3h
        keylife=20
        rekeymargin=1
        keyexchange=ikev1
        keyingtries=3
        modeconfig=pull
        aggressive=yes
        xauth=client
        closeaction=restart

conn work
        left=192.168.21.45
        leftid=home
        leftauth=psk
        leftauth2=xauth
        xauth_identity=<my_username>
        leftsendcert=never
        right=<vpn_ip_address>
        rightid=<vpn_ip_address>
        rightauth=psk
        auto=add
        #ike=aes128-sha1-modp1536!
        #esp=aes128-sha1-modp1536!
        ike=aes128-sha1-modp1536,aes128-sha1-modp1536,3des-sha1-modp1536,3des-sha1-modp1536!
        esp=aes128-sha1-modp1536,aes128-sha1-modp1536,3des-sha1-modp1536,3des-sha1-modp1536!
and my log output:
initiating Aggressive Mode IKE_SA work[1] to <vpn_ip_address>
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.21.45[500] to <vpn_ip_address>[500] (524 bytes)
received packet: from <vpn_ip_address>[500] to 192.168.21.45[500] (500 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received XAuth vendor ID
received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
received FRAGMENTATION vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.21.45[4500] to <vpn_ip_address>[4500] (108 bytes)
received packet: from <vpn_ip_address>[4500] to 192.168.21.45[4500] (76 bytes)
parsed TRANSACTION request 3388019831 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 3388019831 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.21.45[4500] to <vpn_ip_address>[4500] (108 bytes)
received packet: from <vpn_ip_address>[4500] to 192.168.21.45[4500] (76 bytes)
parsed TRANSACTION request 1716392366 [ HASH CPS(X_STATUS) ]
XAuth authentication of '<my_username>' (myself) successful
IKE_SA work[1] established between 192.168.21.45[home]...<vpn_ip_address>[<vpn_ip_address>]
scheduling reauthentication in 10799s
maximum IKE_SA lifetime 10800s
generating TRANSACTION response 1716392366 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.21.45[4500] to <vpn_ip_address>[4500] (76 bytes)
generating QUICK_MODE request 2683793279 [ HASH SA No KE ID ID ]
sending packet: from 192.168.21.45[4500] to <vpn_ip_address>[4500] (396 bytes)
received packet: from <vpn_ip_address>[4500] to 192.168.21.45[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 1993870300 [ HASH D ]
received DELETE for IKE_SA work[1]
deleting IKE_SA work[1] between 192.168.21.45[home]...<vpn_ip_address>[<vpn_ip_address>]
initiating Aggressive Mode IKE_SA work[2] to <vpn_ip_address>
establishing connection 'work' failed
Why is the client receiving a DELETE for the IKE_SA, and is this the reason why establishing the phase 2 connection fails?
Any help would be greatly appreciated.
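As an added illustration (not written by the question's author and not part of strongSwan), the following Python script reads charon log lines like the ones above and reports which IKEv1 milestone the negotiation reached before it stopped. The sample log embedded in it is an excerpt of the output posted in the question, with the poster's placeholders left in place; the milestone names and the `Ikev1Trace` fields are this example's own choices. It also records whether the QUICK_MODE request carried a KE payload, which in IKEv1 Quick Mode means PFS is being proposed (here from the modp1536 group in the esp= line).

```python
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the charon log from the question above,
# with the poster's placeholders (<vpn_ip_address>, <my_username>) kept as-is.
SAMPLE_LOG = """\
initiating Aggressive Mode IKE_SA work[1] to <vpn_ip_address>
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V V ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
local host is behind NAT, sending keep alives
XAuth authentication of '<my_username>' (myself) successful
IKE_SA work[1] established between 192.168.21.45[home]...<vpn_ip_address>[<vpn_ip_address>]
generating QUICK_MODE request 2683793279 [ HASH SA No KE ID ID ]
parsed INFORMATIONAL_V1 request 1993870300 [ HASH D ]
received DELETE for IKE_SA work[1]
deleting IKE_SA work[1] between 192.168.21.45[home]...<vpn_ip_address>[<vpn_ip_address>]
initiating Aggressive Mode IKE_SA work[2] to <vpn_ip_address>
establishing connection 'work' failed
"""


@dataclass
class Ikev1Trace:
    """Milestones the client-side log shows for one connection."""
    conn: str = ""
    attempts: int = 0              # number of "initiating ..." lines seen
    ike_proposal: str = ""         # phase 1 proposal the peer accepted
    behind_nat: bool = False
    xauth_ok: bool = False
    ike_sa_established: bool = False
    quick_mode_sent: bool = False
    pfs_proposed: bool = False     # KE payload present in the Quick Mode request
    quick_mode_answered: bool = False
    delete_received: bool = False
    failed: bool = False


# (event name, regex matched against a single charon log line)
RULES = [
    ("init",        re.compile(r"initiating Aggressive Mode IKE_SA (\w+)\[\d+\]")),
    ("proposal",    re.compile(r"selected proposal: IKE:(\S+)")),
    ("nat",         re.compile(r"local host is behind NAT")),
    ("xauth",       re.compile(r"XAuth authentication of '[^']*' \(myself\) successful")),
    ("established", re.compile(r"IKE_SA \w+\[\d+\] established")),
    ("qm_request",  re.compile(r"generating QUICK_MODE request \d+ \[([^\]]*)\]")),
    ("qm_response", re.compile(r"parsed QUICK_MODE response")),
    ("delete",      re.compile(r"received DELETE for IKE_SA")),
    ("failed",      re.compile(r"establishing connection '\w+' failed")),
]


def parse_charon_log(text: str) -> Ikev1Trace:
    """Walk the log once and record which IKEv1 milestones were reached."""
    t = Ikev1Trace()
    for line in text.splitlines():
        for name, rx in RULES:
            m = rx.search(line)
            if not m:
                continue
            if name == "init":
                t.conn = m.group(1)
                t.attempts += 1
            elif name == "proposal":
                t.ike_proposal = m.group(1)
            elif name == "nat":
                t.behind_nat = True
            elif name == "xauth":
                t.xauth_ok = True
            elif name == "established":
                t.ike_sa_established = True
            elif name == "qm_request":
                t.quick_mode_sent = True
                # In IKEv1 Quick Mode a KE payload is only sent when PFS is used.
                t.pfs_proposed = "KE" in m.group(1).split()
            elif name == "qm_response":
                t.quick_mode_answered = True
            elif name == "delete":
                t.delete_received = True
            elif name == "failed":
                t.failed = True
    return t


def diagnose(t: Ikev1Trace) -> str:
    """Name the point at which the negotiation stopped (labels are this example's own)."""
    if not t.ike_sa_established:
        return "phase1_failed"
    if t.quick_mode_answered:
        return "phase2_negotiated"
    if t.quick_mode_sent and t.delete_received:
        # Peer tore the IKE_SA down after our Quick Mode proposal, before answering it.
        return "phase2_rejected_by_peer"
    if t.quick_mode_sent:
        return "phase2_no_response"
    return "phase1_only"


if __name__ == "__main__":
    trace = parse_charon_log(SAMPLE_LOG)
    print(f"conn={trace.conn} attempts={trace.attempts} ike={trace.ike_proposal}")
    print(f"xauth_ok={trace.xauth_ok} pfs_proposed={trace.pfs_proposed}")
    print("result:", diagnose(trace))
```

Run it against the complete charon output of an `ipsec up work` attempt rather than the excerpt. On the log in the question it reports phase2_rejected_by_peer: phase 1 and XAuth complete, the client's only phase 2 message is the QUICK_MODE request, and the next thing the gateway sends is a DELETE for the IKE_SA instead of a QUICK_MODE response. That is the sequence behind "establishing connection 'work' failed"; the client log only shows that the gateway declined the Quick Mode proposal, so the gateway's own log is where the reason for the rejection would appear.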