[Openswan Users] State diagram?

Paul Wouters paul at nohats.ca
Sun Nov 24 17:40:04 UTC 2013

On Sun, 24 Nov 2013, Markus Falb wrote:

>> I'm having trouble setting up a VPN between two machines that are behind NAT firewalls (one is an Amazon EC2 instance).  I'm having trouble interpreting the error messages - I don't understand what the states reported actually mean - is there a diagram anywhere of what the transitions are between the states, and what the IP addresses used at each point are?
>> E.g. something like:
>> Initiator: STATE_MAIN_I1 - packet sent from "left" to "right" with source set to "blah"
>> Receiver: Waits for STATE_MAIN_I1 packet, expects source to be "blah" etc.
>> I'm getting stuck at STATE_MAIN_I3, but I'm not sure what should be happening at this stage: whether it is a routing issue or just misconfigured IP addresses.
> The lack of responses could indicate that IPSec is complicated and much more complicated to describe.

Or that openswan is not as actively developed and supported anymore
compared to libreswan or strongswan .....

If you got to STATE_MAIN_I3, it means some packets flowed between the
two endpoints. It could be an MTU / IKE packet size issue, especially
if using X.509 certificates.

Openswan does not support IKE fragmentation[*], but libreswan and strongswan do.

Posting more logging would help diagnosis.

[*] I've backported the libreswan IKE fragmentation support to openswan for
RHEL 6.5 which was released a few days ago.
Libreswan Developer - https://libreswan.org/
Red Hat Security - http://people.redhat.com/pwouters/
Personal Blog - https://nohats.ca/
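As an added illustration of the state table the original question asks for (this is example code, not from the thread or from openswan): it maps each openswan STATE_MAIN_I* state to what the initiator has already sent and is waiting for, and scans constructed pluto log lines to report where the handshake stalled. It assumes the Main Mode message contents of RFC 2409 and the NAT-T port switch of RFC 3947.

```python
import re

# Added example: what the IKEv1 Main Mode initiator (RFC 2409) has sent and is
# waiting for in each openswan STATE_MAIN_I* state, plus a diagnostic hint for a
# stall (retransmits with no reply) in that state.
MAIN_MODE_I = {
    "STATE_MAIN_I1": ("MI1: SA proposal, cleartext on UDP/500", "MR1",
                      "no MR1: UDP/500 not reaching the peer, or its reply is dropped"),
    "STATE_MAIN_I2": ("MI2: KE + nonce + NAT-D", "MR2",
                      "no MR2: KE/nonce exchange lost in transit"),
    "STATE_MAIN_I3": ("MI3: ID + CERT + SIG, first encrypted message", "MR3",
                      "no MR3: MI3/MR3 carry X.509 certs and are the largest messages; "
                      "with NAT-T they switch to UDP/4500 (RFC 3947). Check UDP "
                      "fragmentation/MTU and UDP/4500 forwarding"),
    "STATE_MAIN_I4": ("nothing, ISAKMP SA established", "Quick Mode", ""),
}

STATE_RE = re.compile(r"STATE_MAIN_[IR]\d")
SA_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+):')

def analyze(lines):
    """Return per (conn, SA#): last state, retransmit count, sent/expects, hint."""
    sas = {}
    for line in lines:
        m = SA_RE.match(line)
        if not m:
            continue
        key = (m["conn"], int(m["sa"]))
        entry = sas.setdefault(key, {"state": None, "retransmits": 0})
        states = STATE_RE.findall(line)
        if states:
            entry["state"] = states[-1]   # transition lines name old state, then new
        if "retransmitting" in line:
            entry["retransmits"] += 1
    for entry in sas.values():
        sent, expects, stall = MAIN_MODE_I.get(entry["state"], ("?", "?", ""))
        entry.update(sent=sent, expects=expects,
                     hint=stall if entry["retransmits"] else "progressing")
    return sas

# Constructed sample pluto log lines (not output from the poster's system).
SAMPLE = [
    '"ec2" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2',
    '"ec2" #1: STATE_MAIN_I2: sent MI2, expecting MR2',
    '"ec2" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3',
    '"ec2" #1: STATE_MAIN_I3: sent MI3, expecting MR3',
    '"ec2" #1: STATE_MAIN_I3: retransmitting ISAKMP message, retransmission count: 1',
    '"ec2" #1: STATE_MAIN_I3: retransmitting ISAKMP message, retransmission count: 2',
]
```

Run `analyze(SAMPLE)` to see the stalled SA reported in STATE_MAIN_I3 with the fragmentation/UDP-4500 hint; feed it real pluto log lines from both peers to compare which messages each side saw.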