# openswan 2.4.9-r1: pluto ASSERTION FAILED

## David E

I am seeing the output listed below from ipsec verify. Since this is my first time trying to set up a VPN, this problem is likely due to a configuration error, so I figured I'd ask for help here before filing a bug.

```
# ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]

Linux Openswan U2.4.9/K2.6.23-gentoo-r6 (netkey)

Checking for IPsec support in kernel                            [OK]

NETKEY detected, testing for disabled ICMP send_redirects       [OK]

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]

Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [OK]

Checking that pluto is running                                  [FAILED]

  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)

Checking for 'ip' command                                       [OK]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:

   Looking for TXT in forward dns zone: localhost               [MISSING]

   Does the machine have at least one non-private address?      [OK]

   Looking for TXT in reverse dns zone: 38.167.243.130.in-addr.arpa.    [MISSING]
```

I believe that this is caused by pluto hitting this assertion: "localhost pluto[21512]: ASSERTION FAILED at kernel_alg.c:264: buflen>0". Does anyone know what is causing the assertion failure, and a solution/workaround for it?

```
 /var/log/messages:
...
Feb  5 04:17:52 localhost pluto[21512]: | pfkey_lib_debug:pfkey_msg_parse: extensions permitted=00000001, seen=00000001, required=00000001.
Feb  5 04:17:52 localhost pluto[21512]: | finish_pfkey_msg: SADB_REGISTER message 2 for ESP
Feb  5 04:17:52 localhost pluto[21512]: |   02 07 00 03  02 00 00 00  02 00 00 00  08 54 00 00
Feb  5 04:17:52 localhost pluto[21512]: | pfkey_get: SADB_REGISTER message 2
Feb  5 04:17:52 localhost pluto[21512]: | alg_init():memset(0x6ad200, 0, 2016) memset(0x6ad9e0, 0, 2048)
Feb  5 04:17:52 localhost pluto[21512]: ASSERTION FAILED at kernel_alg.c:264: buflen>0
Feb  5 04:17:52 localhost pluto[21512]: %myid = (none)
Feb  5 04:17:52 localhost pluto[21512]: debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
Feb  5 04:17:52 localhost pluto[21512]:
Feb  5 04:17:52 localhost pluto[21512]:
Feb  5 04:17:52 localhost pluto[21512]: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
...
```

My setup:

openswan 2.4.9-r1

2.6.23-gentoo-r6

```
$ grep NET .config | grep -v ^#

CONFIG_NET=y

CONFIG_NET_KEY=m

CONFIG_INET=y

CONFIG_INET_AH=m

CONFIG_INET_ESP=m

CONFIG_INET_IPCOMP=m

CONFIG_INET_XFRM_TUNNEL=m

CONFIG_INET_TUNNEL=m

CONFIG_INET_XFRM_MODE_TRANSPORT=m

CONFIG_INET_XFRM_MODE_TUNNEL=m

CONFIG_INET_DIAG=y

CONFIG_INET_TCP_DIAG=y

CONFIG_SCSI_NETLINK=y

CONFIG_NETDEVICES=y

CONFIG_NETDEV_1000=y

```

```

/etc/ipsec/ipsec.conf

config setup

        plutodebug=all

        nat_traversal=yes

include /etc/ipsec/bla.conf

```

```

/etc/ipsec/bla.conf

conn bla

        left=%defaultrout

        leftid=XXX.XXX.XXX.XXX

        right=bla.org

        rightsubnet=192.168.27.0/24

        rightid=@bla.org

        auto=start

        aggrmode=yes

        authby=secret

        pfs=no

        ike=3des-sha1-modp1024
```

```

/etc/ipsec/ipsec.secure

XXX.XXX.XXX.XXX @bla.org : PSK "XXXX"

```

Thanks,

David

----------

## xanthax

I got exactly the same problem, anyone got any ideas ???

EDIT:

Got this in message log

```

Feb 28 21:00:58 router pluto[16947]: adding interface eth0/eth0 [server-ip]:500

Feb 28 21:00:58 router pluto[16947]: adding interface eth0/eth0 [server-ip]:4500

Feb 28 21:00:58 router pluto[16947]: loading secrets from "/etc/ipsec/ipsec.secrets"

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: initiating Main Mode

Feb 28 21:00:58 router ipsec__plutorun: 104 "local-kp" #1: STATE_MAIN_I1: initiate

Feb 28 21:00:58 router ipsec__plutorun: ...could not start conn "local-kp"

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: ignoring unknown Vendor ID payload [8f9cc94e01248ecdf147594c284b213b]

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] method set to=107

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 107

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: STATE_MAIN_I2: sent MI2, expecting MR2

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: I did not send a certificate because I do not have one.

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: STATE_MAIN_I3: sent MI3, expecting MR3

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: Main mode peer ID is ID_IPV4_ADDR: '[server-ip]'

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4

Feb 28 21:00:58 router pluto[16947]: "local-kp" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sh$

Feb 28 21:00:58 router pluto[16947]: "local-kp" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}

Feb 28 21:00:59 router pluto[16947]: "local-kp" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2

Feb 28 21:00:59 router pluto[16947]: "local-kp" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xdd53656c <0x88d1aee0 xfrm=3DES_0-HMAC_SHA1 NATD=n$

Feb 28 21:01:40 router pluto[16947]: "local-kp" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x04656705) not found (maybe expired)

Feb 28 21:01:40 router pluto[16947]: "local-kp" #1: received and ignored informational message

Feb 28 21:07:05 router pluto[16947]: packet from [ext-server-ip]:500: Informational Exchange is for an unknown (expired?) SA

Feb 28 21:07:05 router pluto[16947]: "local-kp" #1: received Delete SA payload: deleting ISAKMP State #1

Feb 28 21:07:05 router pluto[16947]: packet from [ext-server-ip]:500: received and ignored informational message

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: ignoring unknown Vendor ID payload [8f9cc94e01248ecdf147594c284b213b]

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] method set to=107

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: responding to Main Mode

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: STATE_MAIN_R1: sent MR1, expecting MI2

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: STATE_MAIN_R2: sent MR2, expecting MI3

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: Main mode peer ID is ID_IPV4_ADDR: '[ext-server-ip]'

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: I did not send a certificate because I do not have one.

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

Feb 28 21:07:09 router pluto[16947]: "local-kp" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 $

Feb 28 21:07:09 router pluto[16947]: "local-kp" #4: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION

Feb 28 21:07:09 router pluto[16947]: "local-kp" #4: sending encrypted notification NO_PROPOSAL_CHOSEN to [ext-server-ip]:500

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: ASSERTION FAILED at ikev1_quick.c:1847: st->st_connection != NULL

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: interface eth0/eth0 [server-ip]

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: interface eth0/eth0 [server-ip]

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: interface lo/lo 127.0.0.1

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: interface lo/lo 127.0.0.1

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: interface eth1/eth1 192.168.0.1

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: interface eth1/eth1 192.168.0.1

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: %myid = (none)

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: debug none

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500:

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysiz$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500:

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500:

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500:

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: "local-kp": 192.168.0.0/24===[server-ip]---90.225.75.129...90.225.75.129---80.252.220.$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: "local-kp":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: "local-kp":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%;$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: "local-kp":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: es$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: "local-kp":   newest ISAKMP SA: #3; newest IPsec SA: #2;

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: "local-kp":   IKE algorithm newest: AES_CBC_128-MD5-MODP1024

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500:

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: #2: "local-kp":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in $

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: #2: "local-kp" esp.dd53656c@[ext-server-ip] esp.88d1aee0@[server-ip] tun.0@[ext-server-ip]$

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: #3: "local-kp":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in $

Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500:

Feb 28 21:07:09 router ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 237: 16947 Aborted                 /usr/libexec/ipsec/pluto --nofork --secretsfile /e$

Feb 28 21:07:09 router ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)

Feb 28 21:07:09 router ipsec__plutorun: restarting IPsec after pause...

Feb 28 21:07:19 router rc-scripts: ERROR: wrong args ( _autorestart )

Feb 28 21:07:19 router rc-scripts: Usage: ipsec { start|stop|restart }

Feb 28 21:07:19 router rc-scripts:        ipsec without arguments for full help

```

*I only edited out my IP*

And it looks like the link goes up for a while but then closes...

----------

## xanthax

Looks like the problem is in our "ipsec.secrets" ???

When I remove my PSK string that is formed like this:

[myip] [remoteip]: PSK "PSK-STRING"

and only use the RSA, it works ???

Any ideas ?

EDIT:

It only worked for a while and now I get the same error...

and I'm using the following versions...

net-misc/openswan-2.4.9-r1

sys-apps/gawk-3.1.5-r5

----------

## xanthax

Oki, since I still can't get this problem fixed I need help.

I start IPSEC and it all looks fine

```
router ~ # /etc/init.d/ipsec start

 * Starting IPSEC ... ...

ipsec_setup: Starting Openswan IPsec U2.4.9/K2.6.23-gentoo-r9...          [ ok ]
```

I do an ipsec verify and it all looks good.

```
router ~ # ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]

Linux Openswan U2.4.9/K2.6.23-gentoo-r9 (netkey)

Checking for IPsec support in kernel                            [OK]

NETKEY detected, testing for disabled ICMP send_redirects       [OK]

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]

Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [OK]

Checking that pluto is running                                  [OK]

Two or more interfaces found, checking IP forwarding            [OK]

Checking NAT and MASQUERADEing

Checking for 'ip' command                                       [OK]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption Support                                [DISABLED]
```

After waiting a while before retyping ipsec verify I get this ???

```
router ~ # ipsec verify

Checking your system to see if IPsec got installed and started correctly:

Version check and ipsec on-path                                 [OK]

Linux Openswan U2.4.9/K2.6.23-gentoo-r9 (netkey)

Checking for IPsec support in kernel                            [OK]

NETKEY detected, testing for disabled ICMP send_redirects       [OK]

NETKEY detected, testing for disabled ICMP accept_redirects     [OK]

Checking for RSA private key (/etc/ipsec/ipsec.secrets)         [OK]

Checking that pluto is running                                  [FAILED]

  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)

Two or more interfaces found, checking IP forwarding            [FAILED]

  whack: is Pluto running?  connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)

Checking NAT and MASQUERADEing

Checking for 'ip' command                                       [OK]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption Support                                [DISABLED]
```

and all I can see as errors in the logs are these

```
Feb 29 11:35:50 router pluto[6203]: packet from [ext-server-ip]:500: ASSERTION FAILED at ikev1_quick.c:1814: st->st_connection != NULL
```

```
Feb 29 11:35:50 router ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 237:  6203 Aborted                  /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec/ipsec.secrets --ipsecdir /etc/ipsec/ipsec.d --debug-all --use-auto --uniqueids --nat_traversal --nhelpers 0

Feb 29 11:35:50 router ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)

Feb 29 11:35:50 router ipsec__plutorun: restarting IPsec after pause...

Feb 29 11:36:00 router rc-scripts: ERROR: wrong args ( _autorestart )

Feb 29 11:36:00 router rc-scripts: Usage: ipsec { start|stop|restart }

Feb 29 11:36:00 router rc-scripts:        ipsec without arguments for full help

Feb 29 11:40:01 router cron[6391]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons )
```

And here comes the confs:

/etc/ipsec/ipsec.conf

```
# basic configuration

config setup

        plutodebug=all

        nat_traversal=yes

        nhelpers=0

#Disable Opportunistic Encryption

include /etc/ipsec/ipsec.d/examples/no_oe.conf

conn local-kp

        left=[server-ip]

        leftsubnet=192.168.0.0/24

        leftnexthop=%defaultroute

        right=[ext-server-ip]

        rightsubnet=192.168.100.0/24

        rightnexthop=%defaultroute

        authby=secret

        auto=start

        keyexchange=ike

        ikelifetime=480m

        keylife=60m

        compress=no

```

And the link seems to go up for just a short while and then go down again...

Hoping for help....

----------
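A log-triage sketch for the crashes quoted in this thread, added here as an example and not written by any poster or by the Openswan project: it pulls each pluto `ASSERTION FAILED` line out of syslog, keeps the last messages logged by the same PID, records the peer when the assertion fired while handling a received packet, and notes whether `_plutorun` reported that PID aborted. The sample log is constructed from lines quoted above, and the function and field names are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample, modelled on the syslog lines quoted in the thread.
SAMPLE_LOG = """\
Feb 28 21:07:09 router pluto[16947]: "local-kp" #4: we require PFS but Quick I1 SA specifies no GROUP_DESCRIPTION
Feb 28 21:07:09 router pluto[16947]: "local-kp" #4: sending encrypted notification NO_PROPOSAL_CHOSEN to [ext-server-ip]:500
Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: ASSERTION FAILED at ikev1_quick.c:1847: st->st_connection != NULL
Feb 28 21:07:09 router pluto[16947]: packet from [ext-server-ip]:500: debug none
Feb 28 21:07:09 router ipsec__plutorun: /usr/lib/ipsec/_plutorun: line 237: 16947 Aborted   /usr/libexec/ipsec/pluto --nofork
Feb 28 21:07:09 router ipsec__plutorun: !pluto failure!:  exited with error status 134 (signal 6)
Feb  5 04:17:52 localhost pluto[21512]: | pfkey_get: SADB_REGISTER message 2
Feb  5 04:17:52 localhost pluto[21512]: ASSERTION FAILED at kernel_alg.c:264: buflen>0
"""

PLUTO = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
                   r"pluto\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
ASSERT = re.compile(r"ASSERTION FAILED at (?P<file>[\w.]+):(?P<line>\d+): (?P<expr>.+)$")
PEER = re.compile(r"^packet from (?P<peer>\S+): ")
ABORT = re.compile(r"_plutorun: line \d+:\s*(?P<pid>\d+) Aborted")


def triage(log_text, context=2):
    """Return one finding per pluto assertion, with per-PID context."""
    history = defaultdict(lambda: deque(maxlen=context))  # last msgs per PID
    findings, by_pid = [], {}
    for raw in log_text.splitlines():
        abort = ABORT.search(raw)
        if abort:
            # The wrapper script names the PID of the daemon that died.
            if abort["pid"] in by_pid:
                by_pid[abort["pid"]]["aborted"] = True
            continue
        m = PLUTO.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        hit = ASSERT.search(msg)
        if not hit:
            history[pid].append(msg)
            continue
        peer = PEER.match(msg)
        finding = {
            "ts": m["ts"], "host": m["host"], "pid": pid,
            "file": hit["file"], "line": int(hit["line"]), "expr": hit["expr"],
            # Set when the assertion fired while processing a peer's packet.
            "peer": peer["peer"] if peer else None,
            "context": list(history[pid]),
            "aborted": False,
        }
        findings.append(finding)
        by_pid[pid] = finding
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} pluto[{f['pid']}] {f['file']}:{f['line']} "
              f"({f['expr']}) peer={f['peer']} aborted={f['aborted']}")
        for line in f["context"]:
            print("    before:", line)
```
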

