<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.0.10">
</HEAD>
<BODY>
On Tue, 2005-09-13 at 16:20, Paul Wouters wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE><FONT COLOR="#737373"><I>On Tue, 13 Sep 2005, Albert Agustí wrote:
> (openswan), but a lot of messages of QI get on the log at central site.
> Openswan sistem is unable to negotiate the tunnels (for all connections,
> log shows a lot of line like those)
>
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: max number of
> retransmissions (2) reached STATE_QUICK_I1
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: starting
> keying attempt 206 of an unlimited number
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13226: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #13194 {using isakmp#12748}
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: ignoring
> informational payload, type NO_PROPOSAL_CHOSEN
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: received and
> ignored informational message
>
It seems like the Cisco is configured more specifically then Openswan.
So when the Cisco initiates, openswan responds fine, but when openswan
rekeys or initiates, the cisco does not allow that proposal. This can
happen when the Cisco is using PFS=yes, while openswan uses PFS=no. Since
openswan always allows PFS, even if it is set to "no", but it will use
the setting in its request when sending.
So double check your configuration for such discrependancies. Also,
Openswan normally starts asking for aes, then 3des. If the Cisco just says
"no" at the first proposal, you won't be able to send it another proposal.
To avoid this issue, use the ike= and esp= lines to send the exact matching
proposal as the first proposal to the Cisco.
Paul</I></FONT></PRE>
</BLOCKQUOTE>
<BR>
Thanks a lot Paul, <BR>
<BR>
Solved only with line esp=3des in ipsec.conf al tunnel definitions, so You where right. I'm a bit surprised because I checked cisco configurations and exact routers behave different in that sense. Changed from openswan 2.2.0 to 2.3.0 (first offer).<BR>
<BR>
Were that continuos retransmissions the cause of message logs like this ? <BR>
<BR>
<FONT COLOR="#737373"><TT>can not start crypto helper: failed to find any available worker</FONT><BR>
<BR>
Best regards<BR>
Albert Agustí</TT>
<BR>
<br><br><br><font color="#333333" size="1"><b>Avís
important</b>:</font><font color="#666666"
size="1"> Aquest missatge i qualsevol fitxer adjunt contenen
informació confidencial d'ús exclusiu per al
destinatari. Si vostè ha rebut aquest correu
electrònic per error, l'informem que està
totalment prohibida la divulgació, còpia o
distribució i li preguem que ho notifiqui i que l'esborri
immediatament. Gràcies per la seva
col·laboració.</font><font
color="#333333" size="1"> <b>Aviso importante</b></font><font
color="#666666" size="1">: Este mensaje y cualquier
fichero adjunto contiene información confidencial de uso
exclusivo para el destinatario. Si usted ha recibido el mensaje por
error, le informamos que está totalmente prohibida su
divulgación, copia o distribución y le rogamos
que lo notifique y que lo borre inmediatamente. Gracias por su
colaboración</font><font size="1">. </font><font
color="#333333" size="1"><b>Important notice</b></font><font
color="#666666" size="1">: This message and any files
transmitted with it are confidential and intended solely for the
individual to whom it is addressed. Unauthorized publication, use,
dissemination, forwarding, printing or copying of this email and its
associated attachments is strictly prohibited. If you have received
this email in error, please notify the sender and delete the original
immediately. Thank you for your cooperation</font>
<BR>
</BODY>
</HTML>