Hi Paul,<br>
<br>
Finally I got my IPsec tunnel established. Phew!<br>
<br>
But this time I used 2.6.9 and 2.6.10 Fedora systems, and both the ISAKMP and IPsec SAs got established without a hitch.<br>
<br>
======================================================================================<br>
<br>
000 "calvin": 172.22.65.0/24===172.22.65.226...172.22.65.56===172.22.65.0/24; erouted; eroute owner: #2<br>
000 "calvin": srcip=unset; dstip=unset<br>
000 "calvin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>
000 "calvin": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;<br>
000 "calvin": newest ISAKMP SA: #1; newest IPsec SA: #2;<br>
000 "calvin": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536<br>
000<br>
000 #2: "calvin":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28032s; newest IPSEC; eroute owner<br>
000 #2: "calvin" esp.c7631a0d@172.22.65.56 esp.5a182207@172.22.65.226 tun.0@172.22.65.56 tun.0@172.22.65.226<br>
000 #1: "calvin":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
EVENT_SA_REPLACE in 2832s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)<br>
000<br>
======================================================================================<br>
Thanks<br>
Aheesh<br>
<br>
<br><br><div><span class="gmail_quote">On 1/11/06, <b class="gmail_sendername">aheesh nagraj</b> <<a href="mailto:aheesh@gmail.com">aheesh@gmail.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Paul,<br>
<br>
I changed the system I was using, and I am now using a Fedora 2.6.5 and a
2.6.10 system. It is now able to create an ISAKMP SA, but it gets stuck at quick mode, as seen below.<br>
<br>
Thanks,<br>
Aheesh<br>
<br>
P.S.: I fail to understand why my previous attempts with a 2.6.10 and a 2.6.9 Fedora were resulting in the RSA "wrong key?" error.<br>
<br>
==================================================================<br>
[root@DT345 root]# ipsec auto --up wind<br>
104 "wind" #1: STATE_MAIN_I1: initiate<br>
003 "wind" #1: received Vendor ID payload [Openswan (this version)
2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]<br>
003 "wind" #1: received Vendor ID payload [Dead Peer Detection]<br>
106 "wind" #1: STATE_MAIN_I2: sent MI2, expecting MR2<br>
108 "wind" #1: STATE_MAIN_I3: sent MI3, expecting MR3<br>
004 "wind" #1: STATE_MAIN_I4: ISAKMP SA established<br>
117 "wind" #2: STATE_QUICK_I1: initiate<br>
003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented<br>
032 "wind" #2: STATE_QUICK_I1: internal error<br>
003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented<br>
032 "wind" #2: STATE_QUICK_I1: internal error<br>
010 "wind" #2: STATE_QUICK_I1: retransmission; will wait 20s for response<br>
003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented<br>
032 "wind" #2: STATE_QUICK_I1: internal error<br>
010 "wind" #2: STATE_QUICK_I1: retransmission; will wait 40s for response<br>
003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented<br>
032 "wind" #2: STATE_QUICK_I1: internal error<br>
031 "wind" #2: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal<br>
000 "wind" #2: starting keying attempt 2 of an unlimited number, but releasing whack<br>
<br>====================================================================<div><span class="e" id="q_108b8521467e0043_1"><br>
<br>
<br><div><span class="gmail_quote">On 1/10/06, <b class="gmail_sendername">Paul Wouters</b> <<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Tue, 10 Jan 2006, aheesh nagraj wrote:<br><br>> I have 2 fedora 2.6 systems with openswan-2.3.1 installed.<br><br>yum update to get openswan-2.4.x<br><br>> Jan 10 12:39:02 aheesh_sys pluto[3787]: "net-to-net" #97: Signature check
<br>> (on 172.22.67.104) failed (wrong key?); tried *AQOaBoHjT<br><br>You either accidentally switched left/rightrsasigkey= or you made a cut and
<br>paste error, or you are just using the wrong public keys. Run ipsec showhostkey --left
<br>on one end and ipsec showhostkey --right on the other end and try again.<br><br>Paul<br></blockquote></div><br>
</span></div></blockquote></div><br>
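An added example, not part of the original thread and not Openswan code: one way to check for the causes of the "wrong key?" failure named in the first reply (switched left/rightrsasigkey=, a paste error, or the wrong public key) by comparing the same conn section as configured on both ends. The addresses and key strings are constructed placeholders; the comparison is done per endpoint address, so it does not matter which end each file labels as left.

```python
import re

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {param: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif line[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None                         # some other section type
    return conns

def keys_by_address(conn):
    """Map each endpoint address to the RSA public key configured for it."""
    return {conn[side]: conn.get(side + "rsasigkey", "") for side in ("left", "right")}

def compare_ends(conf_a, conf_b, name):
    """Return (status, addresses whose key differs between the two ends)."""
    a = keys_by_address(parse_conns(conf_a)[name])
    b = keys_by_address(parse_conns(conf_b)[name])
    if set(a) != set(b):
        return "address-mismatch", sorted(set(a) ^ set(b))
    differing = sorted(addr for addr in a if a[addr] != b[addr])
    if not differing:
        return "ok", []
    if set(a.values()) == set(b.values()):
        return "swapped", differing                # same keys, attached to the wrong ends
    return "wrong-key", differing                  # paste error or a different key

# Constructed sample data: addresses and key strings are placeholders, not from the thread.
CONN = """conn net-to-net
    left=192.0.2.1
    leftrsasigkey={l}
    right=192.0.2.2
    rightrsasigkey={r}
"""
KEY_A, KEY_B = "0sAQOEXAMPLEKEYAAAA", "0sAQNEXAMPLEKEYBBBB"
GOOD = CONN.format(l=KEY_A, r=KEY_B)
SWAPPED = CONN.format(l=KEY_B, r=KEY_A)
TRUNCATED = CONN.format(l=KEY_A, r=KEY_B[:-3])

if __name__ == "__main__":
    for label, other in (("good", GOOD), ("swapped", SWAPPED), ("truncated", TRUNCATED)):
        print(label, compare_ends(GOOD, other, "net-to-net"))
```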