<div>I have the firewall in the linux, the gateway is a router and this router don't have firewall.</div>
<div> </div>
<div>I don't see re-transmit in my logs, But I see this error en /var/log/message ipsec__plutorun: ...could not start conn "tunnelipsec"</div>
<div> </div>
<div>executing ipsec auto --status I have the following messages:</div>
<div> </div>
<div>000 interface lo/lo ::1<br>000 interface lo/lo <a href="http://127.0.0.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "127.0.0.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 127.0.0.1</a><br>000 interface eth0/eth0 <a href="http://165.98.224.82"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "165.98.224.82" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 165.98.224.82</a><br>000 interface eth1/eth1 <a href="http://172.16.1.1"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "172.16.1.1" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious:
172.16.1.1</a><br>000 %myid = (none)<br>000 debug none<br>000 <br>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64<br>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
<br>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448<br>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0<br>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
<br>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
<br>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
<br>000 <br>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<br>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
<br>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
<br>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
<br>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>000 <br>000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} <br>000 <br>000 "DICE": <a href="http://172.16.1.0/24===165.98.224.82...165.98.236.214===172.16.26.0/24"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "172.16.1.0" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious:
172.16.1.0/24===165.98.224.82...165.98.236.214===172.16.26.0/24</a>; prospective erouted; eroute owner: #0<br>000 "DICE": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br>000 "DICE": ike_life: 7800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
<br>000 "DICE": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,24; interface: eth0; <br>000 "DICE": newest ISAKMP SA: #0; newest IPsec SA: #0; <br>000 <br>000 #3: "DICE":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 39s; nodpd
<br>000 #3: pending Phase 2 for "DICE" replacing #0<br><br><br> </div>
<div><span class="gmail_quote">On 3/28/06, <b class="gmail_sendername">Paul Wouters</b> <<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">On Tue, 28 Mar 2006, Vida Luz Arista wrote:<br><br>> In /var/log/secure I have the follwing message:<br>
><br>> Mar 28 16:22:28 ns pluto[5175]: Could not change to directory<br>> '/etc/ipsec.d/ocspcerts'<br>> Mar 28 16:22:28 ns pluto[5175]: Could not change to directory<br>> '/etc/ipsec.d/crls'<br>> Mar 28 16:22:28 ns pluto[5175]: added connection description "tunnelipsec"
<br>> Mar 28 16:22:28 ns pluto[5175]: listening for IKE messages<br>> Mar 28 16:22:28 ns pluto[5175]: adding interface eth1/eth1 <a href="http://172.16.1.1:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "172.16.1.1:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 172.16.1.1:500</a><br>> Mar 28 16:22:28 ns pluto[5175]: adding interface eth0/eth0
<a href="http://165.98.224.82:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "165.98.224.82:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 165.98.224.82:500</a><br>> Mar 28 16:22:28 ns pluto[5175]: adding interface lo/lo <a href="http://127.0.0.1:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "127.0.0.1:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 127.0.0.1:500</a><br>> Mar 28 16:22:28 ns pluto[5175]: adding interface lo/lo ::1:500
<br>> Mar 28 16:22:28 ns pluto[5175]: loading secrets from "/etc/ipsec.secrets"<br>> Mar 28 16:22:29 ns pluto[5175]: "tunnelipsec" #1: initiating Main Mode<br><br>You should have more after this. Either an error, or a re-transmit.
<br><br>If you see a retransmit, it looks like a firewall rule somewhere blocking<br>port udp 500.<br><br>Paul<br></blockquote></div><br>