<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-2">
<META content="MSHTML 6.00.2900.2963" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2><FONT face="Times New Roman" size=3>Hi there, I'm
trying to set up a tunnel to a Cisco PIX (I don't know the type exactly; I don't have
direct access to it). Everything looks good, the tunnel goes up, but after some time
I got this:<BR><BR>Here's the complete log after ipsec restart<BR>Oct 12 14:36:48
gate ipsec__plutorun: Starting Pluto subsystem...<BR>Oct 12 14:36:48 gate
pluto[10954]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4
PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)<BR>Oct 12
14:36:48 gate pluto[10954]: Setting NAT-Traversal port-4500 floating to
off<BR>Oct 12 14:36:48 gate pluto[10954]: port floating activation criteria
nat_t=0/port_fload=1<BR>Oct 12 14:36:48 gate pluto[10954]: including
NAT-Traversal patch (Version 0.6c) [disabled]<BR>Oct 12 14:36:48 gate
pluto[10954]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying
alternate sources of random<BR>Oct 12 14:36:48 gate pluto[10954]: WARNING: Using
/dev/urandom as the source of random<BR>Oct 12 14:36:48 gate pluto[10954]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>Oct 12 14:36:48
gate pluto[10954]: starting up 1 cryptographic helpers<BR>Oct 12 14:36:48 gate
pluto[10955]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying
alternate sources of random<BR>Oct 12 14:36:48 gate pluto[10955]: WARNING: Using
/dev/urandom as the source of random<BR>Oct 12 14:36:48 gate pluto[10954]:
started helper pid=10955 (fd:5)<BR>Oct 12 14:36:48 gate pluto[10954]: Using
KLIPS IPsec interface code on 2.4.32<BR>Oct 12 14:36:48 gate pluto[10954]:
Changing to directory '/etc/ipsec.d/cacerts'<BR>Oct 12 14:36:48 gate
pluto[10954]: Changing to directory '/etc/ipsec.d/aacerts'<BR>Oct 12 14:36:48
gate pluto[10954]: Changing to directory '/etc/ipsec.d/ocspcerts'<BR>Oct 12
14:36:48 gate pluto[10954]: Changing to directory '/etc/ipsec.d/crls'<BR>Oct 12
14:36:48 gate pluto[10954]: Warning: empty directory<BR>Oct 12 14:36:48 gate
pluto[10954]: added connection description "cross-rsd"<BR>Oct 12 14:36:48 gate
pluto[10954]: listening for IKE messages<BR>Oct 12 14:36:48 gate pluto[10954]:
adding interface ipsec0/eth0 ddd.ccc.bbb.aaa:500<BR>Oct 12 14:36:48 gate
pluto[10954]: loading secrets from "/etc/ipsec.secrets"<BR>Oct 12 14:36:48 gate
pluto[10954]: "cross-rsd" #6: initiating Main Mode<BR>Oct 12 14:36:48 gate
pluto[10954]: "cross-rsd" #6: ignoring unknown Vendor ID payload
[4048b7d56ebce88525e7de7f00d6c2d3c0000000]<BR>Oct 12 14:36:48 gate pluto[10954]:
"cross-rsd" #6: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2<BR>Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6:
STATE_MAIN_I2: sent MI2, expecting MR2<BR>Oct 12 14:36:48 gate pluto[10954]:
"cross-rsd" #6: received Vendor ID payload [Cisco-Unity]<BR>Oct 12 14:36:48 gate
pluto[10954]: "cross-rsd" #6: received Vendor ID payload [XAUTH]<BR>Oct 12
14:36:48 gate pluto[10954]: "cross-rsd" #6: ignoring unknown Vendor ID payload
[de00053fa3079c3e67cf9f6ebec00f96]<BR>Oct 12 14:36:48 gate pluto[10954]:
"cross-rsd" #6: ignoring Vendor ID payload [Cisco VPN 3000 Series]<BR>Oct 12
14:36:48 gate pluto[10954]: "cross-rsd" #6: I did not send a certificate because
I do not have one.<BR>Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6:
transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<BR>Oct 12 14:36:48
gate pluto[10954]: "cross-rsd" #6: STATE_MAIN_I3: sent MI3, expecting MR3<BR>Oct
12 14:36:48 gate pluto[10954]: "cross-rsd" #6: received Vendor ID payload [Dead
Peer Detection]<BR>Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: Main mode
peer ID is ID_FQDN: '@rightsecret'<BR>Oct 12 14:36:48 gate pluto[10954]:
"cross-rsd" #6: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4<BR>Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6:
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5<BR>Oct 12 14:36:48 gate pluto[10954]:
"cross-rsd" #6: Dead Peer Detection (RFC 3706): enabled<BR>Oct 12 14:36:48 gate
pluto[10954]: "cross-rsd" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
isakmp#6}<BR>Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #7: Dead Peer
Detection (RFC 3706): enabled<BR>Oct 12 14:36:48 gate pluto[10954]: "cross-rsd"
#7: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<BR>Oct 12
14:36:48 gate pluto[10954]: "cross-rsd" #7: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0x45d1a653 <0x6470eff9 xfrm=3DES_0-HMAC_MD5
NATD=none<BR>Oct 12 15:07:17 gate pluto[10954]: "cross-rsd" #6: received Delete
SA payload: deleting ISAKMP State #6<BR>Oct 12 15:07:17 gate pluto[10954]:
packet from aaa.bbb.ccc.ddd:500: received and ignored informational
message<BR>Oct 12 15:07:17 gate pluto[10954]: packet from aaa.bbb.ccc.ddd:500:
Informational Exchange is for an unknown (expired?) SA<BR>Oct 12 15:07:21 gate
pluto[10954]: "cross-rsd" #7: DPD: Serious: could not find newest phase 1
state<BR><BR>my ipsec.conf<BR>-----------------<BR>version 2.0<BR>config
setup<BR> nat_traversal=no<BR>conn
%default<BR> keyingtries=0<BR> dpddelay=30<BR> dpdtimeout=120<BR> dpdaction=restart<BR>conn
cross-rsd<BR> left=ddd.ccc.bbb.aaa<BR> leftsubnet=172.31.193.0/24<BR> leftid=@leftsecret<BR> right=aaa.bbb.ccc.ddd<BR> rightid=@rightsecret<BR> rightsubnet=192.168.0.0/16<BR> pfs=no<BR> authby=secret<BR> auto=start<BR>include
/etc/ipsec.d/examples/no_oe.conf<BR><BR>ipsec.secrets<BR>-----------------<BR>@lefsecret
@rightsecret : PSK "top secret"<BR><BR>After the conn is established, whack lists
this:<BR>000 #3: "cross-rsd":500 STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE_IF_USED in 28011s; newest IPSEC; eroute
owner<BR>000 #3: "cross-rsd" esp.d74f1a0e@aaa.bbb.ccc.ddd
esp.1a930e84@ddd.ccc.bbb.aaa tun.1002@aaa.bbb.ccc.ddd
tun.1001@ddd.ccc.bbb.aaa<BR>000 #1: "cross-rsd":500 STATE_MAIN_I4 (ISAKMP
SA established); EVENT_SA_REPLACE_IF_USED in 2740s; newest ISAKMP;
lastdpd=-1s(seq in:0 out:0)<BR><BR>What is EVENT_SA_REPLACE_IF_USED?<BR>Thanks
for any advice.<BR>Orrie</FONT><BR></FONT></DIV></BODY></HTML>