<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<div class="moz-text-flowed"
style="font-family: -moz-fixed; font-size: 13px;" lang="x-unicode">Hi
Paul
<br>
<br>
I add the nhelpers=0 and restart the openswan process.
<br>
When i active the windows IPSec rule. After few seconds, the openswan
will restart itself.(if i remove the nhelpers config, openswan won't
restart itself.)
<br>
And still can not build the IPSec connection.
<br>
<br>
my ipsec.conf
<br>
<br>
version 2.0
<br>
<br>
config setup
<br>
interfaces="ipsec0=eth0"
<br>
protostack=klips
<br>
klipsdebug=none
<br>
plutodebug=all
<br>
plutostderrlog=/var/log/pluto.log
<br>
uniqueids=yes
<br>
nhelpers=0
<br>
#postpluto="/ramfs/bin/ipsec_postpluto"
<br>
<br>
conn %default
<br>
type=tunnel
<br>
rightsubnet=0.0.0.0/0
<br>
auth=esp
<br>
authby=secret
<br>
disablearrivalcheck=no
<br>
dpddelay=10
<br>
dpdtimeout=15
<br>
dpdaction=clear
<br>
keyingtries=15
<br>
failureshunt=drop
<br>
keylife=24h
<br>
ikelifetime=8h
<br>
rekeymargin=10m
<br>
rekey=no
<br>
pfs=no
<br>
auto=add
<br>
#rightupdown="/ramfs/bin/ipsec_updown.exe"
<br>
<br>
#Disable Opportunistic Encryption
<br>
include ipsec.d/examples/no_oe.conf
<br>
#Include AAA User conf
<br>
include /etc/ipsec.d/conf/ipsec.*.conf
<br>
<br>
Best Regard.
<br>
<br>
Paul Wouters 提到:
<br>
<blockquote type="cite">On Mon, 13 Aug 2007, mix wrote:
<br>
<br>
Try adding nhelpers=0 to "config setup".
<br>
<br>
Paul
<br>
<br>
<blockquote type="cite">Date: Mon, 13 Aug 2007 16:08:39 +0800
<br>
From: mix <a class="moz-txt-link-rfc2396E"
href="mailto:mix@cipherium.com.tw"><mix@cipherium.com.tw></a>
<br>
To: <a class="moz-txt-link-rfc2396E" href="mailto:users@openswan.org"><users@openswan.org></a>,
mix <a class="moz-txt-link-rfc2396E" href="mailto:mix@cipherium.com.tw"><mix@cipherium.com.tw></a>
<br>
Subject: [Openswan Users] When i try to build a IPSec connection,
<br>
i got EVENT_CRYPTO_FAILED and discarding packet received during
<br>
asynchronous work (DNS or crypto) in STATE_MAIN_R1
<br>
<br>
<br>
*Hello guys
<br>
<br>
I got a problem that can not resolve.
<br>
When i try to build a IPSec connection with kernel 2.6.16.26 / openswan
2.4.9
<br>
I got a EVENT_CRYPTO_FAILED, and don't know how to make it work.
<br>
Can someone help me how to do?
<br>
<br>
My network topology
<br>
windows client (IP 10.1.1.2/255.255.255.0) ----- linux with openswan
<br>
2.4.9(10.1.1.1/255.255.255.0 eth1) ------ 192.168.5.228(eth0) -------
gw -------
<br>
internet
<br>
<br>
<br>
Many thanks.
<br>
<br>
message from ipsec whack --status*
<br>
<br>
000 interface ipsec0/eth1 10.1.1.1
<br>
000 %myid = (none)
<br>
000 debug
<br>
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
<br>
000
<br>
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192,
<br>
keysizemax=192
<br>
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
<br>
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128,
<br>
keysizemax=256
<br>
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128,
<br>
keysizemax=128
<br>
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
<br>
keysizemin=160, keysizemax=160
<br>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128,
<br>
keysizemax=128
<br>
000
<br>
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
<br>
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
<br>
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
<br>
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
<br>
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
<br>
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
<br>
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
bits=2048
<br>
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
bits=3072
<br>
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
bits=4096
<br>
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
bits=6144
<br>
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
bits=8192
<br>
000
<br>
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0}
<br>
attrs={0,0,0}
<br>
000
<br>
000 "conn_10.1.1.2": 0.0.0.0/0===10.1.1.1...10.1.1.2; unrouted; eroute
owner: #0
<br>
000 "conn_10.1.1.2": srcip=unset; dstip=unset; srcup=ipsec _updown;
<br>
dstup=ipsec _updown;
<br>
000 "conn_10.1.1.2": ike_life: 28800s; ipsec_life: 86400s;
rekey_margin: 600s;
<br>
rekey_fuzz: 100%; keyingtries: 15
<br>
000 "conn_10.1.1.2": policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY+failureDROP; prio:
<br>
32,0; interface: eth1; encap: esp;
<br>
000 "conn_10.1.1.2": dpd: action:clear; delay:10; timeout:15;
<br>
000 "conn_10.1.1.2": newest ISAKMP SA: #0; newest IPsec SA: #0;
<br>
000 "conn_10.1.1.2": ESP algorithms wanted: 3DES(3)_000-MD5(1);
flags=strict
<br>
000 "conn_10.1.1.2": ESP algorithms loaded: 3DES(3)_000-MD5(1);
flags=strict
<br>
000
<br>
000 #3: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
<br>
<b class="moz-txt-star"><span class="moz-txt-tag">*</span>EVENT_CRYPTO_FAILED<span
class="moz-txt-tag">*</span></b> in 245s; nodpd
<br>
000 #1: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
<br>
<b class="moz-txt-star"><span class="moz-txt-tag">*</span>EVENT_CRYPTO_FAILED<span
class="moz-txt-tag">*</span></b> in 44s; nodpd
<br>
<br>
<br>
<b class="moz-txt-star"><span class="moz-txt-tag">*</span>message
from pluto debug log<span class="moz-txt-tag">*</span></b>
<br>
<br>
"conn_10.1.1.2" #1: discarding packet received during asynchronous work
(DNS or
<br>
crypto) in STATE_MAIN_R1
<br>
| next event EVENT_PENDING_PHASE2 in 92 seconds
<br>
|
<br>
| *received 184 bytes from 10.1.1.2:500 on eth1 (port=500)
<br>
| 3e 60 3a 91 56 e2 e1 d1 31 8a 2a d1 77 81 d3 90
<br>
| 04 10 02 00 00 00 00 00 00 00 00 b8 0a 00 00 84
<br>
| 6c 52 0f 65 6d ca 04 e2 e5 31 0c 56 13 67 5f 4b
<br>
| 80 44 36 d0 6f fd 98 50 94 64 97 02 b2 3f 29 c8
<br>
| b5 6d 4c 45 80 ce 6f 49 7c eb 8c cc 1f 8b 84 26
<br>
| a7 65 a8 97 65 f9 5c fa 99 09 e7 f7 b6 f9 76 0f
<br>
| 02 66 5d 2c 76 3a 47 2c b5 89 8c f7 f8 4e 83 3d
<br>
| 43 0b 47 83 bc fa 35 0a b9 fb 0d 71 22 70 90 36
<br>
| 15 22 e9 a8 17 62 66 1f 46 a2 09 66 ac fc 3c 49
<br>
| a2 b6 b6 bb 68 0c d7 e0 c6 a9 d5 00 ba 0a 81 33
<br>
| 00 00 00 18 da 62 08 ce ec 19 7c db ec da 12 51
<br>
| f0 b3 e0 8a be 25 03 61
<br>
| **parse ISAKMP Message:
<br>
| initiator cookie:
<br>
| 3e 60 3a 91 56 e2 e1 d1
<br>
| responder cookie:
<br>
| 31 8a 2a d1 77 81 d3 90
<br>
| next payload type: ISAKMP_NEXT_KE
<br>
| ISAKMP version: ISAKMP Version 1.0
<br>
| exchange type: ISAKMP_XCHG_IDPROT
<br>
| flags: none
<br>
| message ID: 00 00 00 00
<br>
| length: 184
<br>
| processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
<br>
| ICOOKIE: 3e 60 3a 91 56 e2 e1 d1
<br>
| RCOOKIE: 31 8a 2a d1 77 81 d3 90
<br>
| peer: 0a 01 01 02
<br>
| state hash entry 14
<br>
| peer and cookies match on #1, provided msgid 00000000 vs 00000000
<br>
| state object #1 found, in STATE_MAIN_R1
<br>
| processing connection conn_10.1.1.2
<br>
<br>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<br>
</div>
</body>
</html>