<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Paul<br>
<br>
Thanks for your reply.<br>
Yes, it is a embedded machine. We use openswan to build the VPN
connection between machine(server) and windwos XP client. We using the
presharekey.<br>
I sent you the pluto log with the "plutodebug=controlmore" config
parameter.<br>
Anything about the info i can send you, please tell me.<br>
Thanks a lot.<br>
<br>
<b><big><big><big>ipsec.conf<br>
</big></big></big></b><br>
version 2.0<br>
<br>
config setup<br>
interfaces="ipsec0=eth1"<br>
protostack=klips<br>
klipsdebug=none<br>
plutodebug=controlmore<br>
uniqueids=yes<br>
#postpluto="/ramfs/bin/ipsec_postpluto"<br>
plutostderrlog="/var/log/pluto.log"<br>
<br>
conn %default<br>
type=tunnel<br>
rightsubnet=0.0.0.0/0<br>
auth=esp<br>
authby=secret<br>
disablearrivalcheck=no<br>
dpddelay=10<br>
dpdtimeout=15<br>
dpdaction=clear<br>
keyingtries=15<br>
failureshunt=drop<br>
keylife=24h<br>
ikelifetime=8h<br>
rekeymargin=10m<br>
rekey=no<br>
pfs=no<br>
auto=add<br>
#rightupdown="/ramfs/bin/ipsec_updown.exe"<br>
<br>
#Disable Opportunistic Encryption<br>
include ipsec.d/examples/no_oe.conf<br>
#Include AAA User conf<br>
include /etc/ipsec.d/conf/ipsec.*.conf<br>
<br>
<big><b><big><big>client's config<br>
</big></big></b></big>conn conn_10.1.1.2<br>
right=10.1.1.1<br>
left=10.1.1.2<br>
esp=3DES-MD5-96<br>
<br>
<b><big><big><big>client's secrets</big></big></big></b><br>
10.1.1.2 10.1.1.1: PSK "1234"<br>
<br>
<b><big><big><big>ipsec whack --status</big></big></big></b><br>
<br>
000 interface ipsec0/eth1 10.1.1.1<br>
000 %myid = (none)<br>
000 debug controlmore<br>
000<br>
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=192, keysizemax=192<br>
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0<br>
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256<br>
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128<br>
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160<br>
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128<br>
000<br>
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192<br>
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128<br>
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>
000<br>
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}<br>
000<br>
000 "conn_10.1.1.2": 0.0.0.0/0===10.1.1.1...10.1.1.2; unrouted; eroute
owner: #0<br>
000 "conn_10.1.1.2": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;<br>
000 "conn_10.1.1.2": ike_life: 28800s; ipsec_life: 86400s;
rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 15<br>
000 "conn_10.1.1.2": policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY+failureDROP; prio: 32,0; interface: eth1;
encap: esp;<br>
000 "conn_10.1.1.2": dpd: action:clear; delay:10; timeout:15;<br>
000 "conn_10.1.1.2": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>
000 "conn_10.1.1.2": ESP algorithms wanted: 3DES(3)_000-MD5(1);
flags=strict<br>
000 "conn_10.1.1.2": ESP algorithms loaded: 3DES(3)_000-MD5(1);
flags=strict<br>
000<br>
000 #4: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
EVENT_CRYPTO_FAILED in 56s; nodpd<br>
000 #6: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
EVENT_CRYPTO_FAILED in 297s; nodpd<br>
000 #5: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
EVENT_CRYPTO_FAILED in 177s; nodpd<br>
<br>
<br>
<br>
<big><big><big><u><b>pluto log<br>
</b></u></big></big></big><br>
Plutorun started on Sat Jan 1 13:03:00 UTC 2000<br>
Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)<br>
Setting NAT-Traversal port-4500 floating to off<br>
port floating activation criteria nat_t=0/port_fload=1<br>
including NAT-Traversal patch (Version 0.6c) [disabled]<br>
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<br>
starting up 1 cryptographic helpers<br>
started helper pid=4627 (fd:5)<br>
Using KLIPS IPsec interface code on 2.6.16.26-Cavium-Octeon<br>
Changing to directory '/etc/ipsec.d/cacerts'<br>
Changing to directory '/etc/ipsec.d/aacerts'<br>
Changing to directory '/etc/ipsec.d/ocspcerts'<br>
Changing to directory '/etc/ipsec.d/crls'<br>
Warning: empty directory<br>
loading secrets from "/etc/ipsec.secrets"<br>
loading secrets from "/etc/ipsec.d/conf/ipsec.10.1.1.2.secrets"<br>
loading secrets from "/etc/ipsec.d/conf/ipsec.fack.secrets"<br>
added connection description "conn_10.1.1.2"<br>
listening for IKE messages<br>
adding interface ipsec0/eth1 10.1.1.1:500<br>
| connect_to_host_pair: 10.1.1.1:500 10.1.1.2:500 -> hp:none <br>
forgetting secrets<br>
loading secrets from "/etc/ipsec.secrets"<br>
loading secrets from "/etc/ipsec.d/conf/ipsec.10.1.1.2.secrets"<br>
loading secrets from "/etc/ipsec.d/conf/ipsec.fack.secrets"<br>
| np=1 and sd=0x1201b72d0 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
packet from 10.1.1.2:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]<br>
packet from 10.1.1.2:500: ignoring Vendor ID payload [FRAGMENTATION]<br>
packet from 10.1.1.2:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off<br>
packet from 10.1.1.2:500: ignoring Vendor ID payload
[Vid-Initial-Contact]<br>
| find_host_connection called from main_inI1_outR1<br>
| find_host_pair: comparing to 10.1.1.1:500 10.1.1.2:500 <br>
| find_host_pair_conn (find_host_connection2): 10.1.1.1:500
10.1.1.2:500 -> hp:conn_10.1.1.2 <br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #1: responding to Main Mode<br>
| sender checking NAT-t: 0 and 0<br>
"conn_10.1.1.2" #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>
"conn_10.1.1.2" #1: STATE_MAIN_R1: sent MR1, expecting MI2<br>
| processing connection conn_10.1.1.2<br>
| np=4 and sd=0x1201b7378 <br>
| np=10 and sd=0x1201b7420 <br>
| inI2: checking NAT-t: 0 and 0<br>
closing helper(0) pid=4627 fd=5 exit=11<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #1: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #1: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #1: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #1: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #1: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #1: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| np=1 and sd=0x1201b72d0 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
packet from 10.1.1.2:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]<br>
packet from 10.1.1.2:500: ignoring Vendor ID payload [FRAGMENTATION]<br>
packet from 10.1.1.2:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off<br>
packet from 10.1.1.2:500: ignoring Vendor ID payload
[Vid-Initial-Contact]<br>
| find_host_connection called from main_inI1_outR1<br>
| find_host_pair: comparing to 10.1.1.1:500 10.1.1.2:500 <br>
| find_host_pair_conn (find_host_connection2): 10.1.1.1:500
10.1.1.2:500 -> hp:conn_10.1.1.2 <br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #2: responding to Main Mode<br>
| sender checking NAT-t: 0 and 0<br>
"conn_10.1.1.2" #2: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>
"conn_10.1.1.2" #2: STATE_MAIN_R1: sent MR1, expecting MI2<br>
| processing connection conn_10.1.1.2<br>
| np=4 and sd=0x1201b7378 <br>
| np=10 and sd=0x1201b7420 <br>
| inI2: checking NAT-t: 0 and 0<br>
"conn_10.1.1.2" #2: started helper pid=4715 (fd:5)<br>
"conn_10.1.1.2" #2: forgetting secrets<br>
closing helper(0) pid=4715 fd=5 exit=11<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #2: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #2: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #2: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #2: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #2: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #2: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| np=1 and sd=0x1201b72d0 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
packet from 10.1.1.2:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]<br>
packet from 10.1.1.2:500: ignoring Vendor ID payload [FRAGMENTATION]<br>
packet from 10.1.1.2:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off<br>
packet from 10.1.1.2:500: ignoring Vendor ID payload
[Vid-Initial-Contact]<br>
| find_host_connection called from main_inI1_outR1<br>
| find_host_pair: comparing to 10.1.1.1:500 10.1.1.2:500 <br>
| find_host_pair_conn (find_host_connection2): 10.1.1.1:500
10.1.1.2:500 -> hp:conn_10.1.1.2 <br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #3: responding to Main Mode<br>
| sender checking NAT-t: 0 and 0<br>
"conn_10.1.1.2" #3: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>
"conn_10.1.1.2" #3: STATE_MAIN_R1: sent MR1, expecting MI2<br>
| processing connection conn_10.1.1.2<br>
| np=4 and sd=0x1201b7378 <br>
| np=10 and sd=0x1201b7420 <br>
| inI2: checking NAT-t: 0 and 0<br>
"conn_10.1.1.2" #3: forgetting secrets<br>
"conn_10.1.1.2" #3: started helper pid=4729 (fd:5)<br>
closing helper(0) pid=4729 fd=5 exit=11<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #3: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
| processing connection conn_10.1.1.2<br>
| processing connection conn_10.1.1.2<br>
| np=1 and sd=0x1201b72d0 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
| np=13 and sd=0x1201b7468 <br>
packet from 10.1.1.2:500: ignoring Vendor ID payload [MS NT5
ISAKMPOAKLEY 00000004]<br>
packet from 10.1.1.2:500: ignoring Vendor ID payload [FRAGMENTATION]<br>
packet from 10.1.1.2:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off<br>
packet from 10.1.1.2:500: ignoring Vendor ID payload
[Vid-Initial-Contact]<br>
| find_host_connection called from main_inI1_outR1<br>
| find_host_pair: comparing to 10.1.1.1:500 10.1.1.2:500 <br>
| find_host_pair_conn (find_host_connection2): 10.1.1.1:500
10.1.1.2:500 -> hp:conn_10.1.1.2 <br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #4: responding to Main Mode<br>
| sender checking NAT-t: 0 and 0<br>
"conn_10.1.1.2" #4: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1<br>
"conn_10.1.1.2" #4: STATE_MAIN_R1: sent MR1, expecting MI2<br>
| processing connection conn_10.1.1.2<br>
| np=4 and sd=0x1201b7378 <br>
| np=10 and sd=0x1201b7420 <br>
| inI2: checking NAT-t: 0 and 0<br>
"conn_10.1.1.2" #4: forgetting secrets<br>
"conn_10.1.1.2" #4: started helper pid=4742 (fd:5)<br>
closing helper(0) pid=4742 fd=5 exit=11<br>
| processing connection conn_10.1.1.2<br>
"conn_10.1.1.2" #4: discarding packet received during asynchronous work
(DNS or crypto) in STATE_MAIN_R1<br>
<br>
<br>
Paul Wouters 提到:
<blockquote
cite="mid:Pine.LNX.4.64.0708141219390.10631@newtla.xelerance.com"
type="cite">
<pre wrap="">On Tue, 14 Aug 2007, mix wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Subject: Re: [Openswan Users] When i try to build a IPSec connection,
i got EVENT_CRYPTO_FAILED and discarding packet received during
asynchronous work (DNS or crypto) in STATE_MAIN_R1
Hi Pual
I am using kernel 2.6.16.26 with openswan 2.4.9 compiled with MIPS64.
I have test in X86 and that ok.
But in Mips64, i got this problem with the same config.
</pre>
</blockquote>
<pre wrap=""><!---->
Ahhh. We don't have a mips64. Is this a slow embedded machine?
Can you enable plutodebug=controlmore and restart openswan and try the
tunnel again, then mail us the log?
Paul
</pre>
</blockquote>
<br>
</body>
</html>