<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<pre wrap="">Hi Paul
Thanks for your reply.
Yes, it is an embedded machine. We use Openswan to build the VPN connection
between the machine (server) and a Windows XP client. We are using a pre-shared key.
I sent you the pluto log with the "plutodebug=controlmore" config parameter.
If there is any other info I can send you, please tell me.
Thanks a lot.

*ipsec.conf*
version 2.0

config setup
    interfaces="ipsec0=eth1"
    protostack=klips
    klipsdebug=none
    plutodebug=controlmore
    uniqueids=yes
    #postpluto="/ramfs/bin/ipsec_postpluto"
    plutostderrlog="/var/log/pluto.log"

conn %default
    type=tunnel
    rightsubnet=0.0.0.0/0
    auth=esp
    authby=secret
    disablearrivalcheck=no
    dpddelay=10
    dpdtimeout=15
    dpdaction=clear
    keyingtries=15
    failureshunt=drop
    keylife=24h
    ikelifetime=8h
    rekeymargin=10m
    rekey=no
    pfs=no
    auto=add
    #rightupdown="/ramfs/bin/ipsec_updown.exe"

#Disable Opportunistic Encryption
include ipsec.d/examples/no_oe.conf
#Include AAA User conf
include /etc/ipsec.d/conf/ipsec.*.conf

*client's config*
conn conn_10.1.1.2
    right=10.1.1.1
    left=10.1.1.2
    esp=3DES-MD5-96

*client's secrets*
10.1.1.2 10.1.1.1: PSK "1234"

*ipsec whack --status*
000 interface ipsec0/eth1 10.1.1.1
000 %myid = (none)
000 debug controlmore
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128,
keysizemax=128
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0}
attrs={0,0,0}
000
000 "conn_10.1.1.2": 0.0.0.0/0===10.1.1.1...10.1.1.2; unrouted; eroute owner: #0
000 "conn_10.1.1.2": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "conn_10.1.1.2": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 600s;
rekey_fuzz: 100%; keyingtries: 15
000 "conn_10.1.1.2": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+failureDROP; prio:
32,0; interface: eth1; encap: esp;
000 "conn_10.1.1.2": dpd: action:clear; delay:10; timeout:15;
000 "conn_10.1.1.2": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "conn_10.1.1.2": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "conn_10.1.1.2": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000
000 #4: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
EVENT_CRYPTO_FAILED in 56s; nodpd
000 #6: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
EVENT_CRYPTO_FAILED in 297s; nodpd
000 #5: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
EVENT_CRYPTO_FAILED in 177s; nodpd

*pluto log*
Plutorun started on Sat Jan 1 13:03:00 UTC 2000
Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR;
Vendor ID OE_]{vKgCoOI)
Setting NAT-Traversal port-4500 floating to off
port floating activation criteria nat_t=0/port_fload=1
including NAT-Traversal patch (Version 0.6c) [disabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=4627 (fd:5)
Using KLIPS IPsec interface code on 2.6.16.26-Cavium-Octeon
Changing to directory '/etc/ipsec.d/cacerts'
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Warning: empty directory
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/etc/ipsec.d/conf/ipsec.10.1.1.2.secrets"
loading secrets from "/etc/ipsec.d/conf/ipsec.fack.secrets"
added connection description "conn_10.1.1.2"
listening for IKE messages
adding interface ipsec0/eth1 10.1.1.1:500
| connect_to_host_pair: 10.1.1.1:500 10.1.1.2:500 -> hp:none
forgetting secrets
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/etc/ipsec.d/conf/ipsec.10.1.1.2.secrets"
loading secrets from "/etc/ipsec.d/conf/ipsec.fack.secrets"
| np=1 and sd=0x1201b72d0
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
packet from 10.1.1.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 10.1.1.2:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 10.1.1.2:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 10.1.1.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
| find_host_connection called from main_inI1_outR1
| find_host_pair: comparing to 10.1.1.1:500 10.1.1.2:500
| find_host_pair_conn (find_host_connection2): 10.1.1.1:500 10.1.1.2:500 ->
hp:conn_10.1.1.2
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #1: responding to Main Mode
| sender checking NAT-t: 0 and 0
"conn_10.1.1.2" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"conn_10.1.1.2" #1: STATE_MAIN_R1: sent MR1, expecting MI2
| processing connection conn_10.1.1.2
| np=4 and sd=0x1201b7378
| np=10 and sd=0x1201b7420
| inI2: checking NAT-t: 0 and 0
closing helper(0) pid=4627 fd=5 exit=11
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #1: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #1: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #1: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #1: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #1: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #1: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| np=1 and sd=0x1201b72d0
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
packet from 10.1.1.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 10.1.1.2:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 10.1.1.2:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 10.1.1.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
| find_host_connection called from main_inI1_outR1
| find_host_pair: comparing to 10.1.1.1:500 10.1.1.2:500
| find_host_pair_conn (find_host_connection2): 10.1.1.1:500 10.1.1.2:500 ->
hp:conn_10.1.1.2
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #2: responding to Main Mode
| sender checking NAT-t: 0 and 0
"conn_10.1.1.2" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"conn_10.1.1.2" #2: STATE_MAIN_R1: sent MR1, expecting MI2
| processing connection conn_10.1.1.2
| np=4 and sd=0x1201b7378
| np=10 and sd=0x1201b7420
| inI2: checking NAT-t: 0 and 0
"conn_10.1.1.2" #2: started helper pid=4715 (fd:5)
"conn_10.1.1.2" #2: forgetting secrets
closing helper(0) pid=4715 fd=5 exit=11
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #2: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #2: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #2: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #2: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #2: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #2: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| np=1 and sd=0x1201b72d0
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
packet from 10.1.1.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 10.1.1.2:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 10.1.1.2:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 10.1.1.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
| find_host_connection called from main_inI1_outR1
| find_host_pair: comparing to 10.1.1.1:500 10.1.1.2:500
| find_host_pair_conn (find_host_connection2): 10.1.1.1:500 10.1.1.2:500 ->
hp:conn_10.1.1.2
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #3: responding to Main Mode
| sender checking NAT-t: 0 and 0
"conn_10.1.1.2" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"conn_10.1.1.2" #3: STATE_MAIN_R1: sent MR1, expecting MI2
| processing connection conn_10.1.1.2
| np=4 and sd=0x1201b7378
| np=10 and sd=0x1201b7420
| inI2: checking NAT-t: 0 and 0
"conn_10.1.1.2" #3: forgetting secrets
"conn_10.1.1.2" #3: started helper pid=4729 (fd:5)
closing helper(0) pid=4729 fd=5 exit=11
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #3: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #3: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #3: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #3: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #3: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #3: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1
| processing connection conn_10.1.1.2
| processing connection conn_10.1.1.2
| np=1 and sd=0x1201b72d0
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
| np=13 and sd=0x1201b7468
packet from 10.1.1.2:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 10.1.1.2:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 10.1.1.2:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 10.1.1.2:500: ignoring Vendor ID payload [Vid-Initial-Contact]
| find_host_connection called from main_inI1_outR1
| find_host_pair: comparing to 10.1.1.1:500 10.1.1.2:500
| find_host_pair_conn (find_host_connection2): 10.1.1.1:500 10.1.1.2:500 ->
hp:conn_10.1.1.2
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #4: responding to Main Mode
| sender checking NAT-t: 0 and 0
"conn_10.1.1.2" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"conn_10.1.1.2" #4: STATE_MAIN_R1: sent MR1, expecting MI2
| processing connection conn_10.1.1.2
| np=4 and sd=0x1201b7378
| np=10 and sd=0x1201b7420
| inI2: checking NAT-t: 0 and 0
"conn_10.1.1.2" #4: forgetting secrets
"conn_10.1.1.2" #4: started helper pid=4742 (fd:5)
closing helper(0) pid=4742 fd=5 exit=11
| processing connection conn_10.1.1.2
"conn_10.1.1.2" #4: discarding packet received during asynchronous work (DNS or
crypto) in STATE_MAIN_R1

Paul Wouters wrote:
> On Tue, 14 Aug 2007, mix wrote:
>
>
>> Subject: Re: [Openswan Users] When i try to build a IPSec connection,
>> i got EVENT_CRYPTO_FAILED and discarding packet received during
>> asynchronous work (DNS or crypto) in STATE_MAIN_R1
>>
>> Hi Paul
>> I am using kernel 2.6.16.26 with openswan 2.4.9 compiled with MIPS64.
>>
>> I have tested on x86 and that is OK.
>> But on MIPS64, I got this problem with the same config.
>>
>
> Ahhh. We don't have a mips64. Is this a slow embedded machine?
>
> Can you enable plutodebug=controlmore and restart openswan and try the
> tunnel again, then mail us the log?
>
> Paul
>
>
> </pre>
</body>
</html>