<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3314" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=313342822-15042008>Hi !</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=313342822-15042008> The pix configuration that you
have provided is incomplete - from the logs on the linux box - it seems phaseI
is established and phaseII is not negotiated due to conflict / disagreement on
encryption.</SPAN></FONT><FONT face=Arial color=#0000ff size=2><SPAN
class=313342822-15042008>Your access list for interesting vpn traffic on the
pix reads</SPAN></FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff size=2><SPAN
class=313342822-15042008>"<FONT color=#000000 size=3>access-list COMPANY
extended permit ip 10.64.98.0 255.255.255.0 192.168.40.0 255.255.255.0
"</FONT></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=313342822-15042008><FONT
color=#000000 size=3></FONT></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=313342822-15042008><FONT
color=#000000 size=3><FONT color=#0000ff size=2> IMO - it should
read</FONT></FONT></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=313342822-15042008><FONT
color=#000000 size=3>access-list COMPANY extended permit ip 192.168.40.0
255.255.255.0 10.64.98.0 255.255.255.0 </FONT></SPAN></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=313342822-15042008><FONT
color=#000000 size=3></FONT></SPAN></FONT> </DIV>
<DIV><FONT face=Arial color=#0000ff size=2><SPAN class=313342822-15042008><FONT
color=#000000 size=3><FONT color=#0000ff size=2>"show run crypto" on the pix
would provide more details on the
configuration</FONT></DIV></FONT></SPAN></FONT>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV>
<DIV align=left><FONT face=Arial><FONT size=2><SPAN class=313342822-15042008>-
</SPAN>Simon Charles<SPAN class=313342822-15042008> -
</SPAN></FONT></FONT></DIV>
<DIV><FONT face=Arial color=#0000ff size=2></FONT> </DIV></DIV>
<DIV> </DIV>
<DIV align=left>
<DIV align=left><FONT face=Arial size=2></FONT></DIV></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Richard
Witt<BR><B>Sent:</B> Tuesday, April 15, 2008 5:14 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] error connecting to
pix<BR></FONT><BR></DIV>
<DIV></DIV>I am having problems connecting openswan (Linux Openswan
U2.4.7/K2.6.22) to a pix (7.2(2)) <BR>I have been googling all day long and
have not found anything to help me out here.<BR><BR>Below is the session and
the error from the openswan box:<BR><BR><PRE>Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: initiating Main Mode
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [Cisco-Unity]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [XAUTH]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring unknown Vendor ID payload [0dd6ff8b11b02ade5b80c4f5c57944be]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: I did not send a certificate because I do not have one.
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [Dead Peer Detection]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1763: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1762}
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received and ignored informational message
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Delete SA payload: deleting ISAKMP State #1762
</PRE>Now the error from the pix:<BR><BR><PRE>Apr 15 13:27:39 [IKEv1]: Group = 216.52.180.242, IP = 216.52.180.242, QM FSM error (P2 struct &0x2a9a0e8, mess id 0x144e2c86)!
Apr 15 13:27:39 [IKEv1]: Group = 216.52.180.242, IP = 216.52.180.242, Removing peer from correlator table failed, no match!
</PRE><BR><BR>>From the errors given it seems that there is something wrong
on one side or the other. We have double checked these many times.<BR>Was
hoping someone else could shed some light on this. <BR><BR>Below is the
openswan config relative to this connection: <PRE>
conn someother_company
leftid=xxx.xxx.180.242
leftsubnet=10.64.98.0/24
right=xxx.xxx.137.116
rightsubnet=192.168.40.0/24
authby=secret
auto=start
pfs=no
ike=3des-md5-modp1024
esp=3des-md5
</PRE>And below is the relevant config from the pix<BR><BR><PRE>access-list COMPANY extended permit ip 10.64.98.0 255.255.255.0 192.168.40.0 255.255.255.0
access-list INSIDE extended permit tcp host 192.168.40.29 eq 4000 host 10.64.98.12 gt 1023
access-list INSIDE extended permit tcp host 192.168.40.27 eq 4000 host 10.64.98.12 gt 1023
access-list INSIDE extended permit tcp host 192.168.40.29 eq 30229 host 10.64.98.12 gt 1023
access-list INSIDE extended permit tcp host 192.168.40.27 eq 30229 host 10.64.98.12 gt 1023
crypto ipsec transform-set PEN esp-3des esp-md5-hmac
crypto map prodvpn1 82 match address COMPANY
crypto map prodvpn1 82 set peer xxx.xxx.180.242
crypto map prodvpn1 82 set transform-set PEN
tunnel-group xxx.xxx.180.242 type ipsec-l2l
tunnel-group xxx.xxx.180.242 ipsec-attributes
pre-shared-key **********
crypto isakmp policy 25
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 3600
</PRE><BR>Can anyone help me with this at all?
<P><FONT size=2>STATEMENT OF CONFIDENTIALITY:</FONT> <FONT size=2>This message
and any attachments are intended solely for the person or entity to which it
is addressed and may contain confidential or privileged information. If the
recipient of this message is not the addressee or a person responsible for
delivering the message to the addressee, such recipient is prohibited from
reading or using this message in any way. If you have received this message in
error, please call the sender of this message immediately and delete the
message from any
computer.</FONT></P><BR>****************************************************************************
<BR>This message contains confidential and proprietary information of the
sender, <BR>and is intended only for the person(s) to whom it is addressed.
Any use, <BR>distribution, copying or disclosure by any other person is
strictly prohibited. <BR>If you have received this message in error, please
notify the e-mail sender <BR>immediately, and delete the original message
without making a copy.
<BR>****************************************************************************
</BLOCKQUOTE></BODY><br>****************************************************************************
<br>This message contains confidential and proprietary information of the sender,
<br>and is intended only for the person(s) to whom it is addressed. Any use,
<br> distribution, copying or disclosure by any other person is strictly prohibited.
<br> If you have received this message in error, please notify the e-mail sender
<br> immediately, and delete the original message without making a copy.
<br>****************************************************************************
</HTML>