Hi All,

I am trying to create a site-to-site vpn with openswan 2.6.20 on both gateways.
There are multiple subnets behind both gateways and one connection per subnet pair.

Through a script I am doing a "ipsec auto --add conn" for all the connections on both gateways.
Then on one gateway I do "ipsec auto --asynchronous --up conn" for all the connections.

Most of the connections come up fine. But a few of them get stuck in STATE_QUICK_I1 on the gateway
which brought up the connection and the same connection in the peer will be in STATE_QUICK_R1.
I am unable to figure out why the connection didn't get established.

ipsec auto --status on the initiating gateway:
----------------------------------------------------------------
000 "sample-37.37.37.0-31.31.16.0": 37.37.37.0/24===11.11.0.5<11.11.0.5>[+S=C]...11.11.0.1<11.11.0.1>[+S=C]===31.31.16.0/24; unrouted; eroute owner: #0
000 "sample-37.37.37.0-31.31.16.0":     myip=unset; hisip=unset; myup=/home/product/code/firmware/current/bin/vpn_updown.pl; hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;
000 "sample-37.37.37.0-31.31.16.0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "sample-37.37.37.0-31.31.16.0":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth2;
000 "sample-37.37.37.0-31.31.16.0":   dpd: action:restart; delay:20; timeout:15;
000 "sample-37.37.37.0-31.31.16.0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sample-37.37.37.0-31.31.16.0":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
000 "sample-37.37.37.0-31.31.16.0":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-2,
000 "sample-37.37.37.0-31.31.16.0":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict
000 "sample-37.37.37.0-31.31.16.0":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

For the same connection on the peer gateway:
-------------------------------------------------------------------
000 "sample-31.31.16.0-37.37.37.0": 31.31.16.0/24===11.11.0.1<11.11.0.1>[+S=C]...11.11.0.5<11.11.0.5>[+S=C]===37.37.37.0/24; unrouted; eroute owner: #0
000 "sample-31.31.16.0-37.37.37.0":     myip=unset; hisip=unset; myup=/home/product/code/firmware/current/bin/vpn_updown.pl; hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;
000 "sample-31.31.16.0-37.37.37.0":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10
000 "sample-31.31.16.0-37.37.37.0":   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,24;interface: eth1;
000 "sample-31.31.16.0-37.37.37.0":   dpd: action:restart; delay:20; timeout:15;
000 "sample-31.31.16.0-37.37.37.0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "sample-31.31.16.0-37.37.37.0":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
000 "sample-31.31.16.0-37.37.37.0":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-2,
000 "sample-31.31.16.0-37.37.37.0":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict
000 "sample-31.31.16.0-37.37.37.0":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 #252: "sample-31.31.16.0-37.37.37.0":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 35s; lastdpd=-1s(seq in:0 out:0); idle; import:not set

Any help is appreciated.
Thanks,
Anirudh
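
A triage helper for the `ipsec auto --status` output quoted above, as an added example that is not part of the original post: it lists state objects still waiting in Quick Mode (STATE_QUICK_I1 / STATE_QUICK_R1) and whether the connection already has an IPsec SA. The function name, the regexes and the `sample-ok` lines are constructed for illustration; the line layout is assumed to match the output shown in the post.

```python
import re

# State-object line, e.g.: 000 #227: "conn":500 STATE_QUICK_I1 (...); EVENT_X in 300s; ...
STATE_RE = re.compile(
    r'^000 #(?P<serial>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<detail>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>-?\d+)s')
# Per-connection summary line: newest ISAKMP SA: #N; newest IPsec SA: #M;
NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)":\s+newest ISAKMP SA: #(?P<isakmp>\d+); '
    r'newest IPsec SA: #(?P<ipsec>\d+);')
# Quick Mode states that are still waiting for the peer's next message.
PENDING = {"STATE_QUICK_I1", "STATE_QUICK_R1"}

# Constructed sample: the first two lines are copied from the post,
# the "sample-ok" lines are made up to show an established tunnel.
SAMPLE = '''\
000 "sample-37.37.37.0-31.31.16.0":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 "sample-ok":   newest ISAKMP SA: #300; newest IPsec SA: #301;
000 #301: "sample-ok":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27000s; newest IPSEC; eroute owner
'''

def pending_quick_mode(status_text):
    """Return one record per state object still waiting in Quick Mode."""
    newest_ipsec = {}   # connection name -> serial of newest IPsec SA (0 = none)
    pending = []
    for line in status_text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            newest_ipsec[m["conn"]] = int(m["ipsec"])
            continue
        m = STATE_RE.match(line)
        if m and m["state"] in PENDING:
            rec = m.groupdict()
            rec["serial"] = int(rec["serial"])
            rec["secs"] = int(rec["secs"])
            pending.append(rec)
    # Annotate after the full pass so line order in the status dump does not matter.
    for rec in pending:
        rec["has_ipsec_sa"] = newest_ipsec.get(rec["conn"], 0) != 0
    return pending

if __name__ == "__main__":
    for rec in pending_quick_mode(SAMPLE):
        print('#{serial} {conn}: {state} ({detail}); next {event} in {secs}s; '
              'IPsec SA present: {has_ipsec_sa}'.format(**rec))
```

Running it against the status dump from each gateway and joining the results on the subnet pair shows which tunnels are waiting on which side.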