<div class="gmail_quote">On Tue, Mar 24, 2009 at 7:45 PM, Anirudh Kamatgi <span dir="ltr">&lt;<a href="mailto:akamatgi@gmail.com">akamatgi@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi All,<br><br>I am trying to create a site-to-site VPN with openswan 2.6.20 on both gateways.<br>There are multiple subnets behind both gateways and one connection per subnet pair.<br><br>Through a script I am doing an "ipsec auto --add conn" for all the connections on both gateways.<br>
Then on one gateway I do "ipsec auto --asynchronous --up conn" for all the connections.<br><br>Most of the connections come up fine. But a few of them get stuck in STATE_QUICK_I1 on the gateway<br>that brought up the connection, and the same connection on the peer will be in STATE_QUICK_R1.<br>
I am unable to figure out why the connection didn't get established.<br><br>ipsec auto --status on the initiating gateway:<br>----------------------------------------------------------------<br>000 "sample-37.37.37.0-31.31.16.0": 37.37.37.0/24===11.11.0.5&lt;11.11.0.5&gt;[+S=C]...11.11.0.1&lt;11.11.0.1&gt;[+S=C]===31.31.16.0/24; unrouted; eroute owner: #0<br>
000 "sample-37.37.37.0-31.31.16.0": myip=unset; hisip=unset; myup=/home/product/code/firmware/current/bin/vpn_updown.pl; hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;<br>000 "sample-37.37.37.0-31.31.16.0": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10<br>
000 "sample-37.37.37.0-31.31.16.0": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth2;<br>000 "sample-37.37.37.0-31.31.16.0": dpd: action:restart; delay:20; timeout:15;<br>
000 "sample-37.37.37.0-31.31.16.0": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000 "sample-37.37.37.0-31.31.16.0": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict<br>000 "sample-37.37.37.0-31.31.16.0": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-2,<br>
000 "sample-37.37.37.0-31.31.16.0": ESP algorithms wanted: 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict<br>000 "sample-37.37.37.0-31.31.16.0": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br>
000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate<br><br>For the same connection on the peer gateway:<br>
-------------------------------------------------------------------<br>000 "sample-31.31.16.0-37.37.37.0": 31.31.16.0/24===11.11.0.1&lt;11.11.0.1&gt;[+S=C]...11.11.0.5&lt;11.11.0.5&gt;[+S=C]===37.37.37.0/24; unrouted; eroute owner: #0<br>
000 "sample-31.31.16.0-37.37.37.0": myip=unset; hisip=unset; myup=/home/product/code/firmware/current/bin/vpn_updown.pl; hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;<br>000 "sample-31.31.16.0-37.37.37.0": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10<br>
000 "sample-31.31.16.0-37.37.37.0": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,24;interface: eth1;<br>000 "sample-31.31.16.0-37.37.37.0": dpd: action:restart; delay:20; timeout:15;<br>
000 "sample-31.31.16.0-37.37.37.0": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000 "sample-31.31.16.0-37.37.37.0": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict<br>000 "sample-31.31.16.0-37.37.37.0": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-2,<br>
000 "sample-31.31.16.0-37.37.37.0": ESP algorithms wanted: 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict<br>000 "sample-31.31.16.0-37.37.37.0": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br>
000 #252: "sample-31.31.16.0-37.37.37.0":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 35s; lastdpd=-1s(seq in:0 out:0); idle; import:not set<br><br>Any help is appreciated.<br>
Thanks,<br><font color="#888888">Anirudh</font></blockquote><div><br>Hi all,<br>I am still not able to resolve the above issue.<br>If anybody can give a clue regarding this, it will be very much appreciated.<br>Thanks in advance,<br>
-anirudh<br></div></div><br>
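<div>A small checker for the "ipsec auto --status" output shown in the thread, added here as an example and not part of the original posts or of openswan: it parses the per-connection "newest ... SA" and state lines and reports connections parked in STATE_QUICK_I1/R1 with no IPsec SA installed. The sample input is constructed from the initiator's lines above plus one made-up healthy connection ("sample-ok"); the connection names and SA numbers are therefore assumptions.</div>

```python
import re
# Constructed sample: the initiator's "newest SA" and state lines from the post,
# plus one made-up healthy connection ("sample-ok") as a non-stuck case.
SAMPLE_STATUS = """\
000 "sample-37.37.37.0-31.31.16.0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 "sample-ok": newest ISAKMP SA: #300; newest IPsec SA: #301;
000 #301: "sample-ok":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27000s; newest IPSEC; eroute owner; isakmp#300; idle; import:admin initiate
"""

SA_LINE = re.compile(r'^000 "([^"]+)": newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+);')
STATE_LINE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\); (EVENT_\w+) in (\d+)s')
# Quick Mode states that should only be transient; parked here with no IPsec SA means Phase 2 never completed.
TRANSIENT_QM = {"STATE_QUICK_I1", "STATE_QUICK_R1"}

def parse_status(text):
    """Return {conn_name: {"isakmp": int, "ipsec": int, "states": [dict, ...]}}."""
    conns = {}
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if m:
            c = conns.setdefault(m.group(1), {"isakmp": 0, "ipsec": 0, "states": []})
            c["isakmp"], c["ipsec"] = int(m.group(2)), int(m.group(3))
            continue
        m = STATE_LINE.match(line)
        if m:
            c = conns.setdefault(m.group(2), {"isakmp": 0, "ipsec": 0, "states": []})
            c["states"].append({"sa": int(m.group(1)), "state": m.group(3),
                                "detail": m.group(4), "event": m.group(5),
                                "secs": int(m.group(6))})
    return conns

def stuck_connections(conns):
    """Map each stuck connection to a one-line diagnosis."""
    out = {}
    for name, c in conns.items():
        for s in c["states"]:
            if s["state"] in TRANSIENT_QM and c["ipsec"] == 0:
                # pluto arms EVENT_CRYPTO_FAILED while a state waits on one of its
                # crypto helpers (here the PFS DH work after QR1 arrived), so that
                # event points at a local stall; EVENT_RETRANSMIT points at the peer.
                why = ("waiting on local crypto helper" if s["event"] == "EVENT_CRYPTO_FAILED"
                       else "waiting on peer")
                out[name] = f"#{s['sa']} {s['state']}: {why} ({s['event']} in {s['secs']}s)"
    return out

if __name__ == "__main__":
    for name, why in stuck_connections(parse_status(SAMPLE_STATUS)).items():
        print("STUCK", name, why)
```

On a live gateway, feed it the real output with `ipsec auto --status | python3 check.py` after swapping SAMPLE_STATUS for sys.stdin.read().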