<div class="gmail_quote">On Tue, Mar 24, 2009 at 7:45 PM, Anirudh Kamatgi <span dir="ltr">&lt;<a href="mailto:akamatgi@gmail.com">akamatgi@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi All,<br><br>I am trying to create a site-to-site VPN with Openswan 2.6.20 on both gateways.<br>There are multiple subnets behind both gateways and one connection per subnet pair.<br><br>Through a script I am doing an &quot;ipsec auto --add conn&quot; for all the connections on both gateways.<br>

Then on one gateway I do &quot;ipsec auto --asynchronous --up conn&quot; for all the connections.<br><br>Most of the connections come up fine. But a few of them get stuck in STATE_QUICK_I1 on the gateway<br>which brought up the connection and the same connection in the peer will be in STATE_QUICK_R1.<br>

I am unable to figure out why the connection didn&#39;t get established.<br><br>ipsec auto --status on the initiating gateway:<br>----------------------------------------------------------------<br>000 &quot;sample-37.37.37.0-31.31.16.0&quot;: 37.37.37.0/24===11.11.0.5&lt;11.11.0.5&gt;[+S=C]...11.11.0.1&lt;11.11.0.1&gt;[+S=C]===31.31.16.0/24; unrouted; eroute owner: #0<br>

000 &quot;sample-37.37.37.0-31.31.16.0&quot;:     myip=unset; hisip=unset; myup=/home/product/code/firmware/current/bin/vpn_updown.pl; hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;<br>000 &quot;sample-37.37.37.0-31.31.16.0&quot;:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10<br>

000 &quot;sample-37.37.37.0-31.31.16.0&quot;:   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth2;<br>000 &quot;sample-37.37.37.0-31.31.16.0&quot;:   dpd: action:restart; delay:20; timeout:15;<br>

000 &quot;sample-37.37.37.0-31.31.16.0&quot;:   newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000 &quot;sample-37.37.37.0-31.31.16.0&quot;:   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict<br>000 &quot;sample-37.37.37.0-31.31.16.0&quot;:   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-2,<br>

000 &quot;sample-37.37.37.0-31.31.16.0&quot;:   ESP algorithms wanted: 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict<br>000 &quot;sample-37.37.37.0-31.31.16.0&quot;:   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br>

000 #227: &quot;sample-37.37.37.0-31.31.16.0&quot;:500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate<br><br>For the same connection on the peer gateway:<br>

-------------------------------------------------------------------<br>000 &quot;sample-31.31.16.0-37.37.37.0&quot;: 31.31.16.0/24===11.11.0.1&lt;11.11.0.1&gt;[+S=C]...11.11.0.5&lt;11.11.0.5&gt;[+S=C]===37.37.37.0/24; unrouted; eroute owner: #0<br>

000 &quot;sample-31.31.16.0-37.37.37.0&quot;:     myip=unset; hisip=unset; myup=/home/product/code/firmware/current/bin/vpn_updown.pl; hisup=/home/product/code/firmware/current/bin/vpn_updown.pl;<br>000 &quot;sample-31.31.16.0-37.37.37.0&quot;:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 10<br>

000 &quot;sample-31.31.16.0-37.37.37.0&quot;:   policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+lKOD+rKOD; prio: 24,24;interface: eth1;<br>000 &quot;sample-31.31.16.0-37.37.37.0&quot;:   dpd: action:restart; delay:20; timeout:15;<br>

000 &quot;sample-31.31.16.0-37.37.37.0&quot;:   newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000 &quot;sample-31.31.16.0-37.37.37.0&quot;:   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict<br>000 &quot;sample-31.31.16.0-37.37.37.0&quot;:   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-2,<br>

000 &quot;sample-31.31.16.0-37.37.37.0&quot;:   ESP algorithms wanted: 3DES(3)_000-SHA1(2); pfsgroup=MODP1024(2);flags=-strict<br>000 &quot;sample-31.31.16.0-37.37.37.0&quot;:   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160<br>

000 #252: &quot;sample-31.31.16.0-37.37.37.0&quot;:500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_RETRANSMIT in 35s; lastdpd=-1s(seq in:0 out:0); idle; import:not set<br><br>Any help is appreciated.<br>

Thanks,<br><font color="#888888">Anirudh</font></blockquote><div><br>Hi all,<br>I am still not able to resolve the above issue.<br>If anybody can give some clue regarding this, it will be very much appreciated.<br>Thanks in advance,<br>
-anirudh<br></div></div><br>
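The per-state lines from the "ipsec auto --status" output quoted above can be checked mechanically: the parser below lists every connection that has a Quick Mode state but no established IPsec SA, with the pending event and its timer. This is an added example, not part of the original message or of Openswan; the function names are hypothetical and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict

# Sample input: the first line is the state line quoted in the message above;
# the other two are constructed to show an established connection.
SAMPLE_STATUS = '''\
000 #227: "sample-37.37.37.0-31.31.16.0":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_CRYPTO_FAILED in 300s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #230: "sample-37.37.37.0-31.31.17.0":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27939s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "sample-37.37.37.0-31.31.17.0":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2607s; newest ISAKMP; idle; import:admin initiate
'''

# Matches only per-state lines ("000 #N: ..."), not per-connection lines.
STATE_LINE = re.compile(
    r'^000 #(\d+): "([^"]+)"(?::\d+)? (STATE_\w+) \(([^)]*)\); (EVENT_\w+) in (-?\d+)s')

# Quick Mode states in which the IPsec SA is fully established.
ESTABLISHED = {"STATE_QUICK_I2", "STATE_QUICK_R2"}


def parse_states(status_text):
    """Return one dict per state line found in the status text."""
    states = []
    for line in status_text.splitlines():
        m = STATE_LINE.match(line.strip())
        if m:
            serial, conn, state, detail, event, secs = m.groups()
            states.append({"serial": int(serial), "conn": conn, "state": state,
                           "detail": detail, "event": event, "in_s": int(secs)})
    return states


def stuck_quick_mode(status_text):
    """Map connection name to its pending Quick Mode states, but only for
    connections that have no established IPsec SA at all. A connection that
    is merely rekeying (old SA still up) is therefore not reported."""
    by_conn = defaultdict(list)
    for s in parse_states(status_text):
        if s["state"].startswith("STATE_QUICK_"):
            by_conn[s["conn"]].append(s)
    return {conn: sorted(states, key=lambda s: s["serial"])
            for conn, states in by_conn.items()
            if not any(s["state"] in ESTABLISHED for s in states)}


if __name__ == "__main__":
    for conn, states in stuck_quick_mode(SAMPLE_STATUS).items():
        for s in states:
            print("%s #%d %s (%s); %s in %ds" % (
                conn, s["serial"], s["state"], s["detail"], s["event"], s["in_s"]))
```

Running it against the status output of each gateway in turn shows which subnet pairs are left half-negotiated after the scripted "--up" calls.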