<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceType"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PlaceName"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p.MsoAutoSig, li.MsoAutoSig, div.MsoAutoSig
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle18
        {mso-style-type:personal-compose;
        font-family:Arial;
        color:windowtext;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I have an Openswan connection running Openswan
U2.4.13/K2.6.26-2-gx1 (netkey) to a Cisco ASA 5500 running version
8.3(2). When the Cisco initiates the connection everything works fine;
when the Openswan initiates the connection the Cisco complains there are no
acceptable phase 2 proposals and the tunnel won’t come up. I believe
this is a bug in the Cisco software. I have two questions: has anyone seen
this before? And is there a workaround for this problem? See the Openswan
and Cisco log entries below.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257:
STATE_MAIN_I2: sent MI2, expecting MR2<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: received
Vendor ID payload [Cisco-Unity]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: received
Vendor ID payload [XAUTH]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: ignoring unknown
Vendor ID payload [dcd8bedf46899e9ca08351dc49a8db59]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: ignoring
Vendor ID payload [Cisco VPN 3000 Series]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: I did not send a
certificate because I do not have one.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257:
STATE_MAIN_I3: sent MI3, expecting MR3<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: received Vendor ID
payload [Dead Peer Detection]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: | protocol/port in Phase 1
ID Payload is 17/0. accepted with port_floating NAT-T<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: Main mode
peer ID is ID_IPV4_ADDR: '192.168.77.62'<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: transition
from state STATE_MAIN_I3 to state STATE_MAIN_I4<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257:
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256
prf=oakley_md5 group=modp1024}<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3258: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3257}<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: ignoring
informational payload, type NO_PROPOSAL_CHOSEN<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: received and
ignored informational message<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: received
Delete SA payload: deleting ISAKMP State #3257<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:46 cju01u03router pluto[32128]: packet from xxx.xxx.xxx.xxx:
received and ignored informational message<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 31 11:29:57 cju01u03router pluto[32128]: #3256: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>The error messages from the cisco side are below <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>30 2010 09:24:13: %ASA-5-713257: Phase 1 failure: Mismatched
attribute types for class Group Description: Rcv'd: Group 5 Cfg'd:
Group 2<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-5-713257: Phase 1 failure: Mismatched
attribute types for class Group Description: Rcv'd: Group 5 Cfg'd:
Group 2<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-5-713904: IP = 192.168.77.1, Received
encrypted packet with no matching SA, dropping<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-6-713172: Group = 192.168.77.1, IP =
192.168.77.1, Automatic NAT Detection Status: Remote end is NOT
behind a NAT device This end is NOT behind a NAT device<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-6-113009: AAA retrieved default group policy
(DfltGrpPolicy) for user = 192.168.77.1<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-5-713119: Group = 192.168.1.1, IP =
192.168.1.1, PHASE 1 COMPLETED<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-5-713904: Group = 192.168.1.1, IP =
192.168.1.1, <span class=apple-style-span><span style='background:#FFFF66'>All
IPSec SA proposals found unacceptable!</span></span><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-3-713902: Group = 192.168.1.1, IP =
192.168.1.1, QM FSM error (P2 struct &0x73b08de0, mess id 0xe7a6660d)!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-3-713902: Group = 192.168.1.1, IP =
192.168.1.1, Removing peer from correlator table failed, no match!<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-5-713259: Group = 192.168.1.1, IP =
192.168.1.1, Session is being torn down. Reason: Phase 2 Mismatch<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-4-113019: Group = 192.168.1.1, Username =
192.168.1.1, IP = 192.168.1.1, Session disconnected. Session Type: IKE,
Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:13: %ASA-5-713904: IP = 192.168.77.1, Received
encrypted packet with no matching SA, dropping<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Aug 30 2010 09:24:23: %ASA-5-713904: IP = 192.168.77.1, Received
encrypted packet with no matching SA, dropping<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoAutoSig><st1:PersonName w:st="on"><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>Daren Hickman</span></font></st1:PersonName><o:p></o:p></p>
<p class=MsoAutoSig><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Field Applications Engineer<o:p></o:p></span></font></p>
<p class=MsoAutoSig><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Ruggedcom<o:p></o:p></span></font></p>
<p class=MsoAutoSig><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>mobile 954-805-4948<o:p></o:p></span></font></p>
<p class=MsoAutoSig><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>desk 954-922-7975 x101<o:p></o:p></span></font></p>
<p class=MsoAutoSig><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
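<p class=MsoNormal>A small triage script, added here as an example and not part of the post above: it parses the pluto and ASA lines quoted in the message (embedded as sample input), pulls out the phase-1 DH group Openswan negotiated, the Quick Mode flags it offered (including PFS), the NO_PROPOSAL_CHOSEN notify, and the ASA 713257 attribute mismatch and 713904 rejection, and correlates them into findings. Function names are mine; the modp-to-IKE-group table is the standard IANA numbering.</p>

```python
import re
# Sample input: lines taken from the pluto and ASA entries quoted in the post above.
PLUTO_LOG = """\
Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1024}
Aug 31 11:29:46 cju01u03router pluto[32128]: #3258: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3257}
Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""
ASA_LOG = """\
Aug 30 2010 09:24:13: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Aug 30 2010 09:24:13: %ASA-5-713904: Group = 192.168.1.1, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
"""
# DH group names as pluto prints them -> IKE group numbers as the ASA prints them (IANA).
PLUTO_GROUP_TO_IKE = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

def parse_pluto(text):
    """Phase-1 parameters, Quick Mode flags and notify types from a pluto log."""
    out = {"phase1": {}, "qm_flags": [], "notifies": []}
    for line in text.splitlines():
        if m := re.search(r"ISAKMP SA established \{([^}]*)\}", line):
            out["phase1"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        if m := re.search(r"initiating Quick Mode (\S+) ", line):
            out["qm_flags"] = m.group(1).split("+")
        if m := re.search(r"informational payload, type (\w+)", line):
            out["notifies"].append(m.group(1))
    return out

def parse_asa(text):
    """Attribute mismatches (713257) and phase-2 rejection (713904) from an ASA IKE log."""
    out = {"mismatches": [], "phase2_rejected": False}
    for line in text.splitlines():
        if m := re.search(r"713257: .*class ([\w ]+?): Rcv'd: (.+?) Cfg'd: (.+)$", line):
            out["mismatches"].append((m.group(1), m.group(2).strip(), m.group(3).strip()))
        if "713904" in line and "proposals found unacceptable" in line:
            out["phase2_rejected"] = True
    return out

def diagnose(pluto, asa):
    """Correlate both sides into findings a responder can act on."""
    findings = []
    if "NO_PROPOSAL_CHOSEN" in pluto["notifies"] and asa["phase2_rejected"]:
        findings.append("peer rejected every phase-2 proposal offered by this initiator")
    if "PFS" in pluto["qm_flags"]:
        grp = PLUTO_GROUP_TO_IKE.get(pluto["phase1"].get("group"), "?")
        findings.append(f"Quick Mode offered PFS; phase-1 DH group was IKE group {grp}")
    for cls, rcvd, cfgd in asa["mismatches"]:
        findings.append(f"ASA mismatch on {cls}: received {rcvd}, configured {cfgd}")
    return findings
if __name__ == "__main__":
    for f in diagnose(parse_pluto(PLUTO_LOG), parse_asa(ASA_LOG)):
        print("-", f)
```

Run it against the real /var/log/auth.log and the ASA syslog when the tunnel is initiated from each side; the findings should only appear in the Openswan-initiated direction, which is what separates a proposal mismatch from a transient failure.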
</div>
</body>
</html>