<br><font size=2 face="sans-serif">Hello,</font>
<br>
<br><font size=2 face="sans-serif">I want to realize a IPSEC tunnel between
a linux station and a cisco router 1900.</font>
<br><font size=2 face="sans-serif">But I have problems to connect the linux
openswan system to the cisco router 1900 because the STATE_QUICK_I1 step
is not ok.</font>
<br>
<br><font size=2 face="sans-serif">my network configuration</font>
<br><font size=2 face="sans-serif">=====================</font>
<br><font size=2 face="sans-serif">10.0.0.1 <--> 100.180.26.105 <==========>
100.180.26.106 <--> 11.0.0.1</font>
<br><font size=2 face="sans-serif">the linux station has 2 interfaces:
10.0.0.1 and 100.189.26.105</font>
<br><font size=2 face="sans-serif">the cisco router has 2 interfaces: 100.189.26.106
and 11.0.0.1</font>
<br>
<br><font size=2 face="sans-serif">the message error after a connection
attempt:</font>
<br><font size=2 face="sans-serif">======================================</font>
<br><font size=2 face="Courier New">root@sellin-HP-Compaq-dc7100-SFF-DX878AV:~#
ipsec auto --verbose --up jsat</font>
<br><font size=2 face="Courier New">002 "jsat" #1: initiating
Main Mode</font>
<br><font size=2 face="Courier New">104 "jsat" #1: STATE_MAIN_I1:
initiate</font>
<br><font size=2 face="Courier New">003 "jsat" #1: received Vendor
ID payload [RFC 3947] method set to=109 </font>
<br><font size=2 face="Courier New">002 "jsat" #1: enabling possible
NAT-traversal with method 4</font>
<br><font size=2 face="Courier New">002 "jsat" #1: transition
from state STATE_MAIN_I1 to state STATE_MAIN_I2</font>
<br><font size=2 face="Courier New">106 "jsat" #1: STATE_MAIN_I2:
sent MI2, expecting MR2</font>
<br><font size=2 face="Courier New">003 "jsat" #1: received Vendor
ID payload [Cisco-Unity]</font>
<br><font size=2 face="Courier New">003 "jsat" #1: received Vendor
ID payload [Dead Peer Detection]</font>
<br><font size=2 face="Courier New">003 "jsat" #1: ignoring unknown
Vendor ID payload [4d84a39fa030c5a5cc6e37f178f28f74]</font>
<br><font size=2 face="Courier New">003 "jsat" #1: received Vendor
ID payload [XAUTH]</font>
<br><font size=2 face="Courier New">003 "jsat" #1: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal): no NAT detected</font>
<br><font size=2 face="Courier New">002 "jsat" #1: transition
from state STATE_MAIN_I2 to state STATE_MAIN_I3</font>
<br><font size=2 face="Courier New">108 "jsat" #1: STATE_MAIN_I3:
sent MI3, expecting MR3</font>
<br><font size=2 face="Courier New">002 "jsat" #1: Main mode
peer ID is ID_IPV4_ADDR: '100.180.26.106'</font>
<br><font size=2 face="Courier New">002 "jsat" #1: transition
from state STATE_MAIN_I3 to state STATE_MAIN_I4</font>
<br><font size=2 face="Courier New">004 "jsat" #1: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}</font>
<br><font size=2 face="Courier New">002 "jsat" #2: initiating
Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:483a3931
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}</font>
<br><font size=2 face="Courier New">117 "jsat" #2: STATE_QUICK_I1:
initiate</font>
<br><font size=2 face="Courier New">010 "jsat" #2: STATE_QUICK_I1:
retransmission; will wait 20s for response</font>
<br><font size=2 face="Courier New">010 "jsat" #2: STATE_QUICK_I1:
retransmission; will wait 40s for response</font>
<br><font size=2 face="Courier New">031 "jsat" #2: max number
of retransmissions (2) reached STATE_QUICK_I1. No acceptable response
to our first Quick Mode message: perhaps peer likes no proposal</font>
<br><font size=2 face="Courier New">000 "jsat" #2: starting keying
attempt 2 of an unlimited number, but releasing whack</font>
<br><font size=2 face="Courier New">root@sellin-HP-Compaq-dc7100-SFF-DX878AV:~#
</font>
<br>
<br><font size=2 face="sans-serif">the /etc/ipsec.conf file</font>
<br><font size=2 face="sans-serif">==================</font>
<br><font size=2 face="Courier New"># This file: /usr/share/doc/openswan/ipsec.conf-sample</font>
<br><font size=2 face="Courier New">#</font>
<br><font size=2 face="Courier New"># Manual: ipsec.conf.5</font>
<br><font size=2 face="Courier New">version 2.0
# conforms to second version of ipsec.conf
specification</font>
<br><font size=2 face="Courier New"># basic configuration</font>
<br><font size=2 face="Courier New">config setup</font>
<br><font size=2 face="Courier New"> nat_traversal=yes</font>
<br><font size=2 face="Courier New"> oe=off</font>
<br><font size=2 face="Courier New"> protostack=netkey</font>
<br><font size=2 face="Courier New"> nhelpers=0</font>
<br>
<br><font size=2 face="Courier New"># Add connections here</font>
<br><font size=2 face="Courier New"># sample VPN connection</font>
<br><font size=2 face="Courier New"># for more examples, see /etc/ipsec.d/examples/</font>
<br><font size=2 face="Courier New">conn jsat</font>
<br><font size=2 face="Courier New"> left=100.180.26.105</font>
<br><font size=2 face="Courier New"> leftsubnet=10.0.0.0/24</font>
<br><font size=2 face="Courier New"> leftnexthop=100.180.26.106</font>
<br><font size=2 face="Courier New"> leftsourceip=10.0.0.1</font>
<br>
<br><font size=2 face="Courier New"> right=100.180.26.106</font>
<br><font size=2 face="Courier New"> rightsubnet=11.0.0.0/24</font>
<br><font size=2 face="Courier New"> rightsourceip=11.0.0.1</font>
<br><font size=2 face="Courier New"> rightnexthop=100.180.26.105</font>
<br><font size=2 face="Courier New"> auto=add</font>
<br><font size=2 face="Courier New"> ike=3des-md5</font>
<br><font size=2 face="Courier New"> phase2alg=3des-md5</font>
<br><font size=2 face="Courier New"> authby=secret</font>
<br>
<br><font size=2 face="sans-serif">/etc/ipsec.secrets file</font>
<br><font size=2 face="sans-serif">==================</font>
<br><font size=2 face="Courier New">100.180.26.105 100.180.26.106: PSK
"123456789"</font>
<br>
<br><font size=2 face="Courier New">on cisco the show running config</font>
<br><font size=2 face="Courier New">================================</font>
<br><font size=2 face="Courier New">Router#show running-config</font>
<br><font size=2 face="Courier New">Building configuration...</font>
<br><font size=2 face="Courier New">Current configuration : 1258 bytes</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">! Last configuration change at 12:48:49
UTC Thu Feb 10 2011</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">version 15.0</font>
<br><font size=2 face="Courier New">service timestamps debug datetime msec</font>
<br><font size=2 face="Courier New">service timestamps log datetime msec</font>
<br><font size=2 face="Courier New">no service password-encryption</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">hostname Router</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">boot-start-marker</font>
<br><font size=2 face="Courier New">boot-end-marker</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">no aaa new-model</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">no ipv6 cef</font>
<br><font size=2 face="Courier New">ip source-route</font>
<br><font size=2 face="Courier New">ip cef</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">multilink bundle-name authenticated</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">license udi pid CISCO1941/K9 sn FHK1447783T</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">redundancy</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">crypto isakmp policy 1</font>
<br><font size=2 face="Courier New"> encr 3des</font>
<br><font size=2 face="Courier New"> hash md5</font>
<br><font size=2 face="Courier New"> authentication pre-share</font>
<br><font size=2 face="Courier New"> group 2</font>
<br><font size=2 face="Courier New">crypto isakmp key 123456789 address
100.180.26.105</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">crypto ipsec transform-set openswan
esp-3des esp-md5-hmac</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">crypto map openswan 10 ipsec-isakmp</font>
<br><font size=2 face="Courier New"> set peer 100.180.26.105</font>
<br><font size=2 face="Courier New"> set transform-set openswan</font>
<br><font size=2 face="Courier New"> match address 100</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">interface GigabitEthernet0/0</font>
<br><font size=2 face="Courier New"> description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE
0/0$</font>
<br><font size=2 face="Courier New"> ip address 11.0.0.1 255.255.255.0</font>
<br><font size=2 face="Courier New"> duplex auto</font>
<br><font size=2 face="Courier New"> speed auto</font>
<br><font size=2 face="Courier New"> !</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">interface GigabitEthernet0/1</font>
<br><font size=2 face="Courier New"> ip address 100.180.26.106 255.255.255.0</font>
<br><font size=2 face="Courier New"> duplex auto</font>
<br><font size=2 face="Courier New"> speed auto</font>
<br><font size=2 face="Courier New"> crypto map openswan</font>
<br><font size=2 face="Courier New"> !</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">ip forward-protocol nd</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">no ip http server</font>
<br><font size=2 face="Courier New">no ip http secure-server</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">access-list 100 permit ip 10.0.0.0
0.0.0.255 11.0.0.0 0.0.0.255</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">control-plane</font>
<br><font size=2 face="Courier New"> !</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">line con 0</font>
<br><font size=2 face="Courier New">line aux 0</font>
<br><font size=2 face="Courier New">line vty 0 4</font>
<br><font size=2 face="Courier New"> login</font>
<br><font size=2 face="Courier New">!</font>
<br><font size=2 face="Courier New">scheduler allocate 20000 1000</font>
<br><font size=2 face="Courier New">end</font>
<br>
<br><font size=2 face="sans-serif">on cisco the result of show crypto isakmp
sa detail</font>
<br><font size=2 face="sans-serif">===========================================</font>
<br><font size=2 face="sans-serif">Router#show crypto isakmp sa detail</font>
<br><font size=2 face="sans-serif">Codes: C - IKE configuration mode, D
- Dead Peer Detection</font>
<br><font size=2 face="sans-serif"> K - Keepalives,
N - NAT-traversal</font>
<br><font size=2 face="sans-serif"> T - cTCP
encapsulation, X - IKE Extended Authentication</font>
<br><font size=2 face="sans-serif"> psk - Preshared
key, rsig - RSA signature</font>
<br><font size=2 face="sans-serif"> renc - RSA
encryption</font>
<br><font size=2 face="sans-serif">IPv4 Crypto ISAKMP SA</font>
<br><font size=2 face="sans-serif">C-id Local
Remote I-VRF Status
Encr Hash Auth DH Lifetime Cap.</font>
<br><font size=2 face="sans-serif">1004 100.180.26.106 100.180.26.105
ACTIVE 3des md5 psk 2 00:19:39</font>
<br><font size=2 face="sans-serif"> Engine-id:Conn-id
= SW:4</font>
<br><font size=2 face="sans-serif">IPv6 Crypto ISAKMP SA</font>
<br>
<br><font size=2 face="sans-serif">on cisco the result of show crypto ipsec
sa</font>
<br><font size=2 face="sans-serif">====================================</font>
<br><font size=2 face="sans-serif">Router#show crypto ipsec sa</font>
<br><font size=2 face="sans-serif">interface: GigabitEthernet0/1</font>
<br><font size=2 face="sans-serif"> Crypto map tag: openswan,
local addr 100.180.26.106</font>
<br><font size=2 face="sans-serif"> protected vrf: (none)</font>
<br><font size=2 face="sans-serif"> local ident (addr/mask/prot/port):
(10.0.0.0/255.255.255.0/0/0)</font>
<br><font size=2 face="sans-serif"> remote ident (addr/mask/prot/port):
(11.0.0.0/255.255.255.0/0/0)</font>
<br><font size=2 face="sans-serif"> current_peer 100.180.26.105
port 500</font>
<br><font size=2 face="sans-serif"> PERMIT, flags={origin_is_acl,}</font>
<br><font size=2 face="sans-serif"> #pkts encaps: 0, #pkts
encrypt: 0, #pkts digest: 0</font>
<br><font size=2 face="sans-serif"> #pkts decaps: 0, #pkts
decrypt: 0, #pkts verify: 0</font>
<br><font size=2 face="sans-serif"> #pkts compressed: 0, #pkts
decompressed: 0</font>
<br><font size=2 face="sans-serif"> #pkts not compressed:
0, #pkts compr. failed: 0</font>
<br><font size=2 face="sans-serif"> #pkts not decompressed:
0, #pkts decompress failed: 0</font>
<br><font size=2 face="sans-serif"> #send errors 0, #recv
errors 0</font>
<br><font size=2 face="sans-serif"> local crypto endpt.:
100.180.26.106, remote crypto endpt.: 100.180.26.105</font>
<br><font size=2 face="sans-serif"> path mtu 1500, ip
mtu 1500, ip mtu idb GigabitEthernet0/1</font>
<br><font size=2 face="sans-serif"> current outbound
spi: 0x0(0)</font>
<br><font size=2 face="sans-serif"> PFS (Y/N): N, DH
group: none</font>
<br><font size=2 face="sans-serif"> inbound esp sas:</font>
<br><font size=2 face="sans-serif"> inbound ah sas:</font>
<br><font size=2 face="sans-serif"> inbound pcp sas:</font>
<br><font size=2 face="sans-serif"> outbound esp sas:</font>
<br><font size=2 face="sans-serif"> outbound ah sas:</font>
<br><font size=2 face="sans-serif"> outbound pcp sas:</font>
<br>
<br><font size=2 face="sans-serif">the software and os versions</font>
<br><font size=2 face="sans-serif">========================</font>
<br><font size=2 face="sans-serif">-linux: xubuntu 10.10</font>
<br><font size=2 face="sans-serif"># uname --a </font>
<br><font size=2 face="sans-serif">Linux sellin-HP-Compaq-dc7100-SFF-DX878AV
2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux</font>
<br><font size=2 face="sans-serif">-openswan: 2.6.26+dfsg-1</font>
<br><font size=2 face="sans-serif">-Cisco IOS Software, C1900 Software
(C1900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1)</font>
<br>
<br><font size=2 face="sans-serif">Can you help me please.</font>
<br><font size=2 face="sans-serif">regards,</font>
<br>
<br><font size=2 face="sans-serif">Maurice Sellin<br>
DCNS Ingenierie Navires Armes<br>
(33) 02 97 12 23 31</font><PRE><PRE>
<font face="sans-serif">
<table border=0 width=100%>
<tr><td><p lang="fr" style="color:green;font-size:x-small">Pensez à l'environnement : avez-vous besoin d'imprimer ce message ?</p></td></tr>
<tr><td><p lang-"en" style="color:green;font-size:x-small">Think environment : Do you need to print message ?</p></td></tr>
<tr><td><p lang="en" style="color:white;font-size:x-small">.</p></td></tr>
<tr><td><p lang="fr" style="font-size:x-small">Ce courrier électronique, et éventuellement ses pièces jointes, peuvent contenir des informations confidentielles et/ou personnelles et a été envoyé uniquement à l'usage de la personne ou de l'entité citée ci-dessus. Si vous receviez ce courrier électronique par erreur, merci de bien vouloir en avertir l'expéditeur immédiatement par la réponse en retour à ce courrier et effacer l'original et détruire toute copie enregistrée dans un ordinateur, ou imprimée ou encore sauvegardée sur un disque . Toute revue, retransmission ou toute autre forme d'utilisation de ce courrier électronique par toute autre personne que le destinataire prévue est strictement interdite.</p></td></tr>
<tr><td><p lang="fr" style="font-size:x-small">L'internet ne permettant pas d'assurer l'intégrité de ce message, l'expéditeur décline toute responsabilité au cas où il aurait été intercepté ou modifié par quiconque.</p></td></tr>
<tr><td><p lang="en" style="font-size:x-small">This e-mail and possibly any attachment may contain confidential and/or privileged information and is intended only for the use of the individual or entity named above. If you have received it in error, please advise the sender immediately by reply e-mail and delete and destroy all copies including all copies stored in the recipient's computer, printed or saved to disk. . Any review , retransmission, or further use of this e-mail by persons or entities other than the intended recipient is strictly prohibited.</p></td></tr>
<tr><td><p lang="en" style="font-size:x-small">Because of the nature of the Internet the sender is not in a position to ensure the integrity of this message, therefore the sender disclaims any liability whatsoever, in the event of this message having been intercepted and/or altered.</p></td></tr>
</table>
</font>
</PRE>
</PRE>