If I uncomment compress=yes, the VPN is not established and I get this:<div><br></div><div><div>002 "vpn-name" #17749880: initiating Main Mode</div><div>104 "vpn-name" #17749880: STATE_MAIN_I1: initiate</div>
<div>003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [0048e2270bea8395ed778d343cc2a076]</div><div>003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [5cbeb399eb835a7d7a2eb495905db061]</div>
<div>003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]</div><div>003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 </div>
<div>003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108</div><div>003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108</div>
<div>003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</div><div>003 "vpn-name" #17749880: received Vendor ID payload [XAUTH]</div><div>003 "vpn-name" #17749880: received Vendor ID payload [Dead Peer Detection]</div>
<div>002 "vpn-name" #17749880: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05</div><div>002 "vpn-name" #17749880: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</div>
<div>106 "vpn-name" #17749880: STATE_MAIN_I2: sent MI2, expecting MR2</div><div>003 "vpn-name" #17749880: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed</div><div>002 "vpn-name" #17749880: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</div>
<div>108 "vpn-name" #17749880: STATE_MAIN_I3: sent MI3, expecting MR3</div><div>002 "vpn-name" #17749880: Main mode peer ID is ID_IPV4_ADDR: 'public-ip-B'</div><div>002 "vpn-name" #17749880: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</div>
<div>004 "vpn-name" #17749880: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}</div><div>002 "vpn-name" #17749883: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#17749880 msgid:dc40bc72 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}</div>
<div>117 "vpn-name" #17749883: STATE_QUICK_I1: initiate</div><div>003 "vpn-name" #17749883: You should NOT use insecure ESP algorithms [ESP_NULL (0)]!</div><div>003 "vpn-name" #17749883: ERROR: netlink response for Add SA comp.51750002@public-ip-B included errno 22: Invalid argument</div>
<div>032 "vpn-name" #17749883: STATE_QUICK_I1: internal error</div><div>003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1</div><div>003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1</div>
<div>003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1</div><div><br></div><div>Regards</div><div><br><div class="gmail_quote">2011/7/12 SCHNEIDER Benoit <span dir="ltr"><<a href="mailto:ton.ami.totoro@gmail.com">ton.ami.totoro@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Hi, thanks for your answer.<div><br></div><div>We commented out "compress=yes" but we still have the message.</div>
<div>Actually we have this message too: failed to install outgoing SA: 0</div><div><br></div><div>The VPN goes up, but after a short time the second phase falls and we need to restart the VPN.</div>
<div><br></div><div>Example of conf files:</div><div><br></div><div><div>conn vpn-name</div><div> auth=esp</div><div> ike=aes128-md5-modp1024</div><div> authby=secret</div><div> auto=route</div>
<div> #compress=no</div><div> pfs=no</div><div> type=tunnel</div><div> keylife=24h</div><div> esp=null-md5</div><div> left=public-ip-A</div><div> leftid=public-ip-A</div><div>
leftsubnet=subnet-A</div><div> right=public-ip-B</div><div> rightid=public-ip-B</div><div> rightsubnet=subnet-B</div></div><div><br></div><div>/etc/ipsec.d/examples/no_oe.conf</div><div><br></div>
<div><div>conn block </div><div> auto=ignore</div><div><br></div><div>conn private </div><div> auto=ignore</div><div><br></div><div>conn private-or-clear </div><div> auto=ignore</div><div><br></div><div>conn clear-or-private </div>
<div> auto=ignore</div><div><br></div><div>conn clear </div><div> auto=ignore</div><div><br></div><div>conn packetdefault </div><div> auto=ignore</div></div><div><br></div><div>/etc/ipsec.conf</div><div><br></div>
<div><div># /etc/ipsec.conf - Openswan IPsec configuration file</div><div># RCSID $Id: <a href="http://ipsec.conf.in" target="_blank">ipsec.conf.in</a>,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $</div><div><br></div><div># This file: /usr/share/doc/openswan/ipsec.conf-sample</div>
<div>#</div><div># Manual: ipsec.conf.5</div><div><br></div><div><br></div><div>version 2.0 # conforms to second version of ipsec.conf specification</div><div><br></div><div># basic configuration</div><div>config setup</div>
<div> forwardcontrol=yes</div><div> nat_traversal=yes</div><div> uniqueids=no</div><div> nhelpers=0</div><div><br></div><div># Add connections here</div><div><br></div><div># sample VPN connections, see /etc/ipsec.d/examples/</div>
<div><br></div><div>#Disable Opportunistic Encryption</div><div>include /etc/ipsec.d/examples/no_oe.conf</div><div><br></div><div>include /etc/ipsec.d/sites/*.conf</div></div><div><br></div><div><br></div><div>ipsec.secrets</div>
<div><br></div><div>public-ip-A public-ip-B : PSK "passkey"</div><div><br></div><div>lsmod:</div><div><br></div><div><div>Module Size Used by</div><div>xfrm_user 16134 2 </div><div>
ah6 3677 0 </div><div>ah4 3011 0 </div><div>esp6 3781 0 </div><div>xfrm4_mode_beet 1519 0 </div><div>xfrm4_tunnel 1201 0 </div><div>xfrm4_mode_transport 982 0 </div>
<div>xfrm6_mode_transport 1002 0 </div><div>xfrm6_mode_ro 870 0 </div><div>xfrm6_mode_beet 1358 0 </div><div>ipcomp 1356 0 </div><div>ipcomp6 1336 0 </div><div>
xfrm6_tunnel 4033 1 ipcomp6</div><div>af_key 23286 0 </div><div>esp4 3985 3504 </div><div>xfrm4_mode_tunnel 1264 7008 </div><div>xfrm6_mode_tunnel 1196 3504 </div>
<div>iptable_filter 1790 0 </div><div>ip_tables 7706 1 iptable_filter</div><div>x_tables 8327 1 ip_tables</div><div>authenc 4746 3504 </div><div>deflate 1315 0 </div>
<div>zlib_deflate 15822 1 deflate</div><div>ctr 2703 0 </div><div>camellia 16843 0 </div><div>cast5 15593 0 </div><div>rmd160 9448 0 </div>
<div>sha1_generic 1395 0 </div><div>hmac 2033 7008 </div><div>crypto_null 1876 3504 </div><div>tunnel4 1469 1 xfrm4_tunnel</div><div>xfrm_ipcomp 2855 2 ipcomp,ipcomp6</div>
<div>tunnel6 1364 1 xfrm6_tunnel</div><div>rng_core 2178 0 </div><div>ccm 6017 0 </div><div>serpent 16187 0 </div><div>blowfish 7252 0 </div>
<div>twofish 5665 0 </div><div>twofish_common 12560 1 twofish</div><div>ecb 1405 0 </div><div>xcbc 1925 0 </div><div>cbc 2047 0 </div>
<div>sha256_generic 10748 0 </div><div>sha512_generic 8009 0 </div><div>des_generic 15027 0 </div><div>aes_i586 6816 0 </div><div>aes_generic 25738 1 aes_i586</div>
<div>loop 9729 0 </div><div>radeon 511356 0 </div><div>ttm 33258 1 radeon</div><div>drm_kms_helper 18533 1 radeon</div><div>drm 111844 3 radeon,ttm,drm_kms_helper</div>
<div>i3200_edac 2311 0 </div><div>i2c_i801 6462 0 </div><div>container 1833 0 </div><div>i2c_algo_bit 3497 1 radeon</div><div>i2c_core 12751 5 radeon,drm_kms_helper,drm,i2c_i801,i2c_algo_bit</div>
<div>edac_core 23121 2 i3200_edac</div><div>snd_pcm 47226 0 </div><div>snd_timer 12258 1 snd_pcm</div><div>snd 34387 2 snd_pcm,snd_timer</div><div>soundcore 3450 1 snd</div>
<div>snd_page_alloc 4977 1 snd_pcm</div><div>pcspkr 1207 0 </div><div>evdev 5609 2 </div><div>parport_pc 15799 0 </div><div>parport 22554 1 parport_pc</div>
<div>button 3598 0 </div><div>shpchp 21220 0 </div><div>pci_hotplug 18065 1 shpchp</div><div>video 14605 0 </div><div>output 1204 1 video</div>
<div>psmouse 44777 0 </div><div>serio_raw 2916 0 </div><div>processor 26259 0 </div><div>ext3 93944 6 </div><div>jbd 31965 1 ext3</div><div>
mbcache 3762 1 ext3</div><div>sd_mod 25937 8 </div><div>crc_t10dif 1012 1 sd_mod</div><div>usbhid 27872 0 </div><div>hid 50841 1 usbhid</div>
<div>uhci_hcd 15989 0 </div><div>ata_generic 2247 0 </div><div>ata_piix 17704 0 </div><div>it8213 1996 0 </div><div>floppy 40923 0 </div><div>
ide_core 59306 1 it8213</div>
<div>3w_xxxx 18465 7 </div><div>libata 115617 2 ata_generic,ata_piix</div><div>thermal 9206 0 </div><div>thermal_sys 9378 3 video,processor,thermal</div><div>
scsi_mod 104593 3 sd_mod,3w_xxxx,libata</div>
<div>ehci_hcd 28453 0 </div><div>e1000e 97529 0 </div><div>usbcore 98613 4 usbhid,uhci_hcd,ehci_hcd</div><div>nls_base 4541 1 usbcore</div></div><div><br></div>
<div>Thanks for helping.</div><div><br></div><font color="#888888"><div>Benoit</div></font><div><div></div><div class="h5"><div><br><div class="gmail_quote">2011/7/12 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div></div><div>On Mon, 11 Jul 2011, SCHNEIDER Benoit wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
At my office we did an upgrade from a Debian etch Openswan version to a squeeze one, and we are still having some problems.<br>
For some distant sites we have this error:<br>
<br>
ERROR: netlink response for Add SA comp.9005@XX.XX.XX.XX included errno 22: Invalid argument<br>
add_sa ipcomp failed<br>
<br>
Any idea about this problem?<br>
<br>
We seem to have an MTU problem too, any idea?<br>
</blockquote>
<br></div></div>
Looks like a kernel with no ipcomp module loaded?<br>
<br>
Comment out compress=yes ?<br><font color="#888888">
<br>
Paul</font></blockquote></div>
</div>
</div></div></blockquote></div>
</div></div>
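Added example (not part of the original thread and not Openswan code): a small triage script over the pluto lines quoted above, grouping them by state serial to show that phase 1 completes and that the failure is the kernel refusing the IPComp (`comp.`) SA during Quick Mode. The function name `triage` and the wording of the findings are assumptions made for this example.

```python
import errno
import re
from collections import defaultdict

# Lines copied from the pluto output quoted in the thread (not new data).
SAMPLE = """\
002 "vpn-name" #17749880: initiating Main Mode
004 "vpn-name" #17749880: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
002 "vpn-name" #17749883: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#17749880 msgid:dc40bc72 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}
117 "vpn-name" #17749883: STATE_QUICK_I1: initiate
003 "vpn-name" #17749883: You should NOT use insecure ESP algorithms [ESP_NULL (0)]!
003 "vpn-name" #17749883: ERROR: netlink response for Add SA comp.51750002@public-ip-B included errno 22: Invalid argument
032 "vpn-name" #17749883: STATE_QUICK_I1: internal error
"""

LINE = re.compile(r'^\d{3} "([^"]+)" #(\d+): (.*)$')
NETLINK = re.compile(r"netlink response for (\w+) SA (\w+)\.(\w+)@(\S+) included errno (\d+)")
SA_KIND = {"esp": "ESP", "ah": "AH", "comp": "IPComp"}  # prefix of the SA name

def triage(text):
    """Group pluto lines by (connection, state serial) and collect findings."""
    sas = defaultdict(lambda: {"phase": None, "policy": [], "established": False, "findings": []})
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        conn, serial, msg = m.groups()
        sa = sas[(conn, int(serial))]
        if msg.startswith("initiating Main Mode"):
            sa["phase"] = 1
        elif msg.startswith("initiating Quick Mode"):
            sa["phase"] = 2
            sa["policy"] = msg.split()[3].split("+")  # e.g. PSK+ENCRYPT+COMPRESS+...
        if "SA established" in msg:
            sa["established"] = True
        if "ESP_NULL" in msg:
            sa["findings"].append("ESP_NULL proposed: tunnel payload is not encrypted")
        k = NETLINK.search(msg)
        if k:  # the kernel (netlink/XFRM) refused an SA that pluto tried to install
            op, kind, _spi, peer, code = k.groups()
            sa["findings"].append("kernel rejected %s of %s SA to %s: %s" % (
                op, SA_KIND.get(kind, kind), peer, errno.errorcode.get(int(code), code)))
    return dict(sas)

if __name__ == "__main__":
    for (conn, serial), sa in sorted(triage(SAMPLE).items()):
        print(conn, serial, "phase", sa["phase"], "established" if sa["established"] else "NOT established")
        for f in sa["findings"]:
            print("   -", f)
```
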