[Openswan Users] Nat-t Openswan

Paul Wouters paul at xelerance.com
Tue Apr 20 23:51:32 CEST 2004


On 20 Apr 2004, Filipe Mota wrote:

> 002 "fromnat" #5: ISAKMP SA established
> 004 "fromnat" #5: STATE_MAIN_I4: ISAKMP SA established
> 002 "fromnat" #6: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
> 122 "fromnat" #6: STATE_QUICK_I1: initiate
> 010 "fromnat" #6: STATE_QUICK_I1: retransmission; will wait 20s for
> response
> 010 "fromnat" #6: STATE_QUICK_I1: retransmission; will wait 40s for
> response
> 031 "fromnat" #6: max number of retransmissions (2) reached
> STATE_QUICK_I1.  No acceptable response to our first Quick Mode message:
> perhaps peer likes no proposal

The other side doesn't like the offer.
 
> 000 "tonat"[2]:
> 192.168.39.0/24===212.13.39.72:4500...212.13.39.71:4500[192.168.40.132]===?
> 000 "tonat"[2]:   CAs: '%any'...'%any'
> 000 "tonat"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "tonat"[2]:   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth1;
> unrouted
> 000 "tonat"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute
> owner: #0
> 000 "tonat"[2]:   IKE algorithms wanted: 5_000-1-5, 5_000-2-5,
> 5_000-1-2, 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
> 000 "tonat"[2]:   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5,
> 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
> 000 "tonat"[2]:   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 "tonat"[2]:   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
> 000 "tonat"[2]:   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
> 000 "tonat": 192.168.39.0/24===212.13.39.72...%virtual
> 000 "tonat":   CAs: '%any'...'%any'
> 000 "tonat":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 1
> 000 "tonat":   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth1; unrouted
> 000 "tonat":   newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner:
> #0
> 000 "tonat":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2,
> 5_000-2-2, 5_000-1-1, 5_000-2-1, flags=-strict
> 000 "tonat":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5,
> 5_192-1_128-2, 5_192-2_160-2, 5_192-1_128-1, 5_192-2_160-1,
> 000 "tonat":   ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
> 000 "tonat":   ESP algorithms loaded: 3_168-1_128, 3_168-2_160,
> 000
> 000 #1: "tonat"[2] 212.13.39.71:4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 3231s; newest ISAKMP

I don't see the error where it denies the offer. 

It is probably better to make an "ipsec barf"; this will contain all the
configuration information and a complete log of the error. This would be
needed from both sides (WITHOUT plutodebug or klipsdebug!!!!!). Put them
on a website, and give us a URL to it.

Paul