[Openswan Users] OpenSWAN to PIX woes
arno van der walt
vex0r2002 at hotmail.com
Tue Aug 17 22:41:41 CEST 2004
Hey guys
I'm testing something in my lab before putting it into production and I'm
stuck.
From my debugs this must be an ipsec proposal issue but for the life of me
everything looks fine.
I've been at this for 18 hours straight...so I'm possibly missing the
obvious.
I have copied the ipsec.barf here ===> http://65.96.55.101/ipsec.barf
My pix is configured as follows:
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address FREESWAN-VPN
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 10.5.1.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface intf2
isakmp enable intf2
isakmp key ******** address 10.5.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp peer ip 10.5.1.2 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
Here is an excerpt from the pix debug:
1
crypto_isakmp_process_block:src:10.5.1.2, dest:172.16.1.1 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2808959208
ISAKMP : Checking IPSec proposal 0
ISAKMP: transform 0, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid transform proposal flags -- 0x4
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 1, ESP_3DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:10.5.1.2, dest:172.16.1.1 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xa76d50e8
crypto_isakmp_process_block:src:10.5.1.2, dest:172.16.1.1 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
Any help is appreciated!!! It must be the transform set...right? But what is
wrong with it??? I'm stumped.
Thanks
Arno
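
Added example, not part of the original post: a Python sketch that parses the Quick Mode part of the PIX debug excerpt above and compares each offered transform with the configured transform-set. The function names, the abridged sample log, and the mapping of `esp-3des esp-md5-hmac` to the debug names `ESP_3DES` / `HMAC-MD5` are assumptions of this example.

```python
import re

# Constructed from the debug excerpt in the post (abridged, wrapped lines rejoined).
PIX_DEBUG = """\
ISAKMP : Checking IPSec proposal 0
ISAKMP: transform 0, ESP_3DES
ISAKMP: authenticator is HMAC-MD5IPSEC(validate_proposal): invalid transform proposal flags -- 0x4
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 1, ESP_3DES
ISAKMP: authenticator is HMAC-SHAIPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
"""

# "crypto ipsec transform-set myset esp-3des esp-md5-hmac" from the post, written
# with the names the debug output uses (this mapping is an assumption of the example).
CONFIGURED = {"cipher": "ESP_3DES", "auth": "HMAC-MD5"}
SPLIT = "IPSEC(validate_proposal): "

def parse_transforms(debug):
    """Return one dict per transform offered in the Quick Mode SA payload."""
    transforms = []
    for line in debug.splitlines():
        # In the excerpt the IPSEC(...) verdict is fused onto the ISAKMP line.
        isakmp, _, verdict = line.partition(SPLIT)
        m = re.match(r"ISAKMP: transform (\d+), (\S+)", isakmp)
        if m:
            transforms.append({"id": int(m.group(1)), "cipher": m.group(2),
                               "auth": None, "reason": None})
        elif transforms:
            a = re.match(r"ISAKMP: authenticator is (\S+)", isakmp)
            if a:
                transforms[-1]["auth"] = a.group(1)
            if verdict:
                transforms[-1]["reason"] = verdict.strip()
    return transforms

def report(debug=PIX_DEBUG, configured=CONFIGURED):
    """Pair each offer with whether its cipher/hash equal the transform-set."""
    rows = []
    for t in parse_transforms(debug):
        same = (t["cipher"], t["auth"]) == (configured["cipher"], configured["auth"])
        rows.append((t["id"], t["auth"], "match" if same else "differs", t["reason"]))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```

Transform 0 already equals the transform-set in cipher and hash, so the `flags -- 0x4` rejection concerns some other Quick Mode attribute that the excerpt does not name. Transform 1 differs from `myset` only in its HMAC-SHA authenticator.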