[Openswan Users] OpenSWAN to PIX woes

arno van der walt vex0r2002 at hotmail.com
Tue Aug 17 22:41:41 CEST 2004


Hey guys

I'm testing something in my lab before putting it into production and I'm 
stuck.

From my debugs this must be an ipsec proposal issue but for the life of me 
everything looks fine.

I've been at this for 18 hours straight...so I'm possibly missing the 
obvious.

I have copied the ipsec.barf here ===> http://65.96.55.101/ipsec.barf

My pix is configured as follows:
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address FREESWAN-VPN
crypto map mymap 10 set pfs group2
crypto map mymap 10 set peer 10.5.1.2
crypto map mymap 10 set transform-set myset
crypto map mymap interface intf2
isakmp enable intf2
isakmp key ******** address 10.5.1.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp peer ip 10.5.1.2 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 5
isakmp policy 5 lifetime 28800
Here is an excerpt from the pix debug:

crypto_isakmp_process_block:src:10.5.1.2, dest:172.16.1.1 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2808959208

ISAKMP : Checking IPSec proposal 0

ISAKMP: transform 0, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-MD5IPSEC(validate_proposal): invalid transform proposal flags -- 0x4

ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-SHAIPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported

ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:10.5.1.2, dest:172.16.1.1 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting phase 2 (0/0)... mess_id 0xa76d50e8
crypto_isakmp_process_block:src:10.5.1.2, dest:172.16.1.1 spt:500 dpt:500
ISAKMP: phase 2 packet is a duplicate of a previous packet

Any help is appreciated!!! It must be the transform set...right? But what is 
wrong on it??? I'm stumped.

Thanks

Arno
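The debug excerpt above is a PIX quick-mode (phase 2) proposal check: each transform the peer offers is listed with its attributes, and the PIX glues its IPSEC(validate_proposal) verdict onto the end of the authenticator line. The following Python script is an added example, not code from this post, from Openswan or from Cisco; it parses that output, pulls out each transform and the reason the PIX gave for rejecting it, and then compares the cipher/authenticator pair against the names in the PIX transform-set so you can see whether the rejection is an algorithm mismatch or something else in the SA attributes (encapsulation mode, lifetime, PFS group). The PIX-name-to-debug-name mapping is an assumption made for this example, and the script does not try to interpret the numeric flags value.

```python
import re
from dataclasses import dataclass, field
from typing import Optional, List, Tuple

# Excerpt of "debug crypto isakmp" output taken from the post above. The
# "IPSEC(validate_proposal)" text really is printed on the same line as the
# authenticator attribute, so it is kept that way here.
PIX_DEBUG = """\
ISAKMP (0): processing SA payload. message ID = 2808959208
ISAKMP : Checking IPSec proposal 0
ISAKMP: transform 0, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-MD5IPSEC(validate_proposal): invalid transform proposal flags -- 0x4
ISAKMP (0): atts not acceptable. Next payload is 3
ISAKMP: transform 1, ESP_3DES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 28800
ISAKMP:      authenticator is HMAC-SHAIPSEC(validate_proposal): transform proposal (prot 3, trans 3, hmac_alg 2) not supported
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
"""

# PIX transform-set keywords -> the names the ISAKMP debug uses for the same
# algorithms. This mapping is an assumption for the example; only the entries
# needed to cover the post's configuration are listed.
PIX_CIPHER = {"esp-3des": "ESP_3DES", "esp-des": "ESP_DES", "esp-aes": "ESP_AES"}
PIX_AUTH = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}


@dataclass
class Transform:
    index: int
    cipher: str
    attrs: dict = field(default_factory=dict)
    rejection: Optional[str] = None


TRANSFORM_RE = re.compile(r"^ISAKMP: transform (\d+), (\S+)")
ENCAPS_RE = re.compile(r"encaps is (\d+)")
LIFE_TYPE_RE = re.compile(r"SA life type in (\w+)")
LIFE_DUR_RE = re.compile(r"SA life duration \(basic\) of (\d+)")
# Non-greedy algorithm name so that "HMAC-MD5IPSEC(...)" splits correctly.
AUTH_RE = re.compile(r"authenticator is ([A-Z0-9-]+?)(?:IPSEC\(validate_proposal\): (.*))?$")


def parse_quick_mode_debug(text: str) -> Tuple[List[Transform], bool]:
    """Parse PIX quick-mode debug lines.

    Returns the list of offered transforms (with attributes and the PIX's
    rejection reason, if any) and whether the SA as a whole was accepted.
    """
    transforms: List[Transform] = []
    current: Optional[Transform] = None
    sa_accepted = True
    for raw in text.splitlines():
        line = raw.strip()
        m = TRANSFORM_RE.match(line)
        if m:
            current = Transform(int(m.group(1)), m.group(2))
            transforms.append(current)
            continue
        if "SA not acceptable" in line:
            sa_accepted = False
            continue
        if current is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            current.attrs["encaps"] = int(m.group(1))
        m = LIFE_TYPE_RE.search(line)
        if m:
            current.attrs["life_type"] = m.group(1)
        m = LIFE_DUR_RE.search(line)
        if m:
            current.attrs["lifetime"] = int(m.group(1))
        m = AUTH_RE.search(line)
        if m:
            current.attrs["authenticator"] = m.group(1)
            if m.group(2):
                current.rejection = m.group(2).strip()
        if "atts not acceptable" in line and current.rejection is None:
            current.rejection = "atts not acceptable"
    return transforms, sa_accepted


def explain_rejections(transforms: List[Transform], pix_transform_set: List[str]):
    """Compare each offered transform with the PIX transform-set keywords.

    Returns (index, cipher, authenticator, rejection, verdict) per transform.
    """
    want_cipher = {PIX_CIPHER[n] for n in pix_transform_set if n in PIX_CIPHER}
    want_auth = {PIX_AUTH[n] for n in pix_transform_set if n in PIX_AUTH}
    report = []
    for t in transforms:
        auth = t.attrs.get("authenticator")
        algs_match = t.cipher in want_cipher and auth in want_auth
        if not algs_match:
            verdict = "cipher/auth do not match the PIX transform-set"
        elif t.rejection:
            verdict = ("cipher/auth match the PIX transform-set; look at the other SA "
                       "attributes (encaps mode, lifetime, PFS group) for the mismatch")
        else:
            verdict = "accepted"
        report.append((t.index, t.cipher, auth, t.rejection, verdict))
    return report


if __name__ == "__main__":
    ts, ok = parse_quick_mode_debug(PIX_DEBUG)
    print("SA accepted:", ok)
    for row in explain_rejections(ts, ["esp-3des", "esp-md5-hmac"]):
        print(row)
```

Run against the excerpt with the post's transform-set (esp-3des esp-md5-hmac), transform 0 comes out as an algorithm match that was still rejected, which tells you to stop staring at the cipher and hash and check the remaining SA attributes on both ends instead; transform 1 is reported as a plain algorithm mismatch (HMAC-SHA is not in the transform-set).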
