[Openswan Users] Setup hangs on 'STATE_QUICK_I1: initiate'
Bruno Diniz
bruno.diniz at gmail.com
Tue Dec 6 16:35:31 CET 2005
Hi,
I'm trying to configure a road warrior node to access a private network
whose router I administer. My laptop is running openswan 2.4.0 and the
router has openswan 2.2.0. I configured both ends, but when I start the
connection, it gives me the following output and hangs:
root@amilcar:/etc# ipsec auto --verbose --up road-lcc-cluster64
002 "road-lcc-cluster64" #7: initiating Main Mode
104 "road-lcc-cluster64" #7: STATE_MAIN_I1: initiate
002 "road-lcc-cluster64" #7: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "road-lcc-cluster64" #7: STATE_MAIN_I2: sent MI2, expecting MR2
002 "road-lcc-cluster64" #7: I did not send a certificate because I do not have one.
002 "road-lcc-cluster64" #7: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "road-lcc-cluster64" #7: STATE_MAIN_I3: sent MI3, expecting MR3
002 "road-lcc-cluster64" #7: Main mode peer ID is ID_FQDN: '@cluster64.speed.dcc.ufmg.br'
002 "road-lcc-cluster64" #7: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "road-lcc-cluster64" #7: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
002 "road-lcc-cluster64" #8: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#7}
117 "road-lcc-cluster64" #8: STATE_QUICK_I1: initiate
010 "road-lcc-cluster64" #8: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "road-lcc-cluster64" #8: STATE_QUICK_I1: retransmission; will wait 40s for response
The two ipsec.conf files follow:
---> In the road warrior node (my laptop, for instance):
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.1 2005/07/26 12:28:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # interfaces=%defaultroute
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg:
    # plutodebug="control parsing"
    #
    # Only enable klipsdebug=all if you are a developer
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    # nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
conn road-lcc-cluster64
    left=%defaultroute
    leftid=@diniz.amilcar.lcc.ufmg.br
    leftrsasigkey=...
    right=150.164.254.225
    rightsubnet=192.168.64.0/24
    rightid=@cluster64.speed.dcc.ufmg.br
    rightrsasigkey=...
    rightnexthop=%defaultroute
    authby=rsasig
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
---> In the gateway:
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # interfaces=%defaultroute
    # nat_traversal=yes
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
conn road-lcc-cluster64
    left=150.164.254.225
    leftsubnet=192.168.64.0/24
    leftid=@cluster64.speed.dcc.ufmg.br
    leftrsasigkey=...
    leftnexthop=%defaultroute
    right=%any
    rightnexthop=%defaultroute
    rightid=@diniz.amilcar.lcc.ufmg.br
    rightrsasigkey=...
    authby=rsasig
    auto=add
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Thanks a lot,
Bruno.
--
Bruno Diniz de Paula
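
Added example (not part of the original post and not Openswan code): a small Python triage of the `ipsec auto --up` output quoted in the message, reporting for each SA serial (#7, #8) its IKE phase, last state, whether it was established, and how many retransmissions were logged. The sample is the post's own output with wrapped lines rejoined; the function and field names are hypothetical.

```python
import re

# Constructed sample: the pluto status lines from the post, wrapped lines rejoined.
SAMPLE = """\
104 "road-lcc-cluster64" #7: STATE_MAIN_I1: initiate
106 "road-lcc-cluster64" #7: STATE_MAIN_I2: sent MI2, expecting MR2
108 "road-lcc-cluster64" #7: STATE_MAIN_I3: sent MI3, expecting MR3
004 "road-lcc-cluster64" #7: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
002 "road-lcc-cluster64" #8: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#7}
117 "road-lcc-cluster64" #8: STATE_QUICK_I1: initiate
010 "road-lcc-cluster64" #8: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "road-lcc-cluster64" #8: STATE_QUICK_I1: retransmission; will wait 40s for response
"""

# status code, connection name, SA serial number, state name, free-text detail
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (STATE_[A-Z0-9_]+): (.*)$')

def triage(text):
    """Summarise each SA (keyed by its #N serial) seen in the output."""
    sas = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # informational lines that carry no state name
        _code, conn, serial, state, detail = m.groups()
        sa = sas.setdefault(int(serial), {"conn": conn, "retransmits": 0,
                                          "established": False})
        sa["state"] = state
        # Quick Mode is IKE phase 2; Main (or Aggressive) Mode is phase 1.
        sa["phase"] = 2 if state.startswith("STATE_QUICK") else 1
        if detail.startswith("retransmission"):
            sa["retransmits"] += 1
        if "SA established" in detail:
            sa["established"] = True
    for sa in sas.values():
        # Stalled: the initiator keeps resending and the SA never came up.
        sa["stalled"] = sa["retransmits"] > 0 and not sa["established"]
    return sas

def report(text):
    """One human-readable line per SA, ordered by serial number."""
    out = []
    for serial, sa in sorted(triage(text).items()):
        status = "established" if sa["established"] else (
            "STALLED" if sa["stalled"] else "in progress")
        out.append(f'#{serial} phase {sa["phase"]} {sa["state"]}: {status}, '
                   f'{sa["retransmits"]} retransmission(s)')
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```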