[Openswan Users] CISCO heartburn
Jeff Herring
jeffh at sldsi.com
Fri Jan 28 18:07:37 CET 2005
Apologies if this has been asked here; I have found no answers in the archives...
I've updated to 2.3 / patched a 2.4.29 kernel / I have 30 tunnels working except 2,
which both have Cisco equipment and give this error when connecting... Other Cisco
equipment works. Other non-Cisco stuff works...
protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
I've tried...leftprotoport=17/500 & rightprotoport=17/500 with no luck...
from ipsec.conf....(Sanitized slightly)
version 2
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        interfaces="%defaultroute"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        #plutoload=%none
        #plutostart=%none
        uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # RSA authentication with keys from DNS.
        keylife=8h
        ikelifetime=8h
        rekeymargin=1m
        rekeyfuzz=0%
        right=xxx.xxx.xxx.xxx          <- hidden; actual values are in file
        rightnexthop=xxx.xxx.xxx.xxx   <- hidden; actual values are in file
        auth=esp
        esp=3des-md5-96
        disablearrivalcheck=no

conn kilb-tun
        also=kilbcommon
        type=tunnel
        leftsubnet=172.17.18.0/24
        rightsubnet=10.100.0.0/16
        auto=add

conn kilbcommon
        left=216.12.345.678
        leftupdown=/usr/local/lib/ipsec/ipsecupdown
        #
        authby=secret
        auth=esp
        compress=no
        esp=3des-md5-96
        pfs=no
[root at slug etc]# uname -r
2.4.29
[root at slug etc]# ipsec --version
Linux Openswan U2.2.0/K2.3.0 (klips)
See `ipsec --copyright' for copyright information.
[root at slug etc]# ipsec auto --up --verbose kilb-tun
002 "kilb-tun" #376: initiating Main Mode
104 "kilb-tun" #376: STATE_MAIN_I1: initiate
002 "kilb-tun" #376: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "kilb-tun" #376: STATE_MAIN_I2: sent MI2, expecting MR2
003 "kilb-tun" #376: ignoring Vendor ID payload [Cisco-Unity]
003 "kilb-tun" #376: received Vendor ID payload [Dead Peer Detection]
003 "kilb-tun" #376: ignoring Vendor ID payload
[574622b267463de27b0475ca9c424bd8]
003 "kilb-tun" #376: ignoring Vendor ID payload [XAUTH]
002 "kilb-tun" #376: I did not send a certificate because I do not have one.
002 "kilb-tun" #376: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "kilb-tun" #376: STATE_MAIN_I3: sent MI3, expecting MR3
003 "kilb-tun" #376: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
218 "kilb-tun" #376: STATE_MAIN_I3: INVALID_ID_INFORMATION
002 "kilb-tun" #376: sending encrypted notification INVALID_ID_INFORMATION to 216.12.345.678:500
010 "kilb-tun" #376: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "kilb-tun" #376: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "kilb-tun" #376: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "kilb-tun" #376: starting keying attempt 2 of an unlimited number, but releasing whack
Anyone...I'm at a total loss...What's broken?
--------------------------------------
Jeff Herring / jeffh at sldsi.com
Seacoast Laboratory Data Systems, Inc.
--------------------------------------