[Openswan Users] {Spam?} "ISAKMP SA established" BUT "state transition function for STATE_QUICK_R0 failed"

wjt_eric wjt_eric at 163.com
Tue Jul 12 16:44:24 CEST 2005


Hello, all!

I got a problem when trying to init an L2TP-over-IPsec tunnel between Windows XP & a Linux VPN gateway.

Linux gw IP 192.168.10.152, Windows client IP 192.168.10.103, auth by PSK,
Openswan 2.3.1 on linux-2.4.20 with NAT-T support, l2tpd-0.69

config setup
    #klipsdebug=none
    plutodebug="control"
    nat_traversal=yes

conn L2TP-PSK
    #use a preshared key
    #disable PFS for windows client
    type=tunnel
    authby=secret
    pfs=no
    #
    #left means local
    left=192.168.10.152
    leftsubnet=192.168.10.0/24
    leftprotoport=17/0
    #
    #remote user: %any for dyn ip
    right=%any
    rightprotoport=17/1701
    #
    auto=add

When I start the connection from Windows XP, I got this in /var/log/secure (not all of it, just the lines I think are important):

Jul 11 15:39:49 vpn-router pluto[1710]: packet from 192.168.10.103:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000003]
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: responding to Main Mode from unknown peer 192.168.10.103
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.103'
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: sent MR3, ISAKMP SA established
******************* so far so good *******************************
Jul 11 15:39:49 vpn-router pluto[1710]: | *received 1300 bytes from 192.168.10.103:500 on eth0 (port=500)
Jul 11 15:39:49 vpn-router pluto[1710]: | ICOOKIE: e0 d3 7f 60 b8 54 73 d9
Jul 11 15:39:49 vpn-router pluto[1710]: | RCOOKIE: 4f c5 62 4e 7a 47 98 df
Jul 11 15:39:49 vpn-router pluto[1710]: | peer: c0 a8 0a 67
Jul 11 15:39:49 vpn-router pluto[1710]: | state hash entry 5
Jul 11 15:39:49 vpn-router pluto[1710]: | peer and cookies match on #3, provided msgid d37b1763 vs 00000000
Jul 11 15:39:49 vpn-router pluto[1710]: | state object not found
Jul 11 15:39:49 vpn-router pluto[1710]: | ICOOKIE: e0 d3 7f 60 b8 54 73 d9
Jul 11 15:39:49 vpn-router pluto[1710]: | RCOOKIE: 4f c5 62 4e 7a 47 98 df
Jul 11 15:39:49 vpn-router pluto[1710]: | peer: c0 a8 0a 67
Jul 11 15:39:49 vpn-router pluto[1710]: | state hash entry 5
Jul 11 15:39:49 vpn-router pluto[1710]: | peer and cookies match on #3, provided msgid 00000000 vs 00000000
Jul 11 15:39:49 vpn-router pluto[1710]: | state object #3 found, in STATE_MAIN_R3
Jul 11 15:39:49 vpn-router pluto[1710]: | processing connection L2TP-PSK[3] 192.168.10.103
Jul 11 15:39:49 vpn-router pluto[1710]: | peer client is 192.168.10.103
Jul 11 15:39:49 vpn-router pluto[1710]: | peer client protocol/port is 17/1701
Jul 11 15:39:49 vpn-router pluto[1710]: | our client is 192.168.10.152
Jul 11 15:39:49 vpn-router pluto[1710]: | our client protocol/port is 17/0
*********************Error comes out!*************************************************
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: cannot respond to IPsec SA request because no connection is known for 192.168.10.152:17/0...192.168.10.103:17/1701

Jul 11 15:39:49 vpn-router pluto[1710]: | complete state transition with (null)
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: sending encrypted notification INVALID_ID_INFORMATION to 192.168.10.103:500
Jul 11 15:39:49 vpn-router pluto[1710]: "L2TP-PSK"[3] 192.168.10.103 #3: failed to build notification for spisize=0 
Jul 11 15:39:49 vpn-router pluto[1710]: | state transition function for STATE_QUICK_R0 failed: INVALID_ID_INFORMATION

So far as I know, I got an ISAKMP main mode success, but when the client tries to negotiate quick mode it fails. What is wrong within the "1300 bytes from 192.168.10.103:500"?

Thanks in advance!
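
Added example (not part of the original post, and not Openswan code): a small Python check that compares the selectors pluto logged for the failing Quick Mode request with the selectors the posted conn defines. It assumes pluto answers a Quick Mode request only when the proposed client nets and protocol/ports equal those of a loaded conn; the function names and the reduced CONN dictionary are made up for this illustration.

```python
import ipaddress
import re

# Constructed sample: the four selector lines pluto logged for the failing
# Quick Mode request, taken from the log in the post above.
LOG = """\
| peer client is 192.168.10.103
| peer client protocol/port is 17/1701
| our client is 192.168.10.152
| our client protocol/port is 17/0
"""

# The conn from the post, reduced to the keys that define traffic selectors.
CONN = {
    "left": "192.168.10.152",
    "leftsubnet": "192.168.10.0/24",
    "leftprotoport": "17/0",
    "right": "%any",
    "rightprotoport": "17/1701",
}

def proposed_selectors(log):
    """Extract what the peer asked for from pluto's 'control' debug lines."""
    nets = dict(re.findall(r"\| (our|peer) client is (\S+)", log))
    ports = dict(re.findall(r"\| (our|peer) client protocol/port is (\S+)", log))
    return {side: (ipaddress.ip_network(nets[side]), ports[side])
            for side in ("our", "peer")}

def configured_selectors(conn, peer_ip):
    """Selectors the conn offers; without a *subnet key the host itself is used."""
    def net(side, host):
        return ipaddress.ip_network(conn.get(side + "subnet") or host)
    right = peer_ip if conn["right"] == "%any" else conn["right"]
    return {"our": (net("left", conn["left"]), conn["leftprotoport"]),
            "peer": (net("right", right), conn["rightprotoport"])}

def mismatches(log, conn, peer_ip):
    """Return readable differences; an empty list means the conn matches."""
    want, have = proposed_selectors(log), configured_selectors(conn, peer_ip)
    out = []
    for side in ("our", "peer"):
        for label, w, h in zip(("net", "protoport"), want[side], have[side]):
            if w != h:
                out.append(f"{side} {label}: proposed {w}, configured {h}")
    return out
```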
