[Openswan Users] Not passing the "STATE_QUICK_I1: initiate"

Oliver Schulze L. oliver at samera.com.py
Mon Nov 7 18:48:17 CET 2005


Hi,
I'm trying to connect RH9 <-> Cisco. I have another thread in the list
named "[Openswan Users] Connecting RH9 <-> Cisco", but I created
this one because I have a more specific question.

Here is my output:
# ipsec auto --verbose --up ipsec01
002 "ipsec01" #1587: initiating Main Mode
104 "ipsec01" #1587: STATE_MAIN_I1: initiate
002 "ipsec01" #1587: transition from state STATE_MAIN_I1 to state 
STATE_MAIN_I2
106 "ipsec01" #1587: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ipsec01" #1587: received Vendor ID payload [Cisco-Unity]
003 "ipsec01" #1587: received Vendor ID payload [Dead Peer Detection]
003 "ipsec01" #1587: ignoring unknown Vendor ID payload 
[56e1df657ba6c134da7f5ed33ba2851c]
003 "ipsec01" #1587: received Vendor ID payload [XAUTH]
002 "ipsec01" #1587: I did not send a certificate because I do not have 
one.
002 "ipsec01" #1587: transition from state STATE_MAIN_I2 to state 
STATE_MAIN_I3
108 "ipsec01" #1587: STATE_MAIN_I3: sent MI3, expecting MR3
002 "ipsec01" #1587: Main mode peer ID is ID_IPV4_ADDR: '10.200.200.2'
002 "ipsec01" #1587: transition from state STATE_MAIN_I3 to state 
STATE_MAIN_I4
004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established 
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
group=modp1536}
002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using 
isakmp#1587}
117 "ipsec01" #1588: STATE_QUICK_I1: initiate
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for 
response
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 40s for 
response

The problem is that I don't get past the:
    117 "ipsec01" #1588: STATE_QUICK_I1: initiate
message. Reading further, I found this page:
    http://wiki.openswan.org/index.php/CiscoPIX
that says that it may be one of two options:

1. You have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some 
similar misconfiguration.
2. Your access lists are set up wrong on the PIX. For example, 
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 
255.255.255.0 will work, where access-list FREESWAN-VPN permit ip 
10.7.3.0 255.255.255.0 host 202.0.45.170, while it appears to do the 
same thing, will cause problems at this point when the ISAKMP phase 
has finished, and the actual establishing of the tunnel begins.

And my question is, how can I know if my problem is #1 or #2?
How can I debug further?
If my problem is #2, is there a solution without the need to modify the 
Cisco?

Many thanks
Oliver

-- 
Oliver Schulze L.
<oliver at samera.com.py>
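A small log classifier that answers the "how can I know if it is #1 or #2" question from the pluto output alone. It is an added example, not code from the post or from the Openswan project: it parses the `ipsec auto --up` messages shown above (rejoined onto single lines and embedded as a constructed sample), records which ISAKMP parameters Phase 1 agreed on, counts Quick Mode retransmissions, and reports which of the two wiki causes can still apply. The function and field names are my own; the message formats are those visible in the post, plus the standard pluto "IPsec SA established" line for the success case.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample: the pluto lines from the post above, with the wrapped
# lines rejoined. Real input is the output of `ipsec auto --verbose --up <conn>`
# or the pluto lines from syslog.
SAMPLE_LOG = """\
002 "ipsec01" #1587: initiating Main Mode
104 "ipsec01" #1587: STATE_MAIN_I1: initiate
002 "ipsec01" #1587: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "ipsec01" #1587: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ipsec01" #1587: received Vendor ID payload [Cisco-Unity]
003 "ipsec01" #1587: received Vendor ID payload [Dead Peer Detection]
003 "ipsec01" #1587: received Vendor ID payload [XAUTH]
002 "ipsec01" #1587: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "ipsec01" #1587: STATE_MAIN_I3: sent MI3, expecting MR3
002 "ipsec01" #1587: Main mode peer ID is ID_IPV4_ADDR: '10.200.200.2'
002 "ipsec01" #1587: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1587}
117 "ipsec01" #1588: STATE_QUICK_I1: initiate
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 40s for response
"""

# pluto line: <3-digit code> "<conn>" #<SA number>: <message>
LINE_RE = re.compile(r'^(\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS_RE = re.compile(r'\{([^}]*)\}')


@dataclass
class Negotiation:
    conn: Optional[str] = None
    peer_id: Optional[str] = None
    phase1_established: bool = False
    phase1_params: Dict[str, str] = field(default_factory=dict)  # auth/cipher/prf/group
    phase2_sa: Optional[str] = None          # SA number of the Quick Mode exchange
    phase2_established: bool = False
    phase2_retransmits: int = 0
    last_state: Dict[str, str] = field(default_factory=dict)    # SA number -> last STATE_*


def parse_pluto_log(text: str) -> Negotiation:
    """Walk the pluto messages and record how far each phase got."""
    n = Negotiation()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sa, msg = m.group('sa'), m.group('msg')
        n.conn = n.conn or m.group('conn')
        st = re.match(r'(STATE_[A-Z0-9_]+)', msg)      # lines that start with a state name
        if st:
            n.last_state[sa] = st.group(1)
        if 'ISAKMP SA established' in msg:
            n.phase1_established = True
            p = PARAMS_RE.search(msg)
            if p:
                n.phase1_params = dict(kv.split('=', 1) for kv in p.group(1).split())
        elif 'Main mode peer ID is' in msg:
            n.peer_id = msg.split(':', 1)[1].strip().strip("'")
        elif msg.startswith('initiating Quick Mode'):
            n.phase2_sa = sa
        elif 'IPsec SA established' in msg:
            n.phase2_established = True
        elif msg.startswith('STATE_QUICK_I1: retransmission'):
            n.phase2_retransmits += 1
    return n


def diagnose(n: Negotiation) -> Tuple[str, str]:
    """Return (code, explanation) mapping the parsed state onto the wiki's two causes."""
    if not n.phase1_established:
        return ('phase1-failed', 'ISAKMP SA never established: PSK or Phase 1 proposal '
                '(cipher/hash/DH group) is rejected by the peer.')
    if n.phase2_established:
        return ('tunnel-up', 'IPsec SA established; nothing to fix.')
    if n.phase2_sa and n.last_state.get(n.phase2_sa) == 'STATE_QUICK_I1' and n.phase2_retransmits:
        p = n.phase1_params
        return ('phase2-no-response',
                f"Phase 1 completed with peer {n.peer_id} using {p.get('auth')}/"
                f"{p.get('cipher')}/{p.get('prf')}/{p.get('group')}, so the PSK and Phase 1 "
                f"proposal are accepted. The peer then ignored {n.phase2_retransmits} Quick Mode "
                "retransmissions: either the Phase 2 (ESP) proposal differs (wiki cause #1, "
                "e.g. 3DES/MD5 vs 3DES/SHA1) or the proposed subnets do not match the peer's "
                "access-list (wiki cause #2). Compare esp= and leftsubnet/rightsubnet in "
                "ipsec.conf with the peer's transform set and access-list.")
    return ('in-progress', 'Negotiation has not reached a terminal state yet.')


if __name__ == '__main__':
    code, why = diagnose(parse_pluto_log(SAMPLE_LOG))
    print(code)
    print(why)
```

Run against the post's output it prints `phase2-no-response` and the explanation. The useful point is the ordering: once "ISAKMP SA established" appears, everything inside its braces has been agreed with the peer, so a 3DES/MD5 vs 3DES/SHA1 mismatch can only be in the ESP proposal, and the remaining suspect is the traffic selector (the subnets in ipsec.conf versus the peer's access-list).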
