[Openswan Users] Not passing the "STATE_QUICK_I1: initiate"

Andy fs at globalnetit.com
Mon Nov 7 18:54:04 CET 2005 

The Wiki is oversimplifying, there are many more than 2 conditions that
can cause this. Another one that I often run into is if PFS is set
differently. Try to test with pfs=yes and pfs=no, you may get lucky.

For sure though, something doesn't match between your configuration and
the Cisco. It's not responding because it doesn't like any proposal.

To debug it further, you'll need some help from the Cisco end - get the
Cisco config and post it here, along with your config, we may be able to
help. Also, try to enable debug for ipsec on the Cisco and see what that
tells us.


On Mon, 2005-11-07 at 18:48 -0300, Oliver Schulze L. wrote:
> Hi,
> I'm trying to connect RH9 <-> Cisco, I have another thread in the list
> named "[Openswan Users] Connecting RH9 <-> Cisco", but I created
> this one because I have a more specific question.
> 
> Here is my output:
> # ipsec auto --verbose --up ipsec01
> 002 "ipsec01" #1587: initiating Main Mode
> 104 "ipsec01" #1587: STATE_MAIN_I1: initiate
> 002 "ipsec01" #1587: transition from state STATE_MAIN_I1 to state 
> STATE_MAIN_I2
> 106 "ipsec01" #1587: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "ipsec01" #1587: received Vendor ID payload [Cisco-Unity]
> 003 "ipsec01" #1587: received Vendor ID payload [Dead Peer Detection]
> 003 "ipsec01" #1587: ignoring unknown Vendor ID payload 
> [56e1df657ba6c134da7f5ed33ba2851c]
> 003 "ipsec01" #1587: received Vendor ID payload [XAUTH]
> 002 "ipsec01" #1587: I did not send a certificate because I do not have 
> one.
> 002 "ipsec01" #1587: transition from state STATE_MAIN_I2 to state 
> STATE_MAIN_I3
> 108 "ipsec01" #1587: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "ipsec01" #1587: Main mode peer ID is ID_IPV4_ADDR: '10.200.200.2'
> 002 "ipsec01" #1587: transition from state STATE_MAIN_I3 to state 
> STATE_MAIN_I4
> 004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
> group=modp1536}
> 002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using 
> isakmp#1587}
> 117 "ipsec01" #1588: STATE_QUICK_I1: initiate
> 010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for 
> response
> 010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 40s for 
> response
> 
> The problem is that I don't get pass the:
>     117 "ipsec01" #1588: STATE_QUICK_I1: initiate
> message. Reading further, I found this page:
>     http://wiki.openswan.org/index.php/CiscoPIX
> that says that it may be one of two options:
> 
> 1. You have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some 
> similar misconfiguration.
> 2. Your access lists are set up wrong on the PIX. For example, 
> access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 
> 255.255.255.0 will work, where access-list FREESWAN-VPN permit ip 
> 10.7.3.0 255.255.255.0 host 202.0.45.170 while it appears to do to the 
> same thing, will cause problems at this point when the ? 
> <http://wiki.openswan.org/index.php/ISAKMP?action=create>_ISAKMP_ phase 
> has finished, and the actual establishing of the tunnel begins.
> 
> And my question is, how can I know if my problem is #1 or #2?
> How can I debug further?
> If my problem is #2, is there a solution without the need to modify the 
> Cisco?
> 
> Many thanks
> Oliver
> 
-- 
Andy <fs at globalnetit.com>

More information about the Users mailing list