[Openswan Users] Not passing the "STATE_QUICK_I1: initiate"

Paul Wouters paul at xelerance.com
Tue Nov 8 06:59:21 CET 2005


On Mon, 7 Nov 2005, Oliver Schulze L. wrote:

> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1536}
> 002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
> isakmp#1587}
> 117 "ipsec01" #1588: STATE_QUICK_I1: initiate
> 010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for
> response
>
> 1. You have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some
> similar misconfiguration.

You can explicitly set:
	ike=3des-md5
	esp=3des-md5

or exchange md5 for sha1 in the above lines

> 2. Your access lists are set up wrong on the PIX. For example, access-list
> FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0 will
> work, where access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 host
> 202.0.45.170 while it appears to do the same thing, will cause problems at
> this point when the ISAKMP phase has
> finished, and the actual establishing of the tunnel begins.

For this you will need the logs on the other end. As suggested by Andy, you
can also try pfs=no.

Paul
-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
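
Added example, not part of the original message or of Openswan: a small triage script for the symptom in this thread, a Quick Mode state that retransmits in STATE_QUICK_I1 and never completes. The sample log is constructed from the quoted output; the STATE_MAIN_I4 and STATE_QUICK_I2 message texts are assumed to match pluto's usual wording.

```python
import re

# Constructed sample, modelled on the `ipsec auto --up` output quoted in the thread.
SAMPLE = """\
004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1587}
117 "ipsec01" #1588: STATE_QUICK_I1: initiate
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 40s for response
"""

# Status line layout: 3-digit code, quoted connection name, #state serial, message.
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')

# Checks suggested in the thread for a Quick Mode that gets no answer.
CHECKS = [
    "compare ike=/esp= on both ends (3des-md5 vs 3des-sha1)",
    "check the peer's access list is subnet-to-subnet, not subnet-to-host",
    "try pfs=no",
    "read the logs on the other end",
]

def triage(log):
    """One finding per Quick Mode state that retransmitted and never reached STATE_QUICK_I2."""
    phase1, quick = {}, {}
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _code, conn, serial, msg = m.groups()
        if "ISAKMP SA established" in msg:
            # Record the negotiated Phase 1 parameters from the {...} suffix.
            phase1[serial] = dict(re.findall(r"(\w+)=([^\s}]+)", msg))
        elif msg.startswith("initiating Quick Mode"):
            parent = re.search(r"isakmp#(\d+)", msg)
            quick[serial] = {"conn": conn, "serial": serial, "retransmits": 0,
                             "established": False,
                             "isakmp": parent.group(1) if parent else None}
        elif serial in quick and msg.startswith("STATE_QUICK_I1: retransmission"):
            quick[serial]["retransmits"] += 1
        elif serial in quick and msg.startswith("STATE_QUICK_I2"):
            quick[serial]["established"] = True
    return [dict(q, phase1=phase1.get(q["isakmp"], {}), checks=CHECKS)
            for q in quick.values() if q["retransmits"] and not q["established"]]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f'{f["conn"]} #{f["serial"]}: no Quick Mode reply after '
              f'{f["retransmits"]} retransmissions; Phase 1 was {f["phase1"]}')
        for c in f["checks"]:
            print("  -", c)
```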

