[Openswan Users] Not passing the "STATE_QUICK_I1: initiate"

Oliver Schulze L. oliver at samera.com.py
Tue Nov 8 18:32:53 CET 2005


Hi Andy and Paul,
it worked, ipsec0 is up!

My problem was indeed a policy mismatch, as Andy noted.
I had to set it up like this:

        left=172.xx.219.14
        leftnexthop=172.xx.219.13
        leftsubnet=192.168.150.1/32
        right=10.xx.200.2
        rightnexthop=10.xx.200.1
        rightsubnet=10.1.254.63/32

ipsec started like this:
# /usr/sbin/ipsec auto --up ipsec01
104 "ipsec01" #1: STATE_MAIN_I1: initiate
106 "ipsec01" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ipsec01" #1: received Vendor ID payload [Cisco-Unity]
003 "ipsec01" #1: received Vendor ID payload [Dead Peer Detection]
003 "ipsec01" #1: ignoring unknown Vendor ID payload [56e1df6547da1ce2e04d274cda4f3d6f]
003 "ipsec01" #1: received Vendor ID payload [XAUTH]
108 "ipsec01" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "ipsec01" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "ipsec01" #2: STATE_QUICK_I1: initiate
003 "ipsec01" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "ipsec01" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x22287613 <0x44cf8c33 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

All this is OK, but I still have no ping.
My setup is rather obscure, I think.
Left:
Linux RH9, eth0 (Internet IP), eth0:1 (private VLAN IP), eth1 (local intranet with no hosts connected)

Right:
Cisco, acting as a VPN router to an intranet in 10.xx.254.63

The problem is that both routers, RH9 and Cisco, can only send packets. They don't
receive any response. I think it may be a problem with the firewall or route.
With ifconfig I saw this:
ipsec0    Link encap:Ethernet  HWaddr
          inet addr:172.xx.219.14  Mask:255.255.255.252
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1193 errors:0 dropped:43 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:178950 (174.7 Kb)

Every time I ping, the TX dropped counter increases.

$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.200.200.2    172.xx.219.13   255.255.255.255 UGH   0      0        0 eth0
172.xx.219.12   0.0.0.0         255.255.255.252 U     0      0        0 eth0
172.xx.219.12   0.0.0.0         255.255.255.252 U     0      0        0 ipsec0
200.xx.36.xx    0.0.0.0         255.255.255.252 U     0      0        0 eth0
192.168.150.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.xx.254.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         200.xx.xx.xx    0.0.0.0         UG    0      0        0 eth0

I don't know what a route -n on a working RH9 with openswan should
look like.

When I find the solution, I will post it here. Any help is welcome.

Thanks
Oliver


Andy wrote:

>On Tue, 2005-11-08 at 12:45 -0300, Oliver Schulze L. wrote:
>>Hi,
>>I think there can be a problem with this config.
>>
>>The Cisco Guy(tm) is telling me that he only allows me to go to 1 internal host
>>and not to the whole internal network. In the Cisco, only host 10.1.254.63/32
>>is "published" in the ipsec
>>
>>I, in ipsec.conf, configure his internal network as:
>>rightsubnet=10.1.254.0/24
>Your policy and his must match exactly. If his access list specifies
>10.1.254.63/32, that's what you need to set for your rightsubnet.
>Likewise for the internal network your side (leftsubnet).
>
>>Another thing, don't know if this matters, but ipsec verify returns:
>>Checking your system to see if IPsec got installed and started correctly:
>>Version check and ipsec on-path                                 [OK]
>>Linux Openswan Ucvs2002Mar11_19:19:03/K2.1.2rc3 (klips)
>>Checking for IPsec support in kernel                            [OK]
>>Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
>>ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>>Checking that pluto is running                                  [OK]
>>Two or more interfaces found, checking IP forwarding            [OK]
>>Checking NAT and MASQUERADEing                                  [OK]
>>Checking for 'ip' command                                       [OK]
>>Checking for 'iptables' command                                 [OK]
>>Opportunistic Encryption Support                                [DISABLED]
>>
>>I'm not using RSA, just a PreSharedSecret, and
>>  authby=secret
>>in ipsec.conf
>You don't need an RSA then.
>
>>Will post more info in a few hours.
>>
>>Many thanks
>>Oliver
>>
>>Andy wrote:
>>
>>>To debug it further, you'll need some help from the Cisco end - get the
>>>Cisco config and post it here, along with your config, we may be able to
>>>help. Also, try to enable debug for ipsec on the Cisco and see what that
>>>tells us.

-- 
Oliver Schulze L.
<oliver at samera.com.py>
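As an added example, not part of this thread: a small Python check that parses pluto's "ipsec auto --up" output to confirm both the ISAKMP and the IPsec SA came up (and pulls out the ESP SPIs), and then looks at a route -n table to confirm that the configured rightsubnet is covered by a route on ipsec0, which is how KLIPS gets packets into the tunnel. The log lines and routing table are constructed samples modelled on the ones above, with the redacted "xx" octets replaced by 1.

```python
import ipaddress
import re

# Constructed sample of pluto output, modelled on the thread's lines (not the originals).
PLUTO_OUTPUT = """\
104 "ipsec01" #1: STATE_MAIN_I1: initiate
004 "ipsec01" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
117 "ipsec01" #2: STATE_QUICK_I1: initiate
004 "ipsec01" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x22287613 <0x44cf8c33 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

# Constructed route -n table; the thread's redacted "xx" octets replaced with 1.
ROUTE_OUTPUT = """\
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.254.0      0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.150.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         200.1.1.1       0.0.0.0         UG    0      0        0 eth0
"""

SA_RE = re.compile(r'#(\d+): (STATE_\w+): .*?(ISAKMP SA established|IPsec SA established)')
SPI_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')

def sa_status(log):
    """Return phase 1 / phase 2 flags and the outbound/inbound ESP SPIs seen in pluto output."""
    status = {"isakmp": False, "ipsec": False, "spi_out": None, "spi_in": None}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        if m.group(3).startswith("ISAKMP"):
            status["isakmp"] = True
        else:
            status["ipsec"] = True
            s = SPI_RE.search(line)
            if s:
                status["spi_out"], status["spi_in"] = s.group(1), s.group(2)
    return status

def route_for(route_table, subnet, iface):
    """Return the route (network/prefix) on iface that covers subnet, or None if there is none."""
    target = ipaddress.ip_network(subnet)
    for line in route_table.splitlines()[1:]:  # skip the header line
        dest, gw, mask, flags, *_rest, dev = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")
        # With KLIPS, only traffic routed via ipsec0 is handed to the tunnel.
        if dev == iface and target.subnet_of(net):
            return str(net)
    return None
```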


