[Openswan Users] Not passing the "STATE_QUICK_I1: initiate"
Oliver Schulze L.
oliver at samera.com.py
Thu Nov 10 23:35:00 CET 2005
It's working! RH9 <-> Cisco = OK!
I'm finishing an installation guide for this kind of setup.
Thanks to you Paul and Andy for helping me. Could not
have done it without you.
Regards,
Oliver
Paul Wouters wrote:
>On Mon, 7 Nov 2005, Oliver Schulze L. wrote:
>
>
>
>>{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
>>group=modp1536}
>>002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
>>isakmp#1587}
>>117 "ipsec01" #1588: STATE_QUICK_I1: initiate
>>010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for
>>response
>>
>>1. You have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some
>>similar misconfiguration.
>>
>>
>
>You can explicitly set:
> ike=3des-md5
> esp=3des-md5
>
>or exchange md5 for sha1 in the above lines
>
>
>
>>2. Your access lists are set up wrong on the PIX. For example, access-list
>>FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0 will
>>work, where access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 host
>>202.0.45.170 while it appears to do the same thing, will cause problems at
>>this point when the ISAKMP phase has
>>finished, and the actual establishing of the tunnel begins.
>>
>>
>
>For this you will need the logs on the other end. As suggested by Andy, you
>can also try pfs=no.
>
>Paul
>
>
--
Oliver Schulze L.
<oliver at samera.com.py>
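
The symptom discussed in this thread (Phase 1 completes, then Quick Mode sits in STATE_QUICK_I1 retransmitting) can be picked out of pluto's whack output mechanically. The script below is an added example, not part of the original messages or of Openswan; the sample log is constructed from the lines quoted above, and the "ipsec02" connection and the `triage` helper are hypothetical.

```python
import re

# Constructed sample modelled on the whack output quoted in the thread.
# The STATE_MAIN_I4 prefix and every "ipsec02" line are assumptions.
SAMPLE = '''\
004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1587}
117 "ipsec01" #1588: STATE_QUICK_I1: initiate
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for response
004 "ipsec02" #12: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "ipsec02" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#12}
117 "ipsec02" #13: STATE_QUICK_I1: initiate
004 "ipsec02" #13: STATE_QUICK_I2: sent QI2, IPsec SA established
'''

LINE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS = re.compile(r'\{(auth=[^}]*)\}')

# Checks suggested in the thread for a tunnel that stalls at this point.
HINTS = ("esp= algorithms match the peer (e.g. 3des-md5 vs 3des-sha1)",
         "local/remote subnets match the peer's access list exactly",
         "both ends agree on PFS (try pfs=no)")

def triage(text):
    """Return {conn: {"phase1": {...}, "quick": status}} from whack output."""
    report = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        entry = report.setdefault(m["conn"], {"phase1": {}, "quick": "not started"})
        msg = m["msg"]
        p = PARAMS.search(msg)
        if p:  # negotiated Phase 1 (IKE) parameters
            entry["phase1"] = dict(kv.split("=", 1) for kv in p.group(1).split())
        if "STATE_QUICK_I2" in msg and "established" in msg:
            entry["quick"] = "established"
        elif "STATE_QUICK_I1" in msg and entry["quick"] != "established":
            entry["quick"] = "stalled" if "retransmission" in msg else "initiated"
    return report

if __name__ == "__main__":
    for conn, info in triage(SAMPLE).items():
        print(conn, info["quick"], info["phase1"])
        if info["quick"] == "stalled":
            for hint in HINTS:
                print("   check:", hint)
```
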