[Openswan Users] Problem with STATE_QUICK_I1.

marcos at dytz.com.br marcos at dytz.com.br
Mon Oct 10 14:54:33 CEST 2005

Hello guys,

After some struggle to get past STATE_MAIN_I3 and having an ISAKMP SA
established, I finally got the following error message for STATE_QUICK_I1:

104 "1" #20: STATE_MAIN_I1: initiate
106 "1" #20: STATE_MAIN_I2: sent MI2, expecting MR2
108 "1" #20: STATE_MAIN_I3: sent MI3, expecting MR3
004 "1" #20: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "1" #21: STATE_QUICK_I1: initiate
003 "1" #21: up-host command exited with status 126
032 "1" #21: STATE_QUICK_I1: internal error
003 "1" #21: discarding duplicate packet; already STATE_QUICK_I1
010 "1" #21: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "1" #21: STATE_QUICK_I1: retransmission; will wait 40s for response
003 "1" #21: discarding duplicate packet; already STATE_QUICK_I1
031 "1" #21: max number of retransmissions (2) reached STATE_QUICK_I1.  No
acceptable response to our first Quick Mode message: perhaps peer likes no
000 "1" #21: starting keying attempt 2 of at most 5, but releasing whack

I searched in Google for what might be provoking the "up-host command exited
with status 126" and found only some code explaining what up-host was supposed
to do, but nothing telling what status 126 meant. Could anyone please give me
any hint on what might be aborting my connection and how to fix the eroute and
up-host problem?

Another thing is that every time I run "ipsec verify", I get a
FAILED for the RSA private key, although the key is there and my ipsec.secrets
just points to it as follows:

: RSA key.pem "password"

And this would be the output of the "verify":

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.0/K2.6.8-2-686 (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]

Any reason for the verify not finding the key? Did I miss something in my
ipsec.secrets file?

Any help would be great.




