[Openswan Users] responder-initiator asymmetry (blocked at QI)
AlbertAgustí
aagusti at serialnet.net
Tue Sep 13 11:15:01 CEST 2005
Hello,
I can initiate tunnels from remote sites to the tunnel concentrator (Openswan), but a lot of QI messages appear in the log at the central site. The Openswan system is unable to negotiate the tunnels (for all connections, the log shows a lot of lines like these):
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: max number of retransmissions (2) reached STATE_QUICK_I1
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: starting keying attempt 206 of an unlimited number
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13226: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #13194 {using isakmp#12748}
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: received and ignored informational message
Note: Main Mode looks completed, but as soon as it's initiated, the log shows:
no IKE algorithms for this connection
When Openswan acts as a responder, there is no problem getting the IPsec SA, and communication works, so there is a feasible proposal between the peers, and as I said it works in the other direction, but I'm trying to solve this because I suspect that messages like:
can not start crypto helper: failed to find any available worker
could be related to that massive retransmission of QI. Am I right?
The central system is running RHEL 4.0 and Openswan 2.3.0; the remote nodes (office sites) are Cisco 837 (supporting 3DES). I've set up similar scenarios with Cisco and Openswan and this behaviour does not show up and it works fine. The main difference in the scenario where this is showing is that Openswan is not directly connected to the LAN network it tunnels. I mean:
LAN INSIDE ------ FIREWALL SYSTEM ---------- INTERMEDIATE LAN ----------- OPENSWAN SYSTEM ------------- ROUTER TO OUTSIDE ---------- WAN
In ipsec.conf the tunnel conf looks like:
conn vpn-sc-singuerlin
    authby=secret
    right=WAN IP address of remote node
    rightid=same as right
    rightsubnet=192.168.2.0/24
    left=same as leftid
    leftnexthop=router to outside IP address
    leftid=IP of openswan system at openswan-router network
    leftsubnet=10.10.0.0/16 (LAN INSIDE)
    auto=add
Of course LAN INSIDE is routed from the Openswan system. Am I missing something important there? Any clues on how to express this topology correctly in ipsec.conf?
Any help would be appreciated.
Thanks in advance,
Albert Agustí
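A small triage script, added here as an example and not part of Albert's message or of Openswan itself, that counts the pluto failure patterns he quotes per connection, so one can see which conns keep cycling through Quick Mode retransmissions without ever reaching an IPsec SA and whether crypto helper exhaustion is visible in the same window. The log lines in it are constructed to match the ones above, and the "stuck" threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines quoted in the post (not a real capture)
SAMPLE_LOG = """\
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: max number of retransmissions (2) reached STATE_QUICK_I1
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: starting keying attempt 206 of an unlimited number
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13226: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #13194 {using isakmp#12748}
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: received and ignored informational message
Sep 13 09:46:46 pluto[31826]: "vpn-sc-other" #200: max number of retransmissions (2) reached STATE_QUICK_I1
Sep 13 09:46:46 pluto[31826]: "vpn-sc-other" #200: starting keying attempt 3 of an unlimited number
Sep 13 09:46:47 pluto[31826]: can not start crypto helper: failed to find any available worker
Sep 13 09:46:50 pluto[31826]: "vpn-sc-other" #201: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1a2b3c4d <0x5e6f7a8b}
"""

# Per-connection pluto messages look like: "<conn>" #<state number>: <message>
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)')
ATTEMPT_RE = re.compile(r"starting keying attempt (\d+) of")

def triage(log_text):
    """Count, per connection, the failure signs discussed in the post."""
    stats = defaultdict(lambda: {"quick_i1_timeouts": 0, "no_proposal_chosen": 0,
                                 "max_keying_attempt": 0, "ipsec_sa_established": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection message
        s, msg = stats[m.group("conn")], m.group("msg")
        s["quick_i1_timeouts"] += "reached STATE_QUICK_I1" in msg
        s["no_proposal_chosen"] += "NO_PROPOSAL_CHOSEN" in msg
        s["ipsec_sa_established"] += "IPsec SA established" in msg
        a = ATTEMPT_RE.search(msg)
        if a:  # the attempt counter keeps climbing while Quick Mode never completes
            s["max_keying_attempt"] = max(s["max_keying_attempt"], int(a.group(1)))
    return dict(stats)

def crypto_helper_failures(log_text):
    """The helper message may carry no connection prefix, so count it across the whole log."""
    return sum("can not start crypto helper" in l for l in log_text.splitlines())

def stuck_connections(stats, min_attempts=10):
    """Connections retrying Quick Mode repeatedly without ever establishing an IPsec SA (threshold assumed)."""
    return sorted(c for c, s in stats.items()
                  if s["quick_i1_timeouts"] and not s["ipsec_sa_established"]
                  and s["max_keying_attempt"] >= min_attempts)

if __name__ == "__main__":
    st = triage(SAMPLE_LOG)
    for conn, s in sorted(st.items()):
        print(conn, s)
    print("stuck:", stuck_connections(st), "helper failures:", crypto_helper_failures(SAMPLE_LOG))
```

Run it against /var/log/secure (or wherever pluto logs on the box) instead of SAMPLE_LOG to see whether only the initiated direction piles up retransmissions, as the post describes.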