[Openswan Users] responder-initiator asymmetry (blocked at QI)
Paul Wouters
paul at xelerance.com
Tue Sep 13 17:20:11 CEST 2005
On Tue, 13 Sep 2005, Albert Agustí wrote:
> (openswan), but a lot of messages of QI get on the log at central site.
> Openswan system is unable to negotiate the tunnels (for all connections,
> log shows a lot of line like those)
>
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: max number of
> retransmissions (2) reached STATE_QUICK_I1
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: starting
> keying attempt 206 of an unlimited number
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13226: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #13194 {using isakmp#12748}
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: ignoring
> informational payload, type NO_PROPOSAL_CHOSEN
> Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: received and
> ignored informational message
>
> Note : Main Mode looks completed, but as soon as it's initiated, log
> shows :
>
> no IKE algorithms for this connection
>
> When openswan acts as a responder, no problem to get IPsec SA, and
> communication works, so there is a feasible proposal between peers, and
> as I said it works on the other direction, but I'm trying to solve
> because I suspect that messages like :
>
> can not start crypto helper: failed to find any available worker
It seems like the Cisco is configured more specifically than Openswan.
So when the Cisco initiates, openswan responds fine, but when openswan
rekeys or initiates, the cisco does not allow that proposal. This can
happen when the Cisco is using PFS=yes, while openswan uses PFS=no.
Openswan always allows PFS, even if it is set to "no", but it will use
the setting in its request when sending.
So double check your configuration for such discrepancies. Also,
Openswan normally starts asking for aes, then 3des. If the Cisco just says
"no" at the first proposal, you won't be able to send it another proposal.
To avoid this issue, use the ike= and esp= lines to send the exact matching
proposal as the first proposal to the Cisco.
Paul
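The fix Paul describes, as an added ipsec.conf illustration that is not part of the original mail: the loose configuration beside one that pins the exact proposal with ike= and esp= and matches the peer's PFS setting. The algorithm values (3DES/SHA1, DH group 2 = modp1024, PFS on) and the subnets/addresses are assumptions; substitute what the Cisco is actually configured with. The two fragments are alternative versions of the same conn, only one belongs in the file.

```ini
# Added example, not from the original thread. Assumption: the Cisco side
# uses 3DES/SHA1, DH group 2 (modp1024) and has PFS enabled.

# BEFORE: Openswan left to its defaults. It proposes aes first, then 3des,
# and pfs=no still lets it accept PFS when the Cisco initiates, so the
# tunnel comes up as responder but Openswan's own first proposal is
# refused (NO_PROPOSAL_CHOSEN) whenever it initiates or rekeys.
conn vpn-sc-singuerlin
        authby=secret
        left=%defaultroute
        leftsubnet=10.0.1.0/24          # constructed sample subnet
        right=192.0.2.1                 # placeholder for the Cisco address
        rightsubnet=10.0.2.0/24         # constructed sample subnet
        pfs=no
        auto=start

# AFTER: the one proposal the Cisco accepts is sent as the first proposal,
# and PFS matches the Cisco's setting, so initiating and rekeying work too.
conn vpn-sc-singuerlin
        authby=secret
        left=%defaultroute
        leftsubnet=10.0.1.0/24
        right=192.0.2.1
        rightsubnet=10.0.2.0/24
        ike=3des-sha1-modp1024          # phase 1: must match the Cisco isakmp policy
        esp=3des-sha1                   # phase 2: must match the Cisco transform-set
        pfs=yes                         # match the Cisco's PFS setting
        auto=start
```

After the change, a successful rekey initiated from the Openswan side shows STATE_QUICK_I2 in the pluto log instead of repeated "max number of retransmissions (2) reached STATE_QUICK_I1".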