[Openswan Users] responder-initiator asymmetry (blocked at QI)

AlbertAgustí aagusti at serialnet.net
Tue Sep 13 18:28:56 CEST 2005


On Tue, 2005-09-13 at 16:20, Paul Wouters wrote:

> On Tue, 13 Sep 2005, Albert Agustí wrote:
> 
> > (openswan), but a lot of messages of QI get on the log at central site.
> > Openswan system is unable to negotiate the tunnels (for all connections,
> > log shows a lot of lines like these)
> >
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: max number of
> > retransmissions (2) reached STATE_QUICK_I1
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: starting
> > keying attempt 206 of an unlimited number
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13226: initiating
> > Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #13194 {using isakmp#12748}
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: ignoring
> > informational payload, type NO_PROPOSAL_CHOSEN
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: received and
> > ignored informational message
> >
> 
> It seems like the Cisco is configured more specifically than Openswan.
> So when the Cisco initiates, openswan responds fine, but when openswan
> rekeys or initiates, the cisco does not allow that proposal. This can
> happen when the Cisco is using PFS=yes, while openswan uses PFS=no. Since
> openswan always allows PFS, even if it is set to "no", but it will use
> the setting in its request when sending.
> So double check your configuration for such discrepancies. Also,
> Openswan normally starts asking for aes, then 3des. If the Cisco just says
> "no" at the first proposal, you won't be able to send it another proposal.
> To avoid this issue, use the ike= and esp= lines to send the exact matching
> proposal as the first proposal to the Cisco.
> 
> Paul


Thanks a lot Paul,

Solved only with the line esp=3des in ipsec.conf at the tunnel definitions, so
you were right. I'm a bit surprised because I checked the Cisco
configurations and the exact routers behave differently in that sense. Changed
from openswan 2.2.0 to 2.3.0 (first offer).

Were those continuous retransmissions the cause of log messages like this?

can not start crypto helper: failed to find any available worker

Best regards
Albert Agustí
