[Openswan Users] responder-initiator assimetry (blocked at QI)

Tue Sep 13 18:28:56 CEST 2005

On Tue, 2005-09-13 at 16:20, Paul Wouters wrote:

> On Tue, 13 Sep 2005, Albert Agustí wrote:
> 
> > (openswan), but a lot of messages of QI get on the log at central site.
> > Openswan sistem is unable to negotiate the tunnels (for all connections,
> > log shows a lot of line like those)
> >
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: max number of
> > retransmissions (2) reached STATE_QUICK_I1
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13194: starting
> > keying attempt 206 of an unlimited number
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #13226: initiating
> > Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #13194 {using isakmp#12748}
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: ignoring
> > informational payload, type NO_PROPOSAL_CHOSEN
> > Sep 13 09:46:45 pluto[31826]: "vpn-sc-singuerlin" #12748: received and
> > ignored informational message
> >
> 
> It seems like the Cisco is configured more specifically then Openswan.
> So when the Cisco initiates, openswan responds fine, but when openswan
> rekeys or initiates, the cisco does not allow that proposal. This can
> happen when the Cisco is using PFS=yes, while openswan uses PFS=no. Since
> openswan always allows PFS, even if it is set to "no", but it will use
> the setting in its request when sending.
> So double check your configuration for such discrependancies. Also,
> Openswan normally starts asking for aes, then 3des. If the Cisco just says
> "no" at the first proposal, you won't be able to send it another proposal.
> To avoid this issue, use the ike= and esp= lines to send the exact matching
> proposal as the first proposal to the Cisco.
> 
> Paul

Thanks a lot Paul, 

Solved only with line esp=3des in ipsec.conf al tunnel definitions, so
You where right. I'm a bit surprised because I checked cisco
configurations and exact routers behave different in that sense. Changed
from openswan 2.2.0 to 2.3.0 (first offer).

Were that continuos retransmissions the cause of message logs like this
? 

can not start crypto helper: failed to find any available worker

Best regards
Albert Agustí

AvÃs important: Aquest missatge i qualsevol fitxer adjunt contenen informaciÃ³ confidencial d'Ãºs exclusiu per al destinatari. Si vostÃ¨ ha rebut aquest correu electrÃ²nic per error, l'informem que estÃ  totalment prohibida la divulgaciÃ³, cÃ²pia o distribuciÃ³ i li preguem que ho notifiqui i que l'esborri immediatament. GrÃ cies per la seva colÂ·laboraciÃ³. Aviso importante: Este mensaje y cualquier fichero adjunto contiene informaciÃ³n confidencial de uso exclusivo para el destinatario. Si usted ha recibido el mensaje por error, le informamos que estÃ¡ totalmente prohibida su divulgaciÃ³n, copia o distribuciÃ³n y le rogamos que lo notifique y que lo borre inmediatamente. Gracias por su colaboraciÃ³n. Important notice: This message and any files transmitted with it are confidential and intended solely for the individual to whom it is addressed. Unauthorized publication, use, dissemination, forwarding, printing or copying of this email and its associated attachments is stric
 tly prohibited. If you have received this email in error, please notify the sender and delete the original immediately. Thank you for your cooperation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20050913/0ddd9742/attachment-0001.htm