[Openswan Users] Fedora client to Sentinel server - unable to setup VPN

Davide Bolcioni db-ipsec at 3di.it
Wed Feb 15 13:04:52 CET 2006


Greetings,
I am attempting to set up a VPN between Fedora Core 3 
openswan-2.4.4-0.FC3.1 and a (supposedly) Sentinel server.

I was supplied with a configuration which ought to work, but
my problem is that, after ISAKMP setup, initiation fails:

[root at host ~]# ipsec auto --up c
104 "c" #1: STATE_MAIN_I1: initiate
003 "c" #1: received Vendor ID payload [Openswan (this version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "c" #1: received Vendor ID payload [Dead Peer Detection]
003 "c" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "c" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "c" #1: NAT-Traversal: Result using 3: i am NATed
108 "c" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "c" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "c" #2: STATE_QUICK_I1: initiate
010 "c" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "c" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "c" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "c" #2: starting keying attempt 2 of an unlimited number, but releasing whack

A look in /var/log/debug brought my attention to this:

host pluto[8086]: | received encrypted packet from <sentinel IP>:4500
...
host pluto[8086]: | ***parse ISAKMP Hash Payload:
host pluto[8086]: |    next payload type: ISAKMP_NEXT_N
host pluto[8086]: |    length: 20
host pluto[8086]: | ***parse ISAKMP Notification Payload:
host pluto[8086]: |    next payload type: ISAKMP_NEXT_NONE
host pluto[8086]: |    length: 12
host pluto[8086]: |    DOI: ISAKMP_DOI_IPSEC
host pluto[8086]: |    protocol ID: 1
host pluto[8086]: |    SPI size: 0
host pluto[8086]: |    Notify Message Type: INVALID_MESSAGE_ID
host pluto[8086]: "c" #1: ignoring informational payload, type INVALID_MESSAGE_ID
host pluto[8086]: | processing informational INVALID_MESSAGE_ID (9)
host pluto[8086]: "c" #1: received and ignored informational message
host pluto[8086]: | complete state transition with STF_IGNORE

but I cannot tell whether this is significant (my only clue is that it seems
to give up at this point), or what the problem may be. I verified that
my firewall, the one doing the NAT, is not stopping any packet going
to the sentinel IP, just in case.

Thank you for your consideration
-- 
Paranoia is an afterthought.
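As an added example (not part of the original post and not Openswan's own code), the following Python script triages the two kinds of output quoted above: the `ipsec auto --up` (whack) lines and the pluto debug lines. It parses the whack prefix (three-digit code, connection name, SA number, message), records whether the ISAKMP SA was established, counts Quick Mode retransmissions, notes the state in which pluto gave up, and collects any informational payloads pluto reports as ignored. The sample inputs are constructed from the lines in the post (mail-wrapped lines joined); the line formats are assumed from those samples only, and the `phase1`/`phase2`/`ok` labels in `diagnose()` are this example's own convention.

```python
import re

# Constructed sample input: the `ipsec auto --up c` output from the post,
# with the mail-wrapped lines joined back together.
WHACK_OUTPUT = """\
104 "c" #1: STATE_MAIN_I1: initiate
003 "c" #1: received Vendor ID payload [Openswan (this version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "c" #1: received Vendor ID payload [Dead Peer Detection]
003 "c" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "c" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "c" #1: NAT-Traversal: Result using 3: i am NATed
108 "c" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "c" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "c" #2: STATE_QUICK_I1: initiate
010 "c" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "c" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "c" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "c" #2: starting keying attempt 2 of an unlimited number, but releasing whack
"""

# Constructed sample input: the relevant pluto debug lines from the post.
PLUTO_DEBUG = """\
host pluto[8086]: |    Notify Message Type: INVALID_MESSAGE_ID
host pluto[8086]: "c" #1: ignoring informational payload, type INVALID_MESSAGE_ID
host pluto[8086]: "c" #1: received and ignored informational message
"""

# Whack line shape as seen in the post: <3-digit code> "<conn>" #<sa>: <message>
WHACK_LINE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_NAME = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')
# Pluto line shape for an ignored informational payload, as seen in the post.
IGNORED_NOTIFY = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): ignoring informational payload, type (?P<type>[A-Z_]+)')


def parse_whack(text):
    """Split whack output into code/conn/sa/msg records; lines without the prefix are dropped."""
    records = []
    for line in text.splitlines():
        m = WHACK_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def ignored_notifications(text):
    """Collect conn/sa/type for every informational payload pluto logged as ignored."""
    found = []
    for line in text.splitlines():
        m = IGNORED_NOTIFY.search(line)
        if m:
            found.append(m.groupdict())
    return found


def summarize(whack_text, pluto_text):
    """Reduce both logs to the facts needed to see where the negotiation stopped."""
    summary = {
        "phase1_established": False,   # ISAKMP SA (Main Mode) completed
        "last_state": None,            # last STATE_* name seen in whack output
        "retransmissions": 0,          # "retransmission; will wait ..." lines
        "gave_up_in": None,            # state named on the "max number of retransmissions" line
        "ignored_notifications": [],   # notify types pluto received and ignored
    }
    for ev in parse_whack(whack_text):
        m = STATE_NAME.search(ev["msg"])
        if m:
            summary["last_state"] = m.group(1)
        if "ISAKMP SA established" in ev["msg"]:
            summary["phase1_established"] = True
        if "retransmission;" in ev["msg"]:
            summary["retransmissions"] += 1
        if "max number of retransmissions" in ev["msg"]:
            summary["gave_up_in"] = m.group(1) if m else ev["msg"]
    summary["ignored_notifications"] = [n["type"] for n in ignored_notifications(pluto_text)]
    return summary


def diagnose(summary):
    """Name the phase in which the exchange stopped (labels are this example's own)."""
    if not summary["phase1_established"]:
        return "phase1"
    if summary["gave_up_in"] and summary["gave_up_in"].startswith("STATE_QUICK"):
        return "phase2"
    return "ok"


if __name__ == "__main__":
    s = summarize(WHACK_OUTPUT, PLUTO_DEBUG)
    print(diagnose(s))
    for key, value in s.items():
        print(f"  {key}: {value}")
```

Run against the post's output it reports `phase2`: Main Mode completed (the `004 ... ISAKMP SA established` line), two Quick Mode retransmissions, the give-up in `STATE_QUICK_I1`, and one ignored `INVALID_MESSAGE_ID` notification from the peer. The script only separates "Phase 1 never completed" from "Phase 1 completed but Quick Mode got no acceptable reply"; it does not decide why the peer sent the notification.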