[Openswan Users]
Fedora client to Sentinel server - unable to setup VPN
Davide Bolcioni
db-ipsec at 3di.it
Wed Feb 15 13:04:52 CET 2006
Greetings,
I am attempting to set up a VPN between Fedora Core 3
openswan-2.4.4-0.FC3.1 and a (supposedly) Sentinel server.
I was supplied with a configuration which ought to work, but
my problem is that, after ISAKMP setup, initiation fails:
[root at host ~]# ipsec auto --up c
104 "c" #1: STATE_MAIN_I1: initiate
003 "c" #1: received Vendor ID payload [Openswan (this version) 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "c" #1: received Vendor ID payload [Dead Peer Detection]
003 "c" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "c" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "c" #1: NAT-Traversal: Result using 3: i am NATed
108 "c" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "c" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "c" #2: STATE_QUICK_I1: initiate
010 "c" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "c" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "c" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "c" #2: starting keying attempt 2 of an unlimited number, but releasing whack
A look in /var/log/debug brought my attention to this:
host pluto[8086]: | received encrypted packet from <sentinel IP>:4500
...
host pluto[8086]: | ***parse ISAKMP Hash Payload:
host pluto[8086]: | next payload type: ISAKMP_NEXT_N
host pluto[8086]: | length: 20
host pluto[8086]: | ***parse ISAKMP Notification Payload:
host pluto[8086]: | next payload type: ISAKMP_NEXT_NONE
host pluto[8086]: | length: 12
host pluto[8086]: | DOI: ISAKMP_DOI_IPSEC
host pluto[8086]: | protocol ID: 1
host pluto[8086]: | SPI size: 0
host pluto[8086]: | Notify Message Type: INVALID_MESSAGE_ID
host pluto[8086]: "c" #1: ignoring informational payload, type INVALID_MESSAGE_ID
host pluto[8086]: | processing informational INVALID_MESSAGE_ID (9)
host pluto[8086]: "c" #1: received and ignored informational message
host pluto[8086]: | complete state transition with STF_IGNORE
but I cannot tell if this is significant (my only clue is that it seems
to give up at this point) or what the problem may be. I verified that
my firewall, the one doing the NAT, is not stopping any packet going
to the sentinel IP, just in case.
Thank you for your consideration
--
Paranoia is an afterthought.
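As an added example, not part of the original post or of Openswan, here is a small triage script for Pluto output of the kind shown above: it records the last IKE state each SA reached, counts Quick Mode retransmissions, and picks up any Notify Message Type the peer sent, so the reader can see at a glance that Phase 1 (Main Mode, SA #1) completed while Phase 2 (Quick Mode, SA #2) stalled with an INVALID_MESSAGE_ID notification. The sample lines are constructed from the post; the regexes and verdict strings are this example's own.

```python
import re

# Constructed sample: whack output and /var/log/debug lines modelled on the post.
SAMPLE_LOG = """\
004 "c" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
117 "c" #2: STATE_QUICK_I1: initiate
010 "c" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "c" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "c" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No
host pluto[8086]: | Notify Message Type: INVALID_MESSAGE_ID
host pluto[8086]: "c" #1: ignoring informational payload, type
"""

# Pluto prefixes state lines with the connection name and SA number, e.g. "c" #2.
STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_[A-Z0-9_]+)')
NOTIFY_RE = re.compile(r'Notify Message Type: (?P<type>[A-Z_]+)')
RETRANS_RE = re.compile(r'retransmission; will wait (?P<secs>\d+)s')


def triage(log_text):
    """Summarise how far each SA got and which notifications the peer sent."""
    summary = {"last_state": {}, "retransmissions": {}, "notifies": []}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            sa = int(m.group("sa"))
            summary["last_state"][sa] = m.group("state")
            if RETRANS_RE.search(line):
                summary["retransmissions"][sa] = summary["retransmissions"].get(sa, 0) + 1
        n = NOTIFY_RE.search(line)
        if n:
            summary["notifies"].append(n.group("type"))
    return summary


def diagnose(summary):
    """Map the summary to a verdict on which IKE phase stalled (hypothetical labels)."""
    phase1 = summary["last_state"].get(1, "")
    phase2 = summary["last_state"].get(2, "")
    if phase1 != "STATE_MAIN_I4":
        return "phase1-incomplete"
    if phase2 == "STATE_QUICK_I1" and summary["retransmissions"].get(2, 0) > 0:
        if "INVALID_MESSAGE_ID" in summary["notifies"]:
            return "phase2-stalled-peer-sent-INVALID_MESSAGE_ID"
        return "phase2-stalled-no-response"
    return "ok"


if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_LOG)))
```

Run against a full debug log, the verdict separates "the peer never answered Quick Mode" from "the peer answered with a notification it expects us to act on", which is the distinction the post is asking about.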