[Openswan Users] SA established but not ping

sasa sasa at shoponweb.it
Tue Jan 3 12:24:07 CET 2006


...on end-point 'left' I have:

[root at test2 root]# ipsec auto --add princ-cardito
[root at test2 root]# ipsec auto --up princ-cardito
104 "princ-cardito" #115: STATE_MAIN_I1: initiate
003 "princ-cardito" #115: ignoring unknown Vendor ID payload 
[4f457a7d4646466667725f65]
003 "princ-cardito" #115: received Vendor ID payload [Dead Peer Detection]
106 "princ-cardito" #115: STATE_MAIN_I2: sent MI2, expecting MR2
108 "princ-cardito" #115: STATE_MAIN_I3: sent MI3, expecting MR3
004 "princ-cardito" #115: STATE_MAIN_I4: ISAKMP SA established
117 "princ-cardito" #116: STATE_QUICK_I1: initiate
004 "princ-cardito" #116: STATE_QUICK_I2: sent QI2, IPsec SA established 
{ESP=>0xa21e8a67 <0x71ea11f9 xfrm=3DES_0-HMAC_MD5}

..on end-point 'right' I have:

[root at fw2 ~]# ipsec auto --add princ-cardito
[root at fw2 ~]# ipsec auto --up princ-cardito
104 "princ-cardito" #2: STATE_MAIN_I1: initiate
010 "princ-cardito" #2: STATE_MAIN_I1: retransmission; will wait 20s for 
response
010 "princ-cardito" #2: STATE_MAIN_I1: retransmission; will wait 40s for 
response
010 "princ-cardito" #2: STATE_MAIN_I1: retransmission; will wait 40s for 
response

???
thanks again.

------
Salvatore.

----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "sasa" <sasa at shoponweb.it>
Cc: <users at openswan.org>
Sent: Monday, January 02, 2006 6:58 PM
Subject: Re: [Openswan Users] SA established but not ping


> On Mon, 2 Jan 2006, sasa wrote:
>
>> "Paul Wouters" wrote:
>> > Seems 5.6.7.8 is doing NAT
>>
>> ..ok but is very strange that:
>>
>> Jan  2 17:54:26 fw2 ipsec__plutorun: ...could not start conn 
>> "princ-cardito"
>>
>> ..and then:
>>
>> Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #3: STATE_QUICK_R2: 
>> IPsec
>> SA established {ESP=>0x4e571584 <0x30c7f1ea xfrm=3DES_0-HMAC_MD5
>> NATD=5.6.7.8:4500 DPD=none}
>> ...
>> 0    10.0.1.0/24   --> 192.168.0.0/24  --> tun0x1002 at 5.6.7.8
>
> Not really if NAT is involved. Initiating might work while responding 
> might fail,
> or visa versa, when assymtric routing with/without NAT is happening.
>
> Paul
> 



More information about the Users mailing list