[Openswan Users] SA established but not ping

sasa sasa at shoponweb.it
Thu Jan 5 10:59:55 CET 2006


Hi, the problem is on the xDSL router because NAT on the router is
enabled; now I have disabled NAT on the router and the problem is solved.
Thanks.

------
Salvatore.

----- Original Message ----- 
From: "sasa" <sasa at shoponweb.it>
To: "Paul Wouters" <paul at xelerance.com>
Cc: <users at openswan.org>
Sent: Tuesday, January 03, 2006 12:33 PM
Subject: Re: [Openswan Users] SA established but not ping


> ...sorry, the complete message on end-point 'right' is:
>
> [root@fw2 ~]# ipsec auto --add princ-cardito
> [root@fw2 ~]# ipsec auto --up princ-cardito
> 104 "princ-cardito" #2: STATE_MAIN_I1: initiate
> 010 "princ-cardito" #2: STATE_MAIN_I1: retransmission; will wait 20s for 
> response
> 010 "princ-cardito" #2: STATE_MAIN_I1: retransmission; will wait 40s for 
> response
> 010 "princ-cardito" #2: STATE_MAIN_I1: retransmission; will wait 40s for 
> response
> ...
> 031 "princ-cardito" #2: max number of retransmissions (20) reached 
> STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE 
> message
> 000 "princ-cardito" #2: starting keying attempt 2 of an unlimited number, 
> but releasing whack
>
> ..and end-point 'left':
>
> [root@test2 root]# ipsec auto --add princ-cardito
> [root@test2 root]# ipsec auto --up princ-cardito
> 104 "princ-cardito" #115: STATE_MAIN_I1: initiate
> 003 "princ-cardito" #115: ignoring unknown Vendor ID payload
> [4f457a7d4646466667725f65]
> 003 "princ-cardito" #115: received Vendor ID payload [Dead Peer Detection]
> 106 "princ-cardito" #115: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "princ-cardito" #115: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "princ-cardito" #115: STATE_MAIN_I4: ISAKMP SA established
> 117 "princ-cardito" #116: STATE_QUICK_I1: initiate
> 004 "princ-cardito" #116: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0xa21e8a67 <0x71ea11f9 xfrm=3DES_0-HMAC_MD5}
>
> thanks.
>
> ------
> Salvatore.
>
>
> ----- Original Message ----- 
> From: "Paul Wouters" <paul at xelerance.com>
> To: "sasa" <sasa at shoponweb.it>
> Cc: <users at openswan.org>
> Sent: Monday, January 02, 2006 6:58 PM
> Subject: Re: [Openswan Users] SA established but not ping
>
>
>> On Mon, 2 Jan 2006, sasa wrote:
>>
>>> "Paul Wouters" wrote:
>>> > Seems 5.6.7.8 is doing NAT
>>>
>>> ..ok but it is very strange that:
>>>
>>> Jan  2 17:54:26 fw2 ipsec__plutorun: ...could not start conn 
>>> "princ-cardito"
>>>
>>> ..and then:
>>>
>>> Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #3: STATE_QUICK_R2: 
>>> IPsec
>>> SA established {ESP=>0x4e571584 <0x30c7f1ea xfrm=3DES_0-HMAC_MD5
>>> NATD=5.6.7.8:4500 DPD=none}
>>> ...
>>> 0    10.0.1.0/24   --> 192.168.0.0/24  --> tun0x1002@5.6.7.8
>>
>> Not really if NAT is involved. Initiating might work while responding
>> might fail, or vice versa, when asymmetric routing with/without NAT is
>> happening.
>>
>> Paul
>>
>
> 
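
An added example, not part of the original thread: a small triage script for pluto/whack output that flags the asymmetric pattern quoted above for fw2, where initiating times out in STATE_MAIN_I1 while responding establishes an SA that reports NATD on port 4500. The sample lines are taken from the quoted output with the mail line-wraps rejoined; the function names and the diagnosis wording are assumptions.

```python
import re

# Sample input constructed from the thread's quoted output (line-wraps rejoined).
SAMPLE = {
    "right": [
        '104 "princ-cardito" #2: STATE_MAIN_I1: initiate',
        '010 "princ-cardito" #2: STATE_MAIN_I1: retransmission; will wait 20s for response',
        '031 "princ-cardito" #2: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message',
        'Jan  2 17:54:49 fw2 pluto[5278]: "princ-cardito" #3: STATE_QUICK_R2: IPsec SA established {ESP=>0x4e571584 <0x30c7f1ea xfrm=3DES_0-HMAC_MD5 NATD=5.6.7.8:4500 DPD=none}',
    ],
    "left": [
        '004 "princ-cardito" #115: STATE_MAIN_I4: ISAKMP SA established',
        '004 "princ-cardito" #116: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa21e8a67 <0x71ea11f9 xfrm=3DES_0-HMAC_MD5}',
    ],
}

LINE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
STATE = re.compile(r'STATE_(MAIN|QUICK)_([IR])\d')   # I = initiator, R = responder
NATD = re.compile(r'NATD=([0-9.]+):(\d+)')           # peer address/port seen through NAT

def summarize(lines):
    """Collapse one endpoint's pluto output into per-role facts."""
    facts = {"initiator_ok": False, "responder_ok": False,
             "initiator_timeout": False, "natd": None}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a pluto connection line
        msg = m["msg"]
        st = STATE.search(msg)
        role = st.group(2) if st else None
        if "IPsec SA established" in msg and role:
            facts["initiator_ok" if role == "I" else "responder_ok"] = True
            nat = NATD.search(msg)
            if nat:
                facts["natd"] = (nat.group(1), int(nat.group(2)))
        elif "max number of retransmissions" in msg and "STATE_MAIN_I1" in msg:
            facts["initiator_timeout"] = True
    return facts

def diagnose(facts):
    """Map the facts to a first thing to check (wording is illustrative)."""
    if facts["initiator_timeout"] and facts["responder_ok"] and facts["natd"]:
        return "asymmetric: responds via NAT-T but cannot initiate; check NAT on the path to the peer"
    if facts["initiator_timeout"]:
        return "no reply to first IKE message; check reachability of UDP 500 on the peer"
    if facts["initiator_ok"] or facts["responder_ok"]:
        return "SA established"
    return "no SA activity seen"
```
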


