[Openswan Users] STATE_QUICK_I1 stuck
Michael Jeffries
MichaelJ at fastnet.co.za
Mon Jan 9 14:44:52 CET 2006
Hi there
I have been looking on the web and your mailing list but have not gotten any real answers to my problem yet.
I get the following error message when trying to start up my IPSec tunnel. I am trying to do this with PSK. Now most of the links I got on the net state that if it gets stuck at STATE_QUICK_I1, it is because the subnets are incorrect. I have checked my etc/ipsec.d/policy/ files and they look fine.
WHAT are the common causes of OpenSwan getting stuck at STATE_QUICK_I1?
My ipsec.conf file looks as follows
include /etc/ipsec.d/examples/no_oe.conf

# basic configuration
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=all
    plutodebug=all

# Add connections here
conn tunnelipsec
    type=tunnel
    left=10.3.1.9 # Local ip
    leftsubnet=10.3.1.0/24 #Local network
    right=10.100.10.111 #Remote ip address
    rightsubnet=155.236.47.0/24 # Remote network
    authby=secret
    auto=add
    pfs=no

[root@bb ~]# ipsec auto --verbose --up tunnelipsec
002 "tunnelipsec" #15: initiating Main Mode
104 "tunnelipsec" #15: STATE_MAIN_I1: initiate
003 "tunnelipsec" #15: received Vendor ID payload [Dead Peer Detection]
002 "tunnelipsec" #15: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "tunnelipsec" #15: STATE_MAIN_I2: sent MI2, expecting MR2
002 "tunnelipsec" #15: I did not send a certificate because I do not have one.
002 "tunnelipsec" #15: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "tunnelipsec" #15: STATE_MAIN_I3: sent MI3, expecting MR3
002 "tunnelipsec" #15: Main mode peer ID is ID_IPV4_ADDR: '10.100.10.111'
002 "tunnelipsec" #15: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "tunnelipsec" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
002 "tunnelipsec" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#15}
117 "tunnelipsec" #17: STATE_QUICK_I1: initiate
010 "tunnelipsec" #17: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "tunnelipsec" #17: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "tunnelipsec" #17: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "tunnelipsec" #17: starting keying attempt 2 of an unlimited number, but releasing whack
My ipsec.secrets looks as follows
10.3.1.9 10.100.10.111 : PSK "test"
Got this from my barf. Does this mean that the secret keys do not match, as I have set them both to "test"?
Jan 9 14:22:00 bb pluto[27503]: | actually looking for secret for 10.3.1.9->10.100.10.111 of kind PPK_PSK
Jan 9 14:22:00 bb pluto[27503]: | 1: compared PSK 10.100.10.111 to 10.3.1.9 / 10.100.10.111 -> 2
Jan 9 14:22:01 bb pluto[27503]: | 2: compared PSK 10.3.1.9 to 10.3.1.9 / 10.100.10.111 -> 6
Jan 9 14:22:01 bb pluto[27503]: | best_match 0>6 best=0x80f8440 (line=1)
Jan 9 14:22:01 bb pluto[27503]: | concluding with best_match=6 best=0x80f8440 (lineno=1)
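Added example (not part of the original post and not Openswan code): a small Python triage of the `ipsec auto --up` status lines quoted above, reporting whether the negotiation gave up in Phase 1 (Main Mode) or Phase 2 (Quick Mode). The function names and the line-layout regex are assumptions made for illustration.

```python
import re

# Sample input: status lines taken from the `ipsec auto --up` output in the post.
SAMPLE = """\
104 "tunnelipsec" #15: STATE_MAIN_I1: initiate
004 "tunnelipsec" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "tunnelipsec" #17: STATE_QUICK_I1: initiate
010 "tunnelipsec" #17: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "tunnelipsec" #17: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "tunnelipsec" #17: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# NNN "conn" #serial: message  (layout assumed from the lines above)
STATUS = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')

def triage(output):
    """Summarise how far an IKEv1 negotiation got (hypothetical helper)."""
    r = {"phase1_up": False, "phase1": {}, "last_state": None,
         "retransmits": 0, "gave_up_in": None}
    for line in output.splitlines():
        m = STATUS.match(line.strip())
        if not m:
            continue
        msg = m.group(4)
        state = re.match(r"(STATE_\w+):", msg)
        if state:
            r["last_state"] = state.group(1)
        if "ISAKMP SA established" in msg:
            # Main Mode finished: both peers authenticated, so the PSK matched.
            r["phase1_up"] = True
            r["phase1"] = dict(re.findall(r"(\w+)=(\w+)", msg))
        if "retransmission;" in msg:
            r["retransmits"] += 1
        gave_up = re.search(r"max number of retransmissions \(\d+\) reached (STATE_\w+)", msg)
        if gave_up:
            r["gave_up_in"] = gave_up.group(1)
    return r

def failing_phase(r):
    """Return 'phase1', 'phase2' or None from a triage() result."""
    stuck = r["gave_up_in"] or ""
    if stuck.startswith("STATE_MAIN"):
        return "phase1"   # ISAKMP SA never came up: addressing, PSK or IKE proposal
    if stuck.startswith("STATE_QUICK") and r["phase1_up"]:
        return "phase2"   # IPsec SA rejected or unanswered: subnets, pfs, ESP proposal
    return None

if __name__ == "__main__":
    print(failing_phase(triage(SAMPLE)), triage(SAMPLE))
```

For the output in the post this reports `phase2`: the ISAKMP SA was established with `auth=OAKLEY_PRESHARED_KEY`, and the retransmissions happen only after Quick Mode starts.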