[Openswan Users]

aheesh nagraj aheesh at gmail.com
Wed Jan 11 18:42:02 CET 2006


Hi Paul,

Finally I got my IPsec tunnel established. Phew!!!!

But this time I used 2.6.9 and 2.6.10 Fedora systems, and both the ISAKMP and
IPsec SAs got established without a hitch.

======================================================================================

000 "calvin": 172.22.65.0/24===172.22.65.226...172.22.65.56===172.22.65.0/24; erouted; eroute owner: #2
000 "calvin":     srcip=unset; dstip=unset
000 "calvin":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "calvin":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 24,24; interface: eth0;
000 "calvin":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "calvin":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #2: "calvin":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28032s; newest IPSEC; eroute owner
000 #2: "calvin" esp.c7631a0d@172.22.65.56 esp.5a182207@172.22.65.226 tun.0@172.22.65.56 tun.0@172.22.65.226
000 #1: "calvin":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2832s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
======================================================================================
Thanks
Aheesh



On 1/11/06, aheesh nagraj <aheesh at gmail.com> wrote:
>
> Hi Paul,
>
> I changed the system I was using and am now using a Fedora 2.6.5 and a
> 2.6.10 system, and now it's able to create an ISAKMP SA, but it is getting
> stuck at quick mode as seen below.
>
> Thanks,
> Aheesh
>
> P.S.: I fail to understand why my previous attempts with a 2.6.10 and a
> 2.6.9 Fedora were resulting in the RSA "wrong key?" error.
>
> ==================================================================
> [root@DT345 root]# ipsec auto --up wind
> 104 "wind" #1: STATE_MAIN_I1: initiate
> 003 "wind" #1: received Vendor ID payload [Openswan (this version) 2.3.1 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
> 003 "wind" #1: received Vendor ID payload [Dead Peer Detection]
> 106 "wind" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "wind" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "wind" #1: STATE_MAIN_I4: ISAKMP SA established
> 117 "wind" #2: STATE_QUICK_I1: initiate
> 003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented
> 032 "wind" #2: STATE_QUICK_I1: internal error
> 003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented
> 032 "wind" #2: STATE_QUICK_I1: internal error
> 010 "wind" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented
> 032 "wind" #2: STATE_QUICK_I1: internal error
> 010 "wind" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented
> 032 "wind" #2: STATE_QUICK_I1: internal error
> 031 "wind" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "wind" #2: starting keying attempt 2 of an unlimited number, but releasing whack
>
> ====================================================================
>
>
> On 1/10/06, Paul Wouters <paul at xelerance.com> wrote:
> >
> > On Tue, 10 Jan 2006, aheesh nagraj wrote:
> >
> > > I have 2 Fedora 2.6 systems with openswan-2.3.1 installed.
> >
> > yum update to get openswan-2.4.x
> >
> > > Jan 10 12:39:02 aheesh_sys pluto[3787]: "net-to-net" #97: Signature check (on 172.22.67.104) failed (wrong key?); tried *AQOaBoHjT
> >
> > You either accidentally switched left/rightrsasigkey= or you made a cut
> > and paste error, or you are just using the wrong public keys. Run
> > ipsec showhostkey --left on one end and ipsec showhostkey --right on
> > the other end and try again.
> >
> > Paul
> >
>
>
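
A small triage helper for pluto output like the two runs shown in this thread, added here as an example (not code from the posters or from Openswan): per connection it records whether the ISAKMP and IPsec SAs came up and whether the local kernel rejected an SA over netlink. The name `triage`, the verdict strings and the sample lines (rejoined from the outputs above) are assumptions of this example.

```python
import re

# Connection name follows the 3-digit code, optionally after a "#N:" SA number.
NAME = re.compile(r'^\d{3} (?:#\d+: )?"([^"]+)"')
NETLINK = re.compile(r'netlink response for (.+?) (\S+) included errno (\d+): (.+)$')

def triage(output):
    """Per connection: which SAs came up, kernel (netlink) errors, and a verdict."""
    conns = {}
    for line in output.splitlines():
        m = NAME.match(line.strip())
        if not m:
            continue
        c = conns.setdefault(m.group(1), {"isakmp": False, "ipsec": False,
                                          "kernel_errors": set(), "gave_up": False})
        if "ISAKMP SA established" in line:
            c["isakmp"] = True
        if "IPsec SA established" in line:
            c["ipsec"] = True
        if "max number of retransmissions" in line:
            c["gave_up"] = True
        e = NETLINK.search(line)
        if e:  # (operation, errno, text) as reported by the local kernel
            c["kernel_errors"].add((e.group(1), int(e.group(3)), e.group(4)))
    for c in conns.values():
        if c["ipsec"]:
            c["verdict"] = "tunnel up"
        elif c["isakmp"] and c["kernel_errors"]:
            c["verdict"] = "phase 1 ok; local kernel refused to install the phase 2 SA"
        elif c["isakmp"]:
            c["verdict"] = "phase 1 ok; phase 2 incomplete"
        else:
            c["verdict"] = "phase 1 not established"
    return conns

# Constructed sample: lines taken from the two outputs in this thread, with
# mail line-wraps rejoined and the archive's " at " restored to "@".
SAMPLE = '''\
004 "wind" #1: STATE_MAIN_I4: ISAKMP SA established
117 "wind" #2: STATE_QUICK_I1: initiate
003 "wind" #2: ERROR: netlink response for Add SA esp.951111a8@172.22.67.104 included errno 38: Function not implemented
032 "wind" #2: STATE_QUICK_I1: internal error
031 "wind" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 #2: "calvin":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28032s; newest IPSEC; eroute owner
000 #1: "calvin":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2832s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
'''

if __name__ == "__main__":
    for name, c in triage(SAMPLE).items():
        print(name, "->", c["verdict"], sorted(c["kernel_errors"]))
```

A netlink error is the local kernel's answer to pluto, so when one precedes the retransmission timeout, check the local side before the peer's proposals.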