[Openswan Users] More on the Watchguard Firebox II issue

Jason Green jave27 at gmail.com
Fri Jan 27 15:06:47 CET 2006


I searched around a bit more and got Openswan to get a little further, but
I'm having new issues now.  I'm running openswan 2.4.0 on AMD64 Ubuntu
Breezy.  The linux box is behind a ZyXEL firewall which has IPSec VPN
passthrough enabled.  So, when I say "my public ip", I mean the one assigned
to the firewall, not the linux box itself.  The linux box has a private
192.168.1.xxx address.


Here is the info I get from starting the ipsec service and running "ipsec
auto --up myconn":

104 "myconn" #1: STATE_MAIN_I1: initiate
003 "myconn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "myconn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
108 "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myconn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
117 "myconn" #2: STATE_QUICK_I1: initiate
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 ""myconn"" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "myconn" #2: starting keying attempt 2 of at most 3, but releasing whack



Here's my ipsec.conf file:

# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        nat_traversal=yes

# Add connections here
conn myconn
        type=tunnel
        compress=no
        keyingtries=3
        authby=secret
        auth=esp
        left=%defaultroute
        leftid=xxx.xxx.xxx.xxx                  # my public IP
        right=xxx.xxx.xxx.xxx                   # company's public IP (Watchguard Firebox II, version 7.x)
        rightsubnet=192.168.0.0/255.255.255.0   # company's internal IP range
        rightid=xxx.xxx.xxx.xxx                 # company's public IP again
        aggrmode=no
        auto=add
        esp=3des-md5
        ike=3des-md5
        pfs=yes

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf



Here's the log on the Watchguard Monitor:

01/27/06 14:58  iked[169]:  FROM  <my public IP> IF-HDR* -C0B3901E ISA_HASH
01/27/06 14:58  iked[169]:  Received a packet for an unknown SA
01/27/06 14:58  iked[169]:  Received a packet for an unknown SA
01/27/06 14:58  iked[169]:  FROM  <my public IP> MM-HDR   ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID ISA_VENDORID
01/27/06 14:58  iked[169]:  TO    <my public IP> MM-HDR   ISA_SA ISA_VENDORID
01/27/06 14:58  iked[169]:  FROM  <my public IP> MM-HDR   ISA_KE ISA_NONCE NAT-D NAT-D
01/27/06 14:58  iked[169]:  TO    <my public IP> MM-HDR   ISA_KE ISA_NONCE NAT-D NAT-D
01/27/06 14:58  iked[169]:  CRYPTO ACTIVE after delay
01/27/06 14:58  iked[169]:  FROM  <my public IP> MM-HDR*# ISA_ID ISA_HASH
01/27/06 14:58  iked[169]:  TO    <my public IP> MM-HDR*# ISA_ID ISA_HASH
01/27/06 14:58  iked[169]:  FROM  <my public IP> QM-HDR*#-12573EF3 ISA_HASH ISA_SA ISA_NONCE ISA_KE ISA_ID ISA_ID
01/27/06 14:58  iked[169]:  WARNING - No Matching IPSec Policy found for <my public IP>
01/27/06 14:58  iked[169]:  ACTION - Verify VPN IPSec Policies for <my public IP>
01/27/06 14:58  iked[169]:  get_ipsec_pref: Unable to find channel info for remote(<my public IP>)
01/27/06 14:58  iked[169]:  Sending INVALID_ID_INFO message
01/27/06 14:58  iked[169]:  TO    <my public IP> IF-HDR*#-8E61875F ISA_HASH ISA_NOTIFY
01/27/06 14:58  iked[169]:  Quick Mode processing failed



Hmm... maybe it's on the Watchguard box, after reviewing these logs.
Although everything looks correct on that side.  Anyway, if anyone has any
suggestions, I'm about at my wits' end on this issue.  Thanks in advance!
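The two logs above, read together, separate the Main Mode (phase 1) exchange from the Quick Mode (phase 2) exchange: pluto reports the ISAKMP SA as established and then times out in STATE_QUICK_I1, while the Firebox answers the first Quick Mode message with an INVALID_ID_INFO notify. The following analyser is an added example, not part of the post above and not Openswan or Watchguard code; it runs over the two logs (rejoined and embedded as sample input) and reports which phase failed and what the peer's notify says about it. The mapping from notify type to hint is my own reading of IKEv1 (RFC 2408 notify names) and is not something the post confirms.

```python
import re

# Sample input: the "ipsec auto --up" output quoted in the post above, with
# wrapped lines rejoined and the IP placeholders left as written.
OPENSWAN_OUTPUT = """\
104 "myconn" #1: STATE_MAIN_I1: initiate
003 "myconn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "myconn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
108 "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "myconn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
117 "myconn" #2: STATE_QUICK_I1: initiate
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "myconn" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 ""myconn"" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "myconn" #2: starting keying attempt 2 of at most 3, but releasing whack
"""

# Sample input: the tail of the Firebox iked log quoted in the post above.
WATCHGUARD_LOG = """\
01/27/06 14:58  iked[169]:  FROM  <my public IP> MM-HDR*# ISA_ID ISA_HASH
01/27/06 14:58  iked[169]:  TO    <my public IP> MM-HDR*# ISA_ID ISA_HASH
01/27/06 14:58  iked[169]:  FROM  <my public IP> QM-HDR*#-12573EF3 ISA_HASH ISA_SA ISA_NONCE ISA_KE ISA_ID ISA_ID
01/27/06 14:58  iked[169]:  WARNING - No Matching IPSec Policy found for <my public IP>
01/27/06 14:58  iked[169]:  Sending INVALID_ID_INFO message
01/27/06 14:58  iked[169]:  TO    <my public IP> IF-HDR*#-8E61875F ISA_HASH ISA_NOTIFY
01/27/06 14:58  iked[169]:  Quick Mode processing failed
"""

# One pluto status line: 3-digit code, connection name (doubly quoted on the
# 031 line, hence the "+), SA number and free-text message.
WHACK_RE = re.compile(r'^(?P<code>\d{3})\s+"+(?P<conn>[^"]+)"+\s+#(?P<sa>\d+):\s+(?P<msg>.*)$')
PARAMS_RE = re.compile(r'\{([^}]*)\}')
# The Firebox logs the IKEv1 notify it sends as "Sending <NAME> message";
# the names abbreviate the RFC 2408 notify types (assumption based on the post).
NOTIFY_RE = re.compile(r'Sending\s+(?P<notify>[A-Z_]+)\s+message')


def parse_openswan(text):
    """Group pluto messages by SA number (#1 is the ISAKMP SA, #2 the IPsec SA here)."""
    by_sa = {}
    for line in text.splitlines():
        m = WHACK_RE.match(line)
        if m:
            by_sa.setdefault(int(m.group('sa')), []).append(m.group('msg'))
    return by_sa


def diagnose(openswan_text, peer_log):
    """Return which IKE phase failed and what the peer's notify implies."""
    result = {'phase1': 'unknown', 'phase1_params': {}, 'nat': None,
              'phase2': 'unknown', 'peer_notify': None, 'hint': ''}
    for _sa, msgs in sorted(parse_openswan(openswan_text).items()):
        for msg in msgs:
            if 'ISAKMP SA established' in msg:
                result['phase1'] = 'established'
                pm = PARAMS_RE.search(msg)
                if pm:  # auth=... cipher=... prf=... group=...
                    result['phase1_params'] = dict(kv.split('=', 1) for kv in pm.group(1).split())
            elif 'NAT-Traversal: Result' in msg:
                result['nat'] = msg.split(':')[-1].strip()
            elif 'IPsec SA established' in msg:
                result['phase2'] = 'established'
            elif msg.startswith('max number of retransmissions') and 'QUICK' in msg:
                result['phase2'] = 'failed'
    for line in peer_log.splitlines():
        nm = NOTIFY_RE.search(line)
        if nm:
            result['peer_notify'] = nm.group('notify')
    if result['phase1'] == 'established' and result['phase2'] == 'failed':
        notify = result['peer_notify'] or ''
        if notify.startswith('INVALID_ID'):
            result['hint'] = ('Peer rejected the Quick Mode ID payloads (the offered local/remote '
                              'selectors); compare them with the policy configured on the peer.')
        elif notify == 'NO_PROPOSAL_CHOSEN':
            result['hint'] = 'Peer rejected the phase 2 transform; compare esp= and pfs= settings.'
        else:
            result['hint'] = 'Phase 1 succeeded but phase 2 got no usable reply; check the peer log.'
    return result


if __name__ == '__main__':
    for key, value in diagnose(OPENSWAN_OUTPUT, WATCHGUARD_LOG).items():
        print(f'{key}: {value}')
```

The point of keying on the peer's notify rather than on pluto's "perhaps peer likes no proposal" guess is that pluto only sees a timeout: under NAT-T the Firebox's reply is an informational exchange carrying a notify, and it is that notify (INVALID_ID_INFO here, as opposed to NO_PROPOSAL_CHOSEN) that tells you whether to look at the traffic selectors or at the transform set.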