[Openswan Users] Problems CISCO PIX and OPENSWAN stuck in Phase 2

Javier Perez-Griffo javier.perez-griffo at ciemat.es
Mon Jun 5 18:04:37 CEST 2006


It seems that I am not able to get past phase 2. Any help is greatly
appreciated.

Regards, Javi

Error Message:

root@dmz:~# ipsec auto --up --verbose ciemat
002 "ciemat" #1: initiating Main Mode
104 "ciemat" #1: STATE_MAIN_I1: initiate
002 "ciemat" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "ciemat" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ciemat" #1: received Vendor ID payload [XAUTH]
003 "ciemat" #1: received Vendor ID payload [Dead Peer Detection]
003 "ciemat" #1: received Vendor ID payload [Cisco-Unity]
003 "ciemat" #1: ignoring unknown Vendor ID payload [9b35d5378f5c5dad4f7e1d9717df2231]
002 "ciemat" #1: I did not send a certificate because I do not have one.
002 "ciemat" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "ciemat" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "ciemat" #1: Main mode peer ID is ID_IPV4_ADDR: '192.101.166.131'
002 "ciemat" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "ciemat" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "ciemat" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
117 "ciemat" #2: STATE_QUICK_I1: initiate
010 "ciemat" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ciemat" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "ciemat" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "ciemat" #2: starting keying attempt 2 of an unlimited number, but releasing whack

config file:

config setup
        interfaces="ipsec0=eth0"
        nat_traversal=yes
        uniqueids=yes
        klipsdebug = all
        plutodebug = all

conn lask
        type            = tunnel
        left            = 192.168.a.c
        leftnexthop     = 192.168.a.b
        leftsubnet      = c.d.e.f/24
        leftid          = c.d.e.f
        right           = w.r.y.z
        rightid         = w.r.y.z
        ike             = 3des-md5-96
        esp             = 3des-md5-96
        authby          = secret
        auth            = esp
        spibase         = 0x200
        keyexchange     = ike
        keylife         = 3600
        pfs             = no
        auto            = add

include /etc/ipsec.d/examples/no_oe.conf
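A small triage helper for output like the above, added here as an example (it is not from the original post or from Openswan): it parses pluto's status lines, tracks each SA, and shows that Phase 1 completed with the negotiated parameters while Phase 2 stalled at STATE_QUICK_I1 with no response from the peer. The sample log is constructed from the lines in the post.

```python
import re

# Constructed sample: the status lines from the post above, mailer line wraps rejoined.
SAMPLE_LOG = """\
002 "ciemat" #1: initiating Main Mode
004 "ciemat" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "ciemat" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
010 "ciemat" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ciemat" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "ciemat" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# pluto status line: 3-digit code, quoted conn name, SA number, message text
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\b(STATE_(?:MAIN|QUICK)_[IR]\d)\b')

def triage(log):
    """Per-SA summary: phase, last state, established?, retransmits, failure text."""
    sas = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        code, sa, msg = m['code'], int(m['sa']), m['msg']
        rec = sas.setdefault(sa, dict(phase=None, last_state=None, established=False,
                                      retransmissions=0, failure=None, params={}))
        if msg.startswith('initiating'):        # "initiating Main Mode" / "initiating Quick Mode"
            rec['phase'] = 1 if 'Main Mode' in msg else 2
        if (st := STATE_RE.search(msg)):
            rec['last_state'] = st.group(1)
        if code == '010':                       # retransmission notice
            rec['retransmissions'] += 1
        if 'SA established' in msg:             # "ISAKMP SA established" / "IPsec SA established"
            rec['established'] = True
            rec['params'] = dict(kv.split('=', 1) for kv in re.findall(r'\w+=\w+', msg))
        if code == '031':                       # retransmission limit reached, negotiation gave up
            rec['failure'] = msg
    return sas

def diagnose(sas):
    """Reduce the per-SA records to a verdict on where the negotiation stopped."""
    phase1 = [r for r in sas.values() if r['phase'] == 1]
    phase2 = [r for r in sas.values() if r['phase'] == 2]
    if not any(r['established'] for r in phase1):
        return 'phase1-failed'
    if any(r['established'] for r in phase2):
        return 'tunnel-up'
    if any(r['failure'] for r in phase2):
        return 'phase2-no-response'   # IKE SA is up but no IPsec SA: traffic is NOT protected
    return 'phase2-pending'
```

For the posted log, `diagnose(triage(SAMPLE_LOG))` returns `phase2-no-response`; the Phase 1 parameters (3DES, MD5, modp1024, PSK) in `params` are what the peer accepted, so the mismatch to look for on the PIX side is in the Phase 2 proposal (ESP transform, PFS and traffic selectors).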

