[Openswan Users] Problems CISCO PIX and OPENSWAN stuck in Phase 2

Javier Perez-Griffo javier.perez-griffo at ciemat.es
Mon Jun 5 18:23:35 CEST 2006 

Thanks for the quick response. Yes I getting the No_PROPOSAL_CHOSEN both
in the openswan machine and the pix router. What does that mean.

Regards, Javi

Log
--------------------------------------- 
Jun  5 17:19:18 dmz pluto[7958]: | p15 state object #1 found, in
STATE_MAIN_I4
Jun  5 17:19:18 dmz pluto[7958]: | processing connection ciemat
Jun  5 17:19:18 dmz pluto[7958]: | last Phase 1 IV:  84 f3 ab 64  03 0d
ed d2
Jun  5 17:19:18 dmz pluto[7958]: | current Phase 1 IV:  84 f3 ab 64  03
0d ed d2
Jun  5 17:19:18 dmz pluto[7958]: | computed Phase 2 IV:
Jun  5 17:19:18 dmz pluto[7958]: |   6b b1 bb f7  05 63 d2 69  8c 75 ba
04  91 3a 5b 43
Jun  5 17:19:18 dmz pluto[7958]: | received encrypted packet from
192.101.166.131:500
Jun  5 17:19:18 dmz pluto[7958]: | decrypting 88 bytes using algorithm
OAKLEY_3DES_CBC
Jun  5 17:19:18 dmz pluto[7958]: | decrypted:
Jun  5 17:19:18 dmz pluto[7958]: | next IV:  24 bf fc 05  ce cf 5f 79
Jun  5 17:19:18 dmz pluto[7958]: | ***parse ISAKMP Hash Payload:
Jun  5 17:19:18 dmz pluto[7958]: |    next payload type: ISAKMP_NEXT_N
Jun  5 17:19:18 dmz pluto[7958]: |    length: 20
Jun  5 17:19:18 dmz pluto[7958]: | ***parse ISAKMP Notification Payload:
Jun  5 17:19:18 dmz pluto[7958]: |    next payload type:
ISAKMP_NEXT_NONE
Jun  5 17:19:18 dmz pluto[7958]: |    length: 64
Jun  5 17:19:18 dmz pluto[7958]: |    DOI: ISAKMP_DOI_IPSEC
Jun  5 17:19:18 dmz pluto[7958]: |    protocol ID: 3
Jun  5 17:19:18 dmz pluto[7958]: |    SPI size: 4
Jun  5 17:19:18 dmz pluto[7958]: |    Notify Message Type:
NO_PROPOSAL_CHOSEN
Jun  5 17:19:18 dmz pluto[7958]: | removing 4 bytes of padding
Jun  5 17:19:18 dmz pluto[7958]: "lsk" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN
Jun  5 17:19:18 dmz pluto[7958]: | processing informational
NO_PROPOSAL_CHOSEN (14)
Jun  5 17:19:18 dmz pluto[7958]: "lsk" #1: received and ignored
informational message
Jun  5 17:19:18 dmz pluto[7958]: | complete state transition with
STF_IGNORE
Jun  5 17:19:18 dmz pluto[7958]: | next event EVENT_RETRANSMIT in 9
seconds for #2
Jun  5 17:19:27 dmz pluto[7958]: |
Jun  5 17:19:27 dmz pluto[7958]: | *time to handle event
Jun  5 17:19:27 dmz pluto[7958]: | handling event EVENT_RETRANSMIT
Jun  5 17:19:27 dmz pluto[7958]: | event after this is
EVENT_PENDING_PHASE2 in 97 seconds
Jun  5 17:19:27 dmz pluto[7958]: | processing connection lsk
Jun  5 17:19:27 dmz pluto[7958]: | handling event EVENT_RETRANSMIT for
192.101.166.131 "lsk" #2
Jun  5 17:19:27 dmz pluto[7958]: | sending 148 bytes for
EVENT_RETRANSMIT through eth0:500 to a.b.c.d:500:

El lun, 05-06-2006 a las 16:11 +0100, Brian Candler escribió:

> On Mon, Jun 05, 2006 at 05:04:37PM +0200, Javier Perez-Griffo wrote:
> > 117 "lsk" #2: STATE_QUICK_I1: initiate
> > 010 "lsk" #2: STATE_QUICK_I1: retransmission; will wait 20s for
> > response
> 
> When I've seen this it turned out that the far end didn't like our proposal
> (e.g. disagreement on cipher or PFS settings, or on the protected subnets).
> 
> tcpdump -v may show a NO_PROPOSAL_CHOSEN informative message. Debugging on
> the Cisco side will give you more detailled information: in IOS it's
> 
>   debug crypto isakmp
> 
> but I expect there's something similar on the PIX.
> 
> HTH,
> 
> Brian.

-- 
+----------------------------------------------------+
  Javier Perez-Griffo Callejon
  Network & Security Administrator
  CETA-lsk
  Paseo Ruiz de Mendoza, nº 8
  10200 Trujillo(Caceres), Spain
  Tel: +34 927321934 
  Email: Javier.Perez-Griffo at lsk.es
+----------------------------------------------------+
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20060605/35fb9a91/attachment.htm

More information about the Users mailing list