[Openswan Users]

Paul Wouters paul at xelerance.com
Wed Jun 21 16:50:46 CEST 2006


On Wed, 21 Jun 2006, Thibault Jouan wrote:

> # ipsec auto --up truc
> 104 "truc" #1: STATE_MAIN_I1: initiate
> 003 "tructruc" #1: ignoring unknown Vendor ID payload
> [248982ac5f111a4ea52807e91f893e1eb00800310000000d00000403]
> 003 "truc" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> 106 "truc" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "truc" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "truc" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> 117 "truc" #2: STATE_QUICK_I1: initiate
> 010 "truc" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "truc" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "truc" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No
> acceptable response to our first Quick Mode message: perhaps peer likes no
> proposal
> 000 "truc" #2: starting keying attempt 2 of an unlimited number, but releasing
> whack

The other end is rejecting your phase 2 proposal. Try different esp= settings.

>  and the traffic on the network interface is :
>
> 12:35:59.546987 IP (tos 0x0, ttl  64, id 0, offset 0, flags [DF], proto: UDP
> (17), length: 320) 1.2.3.4.isakmp > 5.6.7.8.isakmp: isakmp 1.0 msgid  cookie
> ->: phase 1 I ident: [|sa]

There is hardly ever any point in getting ipsec logs; most of it is encrypted.

> I know that the endpoint 5.6.7.8 is a netscreen juniper 208 but I don't have
> any access to this equipment; I only know a little of its logs:
>
> Jun 20 09:11:01 FW-AUB-01 FW-AUB-01: NetScreen device_id=FW-AUB-01
> system-information-00536: IKE<194.206.90.82> Phase 2: No policy exists for the
> proxy ID received: local ID (<10.47.1.0>/<255.255.255.0>,<0>,<0>) remote ID
> (<192.168.1.0>/<255.255.255.0>,<0>,<0>) (2006-06-20 09:10:59)

So either you are using a wrong id, or your netscreen is lacking a phase 2
configuration.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
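
Added example (not part of the original message, and not Openswan or NetScreen code): a small Python check that parses the NetScreen "No policy exists for the proxy ID received" entry quoted above and tells the two cases in the reply apart, a wrong ID on the Openswan side or a missing phase 2 policy on the NetScreen. The function names, the result labels and the agreed subnets passed in are hypothetical, and the mapping of the NetScreen's "local ID" to Openswan's rightsubnet is an assumption.

```python
import ipaddress
import re

# Matches the NetScreen message quoted in the thread (after whitespace is collapsed).
PROXY_RE = re.compile(
    r"No policy exists for the proxy ID received: "
    r"local ID \(<([\d.]+)>/<([\d.]+)>,<(\d+)>,<(\d+)>\) "
    r"remote ID \(<([\d.]+)>/<([\d.]+)>,<(\d+)>,<(\d+)>\)"
)

def received_proxy_ids(log_text):
    """Return (local_net, remote_net) as the NetScreen logged them, or None."""
    m = PROXY_RE.search(" ".join(log_text.split()))  # undo mail line wrapping
    if m is None:
        return None
    local = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    remote = ipaddress.ip_network(f"{m.group(5)}/{m.group(6)}", strict=False)
    return local, remote

def diagnose(log_text, agreed_netscreen_net, agreed_openswan_net):
    """Classify the rejection against the subnet pair agreed with the peer's admin.

    Assumption: the NetScreen's "local ID" is its own side of the tunnel, so it
    corresponds to Openswan's rightsubnet and "remote ID" to leftsubnet
    (with Openswan configured as "left").
    """
    ids = received_proxy_ids(log_text)
    if ids is None:
        return "no-proxy-id-rejection"
    want = (ipaddress.ip_network(agreed_netscreen_net),
            ipaddress.ip_network(agreed_openswan_net))
    if ids == want:
        return "peer-missing-policy"   # IDs are right; NetScreen lacks phase 2 config
    if ids == want[::-1]:
        return "subnets-swapped"       # leftsubnet/rightsubnet reversed
    return "wrong-id"                  # fix leftsubnet=/rightsubnet= to the agreed pair

# The log entry from the thread, line-wrapped as it appears in the mail.
SAMPLE_LOG = """Jun 20 09:11:01 FW-AUB-01 FW-AUB-01: NetScreen device_id=FW-AUB-01
system-information-00536: IKE<194.206.90.82> Phase 2: No policy exists for the
proxy ID received: local ID (<10.47.1.0>/<255.255.255.0>,<0>,<0>) remote ID
(<192.168.1.0>/<255.255.255.0>,<0>,<0>) (2006-06-20 09:10:59)"""

if __name__ == "__main__":
    # The agreed subnets below are constructed for illustration.
    print(received_proxy_ids(SAMPLE_LOG))
    print(diagnose(SAMPLE_LOG, "10.47.1.0/24", "192.168.1.0/24"))
    print(diagnose(SAMPLE_LOG, "10.47.0.0/16", "192.168.1.0/24"))
```
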
