[Openswan Users] When i try to build a IPSec connection, i got EVENT_CRYPTO_FAILED and discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_R1

Paul Wouters paul at xelerance.com
Mon Aug 13 04:35:12 EDT 2007


On Mon, 13 Aug 2007, mix wrote:

Try adding nhelpers=0 to "config setup".

Paul

> Date: Mon, 13 Aug 2007 16:08:39 +0800
> From: mix <mix at cipherium.com.tw>
> To:  <users at openswan.org>, mix <mix at cipherium.com.tw>
> Subject: [Openswan Users] When i try to build a IPSec connection,
>     i got EVENT_CRYPTO_FAILED and discarding packet received during
>     asynchronous work (DNS or crypto) in STATE_MAIN_R1
>
>
>  *Hello guys
>
> I got a problem that can not resolve.
> When i try to build a IPSec connection with kernel 2.6.16.26 / openswan 2.4.9
> I got a EVENT_CRYPTO_FAILED, and don't know how to make it work.
> Can someone help me how to do?
>
> My network topology
> windows client (IP 10.1.1.2/255.255.255.0)  ----- linux with openswan
> 2.4.9(10.1.1.1/255.255.255.0 eth1) ------ 192.168.5.228(eth0) ------- gw -------
> internet
>
>
> Many thanks.
>
> message from ipsec whack --status*
>
> 000 interface ipsec0/eth1 10.1.1.1
> 000 %myid = (none)
> 000 debug
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
> 000
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128,
> keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128,
> keysizemax=128
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0}
> attrs={0,0,0}
> 000
> 000 "conn_10.1.1.2": 0.0.0.0/0===10.1.1.1...10.1.1.2; unrouted; eroute owner: #0
> 000 "conn_10.1.1.2":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "conn_10.1.1.2":   ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 600s;
> rekey_fuzz: 100%; keyingtries: 15
> 000 "conn_10.1.1.2":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+failureDROP; prio:
> 32,0; interface: eth1; encap: esp;
> 000 "conn_10.1.1.2":   dpd: action:clear; delay:10; timeout:15;
> 000 "conn_10.1.1.2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "conn_10.1.1.2":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
> 000 "conn_10.1.1.2":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
> 000
> 000 #3: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
> *EVENT_CRYPTO_FAILED* in 245s; nodpd
> 000 #1: "conn_10.1.1.2":500 STATE_MAIN_R1 (sent MR1, expecting MI2);
> *EVENT_CRYPTO_FAILED* in 44s; nodpd
>
>
> *message from pluto debug log*
>
> "conn_10.1.1.2" #1: discarding packet received during asynchronous work (DNS or
> crypto) in STATE_MAIN_R1
> | next event EVENT_PENDING_PHASE2 in 92 seconds
> |
> | *received 184 bytes from 10.1.1.2:500 on eth1 (port=500)
> |   3e 60 3a 91  56 e2 e1 d1  31 8a 2a d1  77 81 d3 90
> |   04 10 02 00  00 00 00 00  00 00 00 b8  0a 00 00 84
> |   6c 52 0f 65  6d ca 04 e2  e5 31 0c 56  13 67 5f 4b
> |   80 44 36 d0  6f fd 98 50  94 64 97 02  b2 3f 29 c8
> |   b5 6d 4c 45  80 ce 6f 49  7c eb 8c cc  1f 8b 84 26
> |   a7 65 a8 97  65 f9 5c fa  99 09 e7 f7  b6 f9 76 0f
> |   02 66 5d 2c  76 3a 47 2c  b5 89 8c f7  f8 4e 83 3d
> |   43 0b 47 83  bc fa 35 0a  b9 fb 0d 71  22 70 90 36
> |   15 22 e9 a8  17 62 66 1f  46 a2 09 66  ac fc 3c 49
> |   a2 b6 b6 bb  68 0c d7 e0  c6 a9 d5 00  ba 0a 81 33
> |   00 00 00 18  da 62 08 ce  ec 19 7c db  ec da 12 51
> |   f0 b3 e0 8a  be 25 03 61
> | **parse ISAKMP Message:
> |    initiator cookie:
> |   3e 60 3a 91  56 e2 e1 d1
> |    responder cookie:
> |   31 8a 2a d1  77 81 d3 90
> |    next payload type: ISAKMP_NEXT_KE
> |    ISAKMP version: ISAKMP Version 1.0
> |    exchange type: ISAKMP_XCHG_IDPROT
> |    flags: none
> |    message ID:  00 00 00 00
> |    length: 184
> |  processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
> | ICOOKIE:  3e 60 3a 91  56 e2 e1 d1
> | RCOOKIE:  31 8a 2a d1  77 81 d3 90
> | peer:  0a 01 01 02
> | state hash entry 14
> | peer and cookies match on #1, provided msgid 00000000 vs 00000000
> | state object #1 found, in STATE_MAIN_R1
> | processing connection conn_10.1.1.2
>
>
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list