[Openswan Users] Connection to Netscreen 500, PHASE 2 fails

Paul Wouters paul at xelerance.com
Fri Dec 7 00:22:35 EST 2007


On Thu, 6 Dec 2007, Michael Lavallée wrote:

> We are passing PHASE 1 without any problems that I can see, but things
> hang up on entering PHASE 2 and I can not tell from the log files what
> exactly is going on.
>
> I guess to start off with I should tell you the parameters I was given
> by them.
>
> PHASE1: AES 256, PSK, SHA-1, GROUP2, Lifetime 28 800 seconds.
> PHASE2: AES 256, SHA-1, GROUP2, Lifetime 3600 seconds, PFS YES.
>
> My configuration, from /etc/ipsec.d/partner.conf
>   auto=add
>   authby=secret
>   compress=no
>   ike=aes256-sha1-modp1024
>   esp=aes256-sha1
>   pfs=yes
>   left=xxx.xxx.205.212   #My box, Internet IP.
>   right=xxx.xxx.94.73     #Their box, Internet IP.
>
> This is what they said they configured their NetScreen as for our
> specific VPN:
>   set ike p1-proposal "mlavalle" preshare group2 esp aes256 sha-1 second
> 28800
>   set ike p2-proposal "mlavalle" group2 esp aes256 sha-1 second 3600
>   set ike gateway "mlavalle" address xxx.xxx.205.212 Main
> outgoing-interface "ethernet3/1:1" preshare "--snip--" proposal "mlavalle"
>   set vpn "mlavalle" gateway "mlavalle" no-replay tunnel idletime 0
> proposal "mlavalle"
>
> My box has a direct connection to the Internet, and acts as a gateway
> for the other workstations here, so I don't think NAT is an issue in
> this circumstance.  I also have a static Internet IP, as does the
> NetScreen I am trying to connect to.
>
> # ipsec auto --up partner
> 104 "partner" #8: STATE_MAIN_I1: initiate
> 003 "partner" #8: ignoring unknown Vendor ID payload
> [2c78d2631621ef645b510ec9202f31024d1560e50000000200000514]
> 003 "partner" #8: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> 106 "partner" #8: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "partner" #8: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "partner" #8: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> 117 "partner" #9: STATE_QUICK_I1: initiate
> 010 "partner" #9: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "partner" #9: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "partner" #9: max number of retransmissions (2) reached
> STATE_QUICK_I1.  No acceptable response to our first Quick Mode message:
> perhaps peer likes no proposal
> 000 "partner" #9: starting keying attempt 2 of an unlimited number, but
> releasing whack

So they don't like your config options it seems. Can you let them
initiate and see what the openswan box then logs. At least then we
can see the proposal it wants for phase2, and adjust it accordingly.

Paul
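Added example, not code from this thread, from Openswan or from Juniper: a small Python script that reads `ipsec auto --up` output of the shape quoted above, reports how far IKE got (phase 1 parameters, Quick Mode retransmissions, a verdict), and normalises the Openswan `esp=`/`pfs=`/`ike=` settings and a NetScreen `set ike p2-proposal` line into one vocabulary so obvious phase 2 mismatches show up before anyone asks the peer for their log. The sample log lines are constructed to mirror the quoted output (vendor ID bytes replaced by a placeholder); the rule that Openswan reuses the phase 1 DH group for PFS when `esp=` names none is restated from the ipsec.conf documentation and treated here as an assumption; all function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: shape mirrors the `ipsec auto --up partner` output quoted in
# the thread, with the vendor ID payload bytes replaced by a placeholder.
SAMPLE_LOG = """\
104 "partner" #8: STATE_MAIN_I1: initiate
003 "partner" #8: ignoring unknown Vendor ID payload [VENDOR-ID-PLACEHOLDER]
106 "partner" #8: STATE_MAIN_I2: sent MI2, expecting MR2
108 "partner" #8: STATE_MAIN_I3: sent MI3, expecting MR3
004 "partner" #8: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
117 "partner" #9: STATE_QUICK_I1: initiate
010 "partner" #9: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "partner" #9: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "partner" #9: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAM_RE = re.compile(r'(\w+)=(\w+)')

# NetScreen and ipsec.conf spell algorithms and DH groups differently; map both onto
# one vocabulary (IKE group2 is the 1024-bit MODP group, group5 1536, group14 2048).
NORMALISE = {"sha-1": "sha1", "sha1": "sha1", "aes256": "aes256", "aes-256": "aes256",
             "3des": "3des", "md5": "md5", "group2": "modp1024", "group5": "modp1536",
             "group14": "modp2048"}

@dataclass
class Event:
    code: str
    conn: str
    sa: int
    msg: str

def parse_pluto_log(text):
    """Turn pluto/whack status lines into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m["code"], m["conn"], int(m["sa"]), m["msg"]))
    return events

def diagnose(events):
    """Summarise how far IKE got: phase 1 parameters, phase 2 outcome and a verdict."""
    result = {"phase1_established": False, "isakmp": {}, "phase2_established": False,
              "quick_retransmissions": 0, "verdict": ""}
    for ev in events:
        if "ISAKMP SA established" in ev.msg:
            result["phase1_established"] = True
            _, _, tail = ev.msg.partition("{")      # "{auth=... group=modp1024}"
            result["isakmp"] = dict(PARAM_RE.findall(tail))
        elif "IPsec SA established" in ev.msg:
            result["phase2_established"] = True
        elif ev.msg.startswith("STATE_QUICK_I1: retransmission"):
            result["quick_retransmissions"] += 1
        elif "No acceptable response to our first Quick Mode message" in ev.msg:
            result["verdict"] = "phase 2 stalled: peer sent no usable reply to our Quick Mode proposal"
    if result["phase2_established"]:
        result["verdict"] = "tunnel up"
    elif not result["phase1_established"]:
        result["verdict"] = "phase 1 never completed"
    elif not result["verdict"]:
        result["verdict"] = "phase 1 up, phase 2 outcome not in log"
    return result

def parse_netscreen_p2(line):
    """Parse `set ike p2-proposal "name" <group|no-pfs> esp <cipher> <hash> second <n>`."""
    toks = line.split()
    i = toks.index("esp")
    group = None if toks[4] == "no-pfs" else NORMALISE.get(toks[4], toks[4])
    life = int(toks[toks.index("second") + 1]) if "second" in toks else None
    return {"name": toks[3].strip('"'), "group": group,
            "cipher": NORMALISE.get(toks[i + 1], toks[i + 1]),
            "hash": NORMALISE.get(toks[i + 2], toks[i + 2]), "lifetime": life}

def parse_openswan_p2(esp, pfs, ike):
    """Effective phase 2 proposal from ipsec.conf esp=/pfs=/ike= (first proposal only).
    Assumption (restated from the ipsec.conf documentation): with pfs=yes and no group
    in esp=, the phase 1 DH group from ike= is reused for PFS."""
    parts = esp.split(",")[0].split("-")
    ike_parts = ike.split(",")[0].split("-")
    group = None
    if pfs:
        group = parts[2] if len(parts) > 2 else (ike_parts[2] if len(ike_parts) > 2 else None)
    return {"cipher": NORMALISE.get(parts[0], parts[0]),
            "hash": NORMALISE.get(parts[1], parts[1]), "group": group}

def compare_p2(local, peer):
    """Human-readable mismatches between two phase 2 proposals; empty list means consistent."""
    return [f"{k}: local={local[k]} peer={peer[k]}"
            for k in ("cipher", "hash", "group") if local[k] != peer[k]]

if __name__ == "__main__":
    report = diagnose(parse_pluto_log(SAMPLE_LOG))
    local = parse_openswan_p2("aes256-sha1", True, "aes256-sha1-modp1024")
    peer = parse_netscreen_p2('set ike p2-proposal "mlavalle" group2 esp aes256 sha-1 second 3600')
    print(report["verdict"], report["isakmp"])
    print("phase 2 mismatches:", compare_p2(local, peer) or "none visible from the configured parameters")
```

For the parameters quoted in the thread the comparison comes back empty: cipher, hash and PFS group line up on both sides, which is exactly why the initiator's log alone cannot say what the NetScreen disliked, and why the responder-side log from the next attempt is the useful next artefact. Feeding the script a peer line with a different cipher (for example `esp 3des sha-1`) makes the mismatch list non-empty.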

