[Openswan Users] WRV200 <-> openswan key replacement problems

Christian Herzberg christian.herzberg at gmx.net
Tue Dec 11 11:31:33 EST 2007


Hi to all,

I guess I found the problem with rekeying, but I do not know why it is.

I set up a VPN from several Linksys WRV200 to one SLES10 openswan server.
I use pre-shared keys for each peer and I have fixed IP addresses on both ends.

This is my openswan config.

conn Hannover
        authby=secret
        auto=add
        #esp=aes-128-md5!
        left=80.81.yyy.yy
        leftid=80.81.yyy.yy
        leftsubnet=10.0.10.0/24
        right=87.139.yyy.yy
        rightsubnet=192.168.124.0/24
        type=tunnel
        pfs=yes
        compress=no
        ikelifetime=480m
        keylife=60m
        keyexchange=ike
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold

conn Celle
        authby=secret
        auto=add
        #esp=aes-128-md5!
        left=80.81.xxx.xx
        leftid=80.81.xxx.xx
        leftsubnet=10.0.10.0/24
        right=217.7.xxx.xxx
        rightsubnet=192.168.121.0/24
        type=tunnel
        pfs=yes
        compress=no
        ikelifetime=480m
        keylife=60m
        keyexchange=ike
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold

Here is the config of the WRV200:

Key Exchange           =  Auto
Operation Mode         =  main
ISAKMP Encryption      =  3DES
ISAKMP Authentica.     =  MD5
ISAKMP DH Group        =  Group 2: 1024-bits
ISAKMP Key Lifetime(s) =  288000
PFS                    =  enable
IPSec Encryption Method=  3DES
IPSec Authentication M.=  MD5
IPSec DH Group         =  Group 2: 1024-bits
IPSec Key Lifetime(s)  =  3600
Pre-Shared Key         =  aaaaaaaaaaaaaaaaaaaa

The VPN is coming up and is running without any error. After the key lifetime I get these log entries.

SLES10 openswan:

Dec 11 17:28:10 DB1 pluto[12622]: "Hannover" #336566: ignoring informational payload, type INVALID_MESSAGE_ID
Dec 11 17:28:10 DB1 pluto[12622]: "Hannover" #336566: received and ignored informational message
Dec 11 17:28:10 DB1 pluto[12622]: "Hannover" #336566: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 11 17:28:10 DB1 pluto[12622]: "Hannover" #336566: received and ignored informational message
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #337634: max number of retransmissions (2) reached STATE_QUICK_I1
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #337634: starting keying attempt 272 of an unlimited number
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #337681: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #337634 {using isakmp#336566}
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #336566: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #336566: received and ignored informational message


and on the WRV200 side:

403   [Tue 17:27:39]  "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
404   [Tue 17:27:49]  "TunnelA" #924: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
405   [Tue 17:27:49]  "TunnelA" #924: no acceptable Proposal in IPsec SA
406   [Tue 17:27:49]  "TunnelA" #924: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.81.242.54:500
407   [Tue 17:27:51]  "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x10548c8a (perhaps this is a duplicated packet)
408   [Tue 17:27:51]  "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
409   [Tue 17:27:58]  "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x7c8d0e6c (perhaps this is a duplicated packet)
410   [Tue 17:27:58]  "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
411   [Tue 17:27:58]  "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x684fe8e2 (perhaps this is a duplicated packet)
412   [Tue 17:27:58]  "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
413   [Tue 17:28:12]  "TunnelA" #925: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
414   [Tue 17:28:12]  "TunnelA" #925: no acceptable Proposal in IPsec SA
415   [Tue 17:28:12]  "TunnelA" #925: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.81.242.54:500
416   [Tue 17:28:18]  "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x7c8d0e6c (perhaps this is a duplicated packet)
417   [Tue 17:28:18]  "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
418   [Tue 17:28:23]  "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xae3a1552 (perhaps this is a duplicated packet)
419   [Tue 17:28:23]  "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500

My guess is that the problem is coming from my SLES10 openswan side because of the fact that the WRV is saying "IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag". But why did openswan use AES-128 instead of 3DES?

Thanks for any idea.

Cheers
Christian
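An added example (not part of the post or of openswan itself) that checks the points the thread turns on: it parses an ipsec.conf conn block, compares a pinned `esp=` proposal against the peer's Phase 2 settings, and extracts the transforms a strict-flag peer refused from its pluto log. The conn block has the `esp=` line un-commented, the PEER dict is built from the WRV200 settings above, and the log lines are copied from the WRV200 output; all three are constructed sample input.

```python
import re
# Constructed sample: the Hannover conn from the post with its esp= line
# un-commented, so the pinned (strict "!") proposal can be checked.
CONN = """conn Hannover
        authby=secret
        esp=aes-128-md5!
        pfs=yes
"""

# Phase 2 settings of the WRV200, constructed from the post.
PEER = {"enc": "3des", "auth": "md5", "pfs": True}
# Constructed sample: two WRV200 log lines copied from the post.
LOG = """\
404   [Tue 17:27:49]  "TunnelA" #924: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
405   [Tue 17:27:49]  "TunnelA" #924: no acceptable Proposal in IPsec SA
"""

REFUSED = re.compile(r"IPsec Transform \[ESP_(\w+) \((\d+)\), AUTH_ALGORITHM_HMAC_(\w+)\] refused due to strict flag")

def parse_conn(text):
    """Turn an ipsec.conf conn block into a dict of key=value options."""
    opts = {}
    for line in text.splitlines()[1:]:  # skip the 'conn NAME' header line
        line = line.strip()
        if line and not line.startswith("#"):  # skip blanks and comments
            key, _, val = line.partition("=")
            opts[key.strip()] = val.strip()
    return opts

def esp_proposal(opts):
    """Return (enc, auth, strict) from e.g. 'aes-128-md5!'; None if esp= is unset."""
    esp = opts.get("esp")
    if esp is None:
        return None  # openswan then offers its built-in default transform list
    enc, auth = esp.rstrip("!").rsplit("-", 1)
    return enc.split("-")[0], auth, esp.endswith("!")

def compat_problems(opts, peer):
    """List Phase 2 settings that cannot agree with the peer's configuration."""
    problems = []
    prop = esp_proposal(opts)
    if prop and (prop[0], prop[1]) != (peer["enc"], peer["auth"]):
        problems.append(f"esp {prop[0]}-{prop[1]} vs peer {peer['enc']}-{peer['auth']}")
    if (opts.get("pfs", "yes") == "yes") != peer["pfs"]:
        problems.append("pfs mismatch")
    return problems

def refused_transforms(log):
    """Collect transforms the strict-flag peer rejected, from its pluto log."""
    return sorted({m.groups() for m in REFUSED.finditer(log)})
```

With the pinned proposal the checker reports the cipher mismatch against the router's 3DES, and the log parser shows which transform the router actually refused.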
