[Openswan Users] WRV200 <-> openswan key replacement problems
Christian Herzberg
christian.herzberg at gmx.net
Tue Dec 11 11:31:33 EST 2007
Hi to all,
I guess I found the problem with rekeying but I do not know why it is.
I set up a VPN from several Linksys WRV200 to one SLES10 openswan server.
I use preshared keys for each peer and I have fixed IP addresses on both ends.
This is my openswan config.
conn Hannover
    authby=secret
    auto=add
    #esp=aes-128-md5!
    left=80.81.yyy.yy
    leftid=80.81.yyy.yy
    leftsubnet=10.0.10.0/24
    right=87.139.yyy.yy
    rightsubnet=192.168.124.0/24
    type=tunnel
    pfs=yes
    compress=no
    ikelifetime=480m
    keylife=60m
    keyexchange=ike
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold

conn Celle
    authby=secret
    auto=add
    #esp=aes-128-md5!
    left=80.81.xxx.xx
    leftid=80.81.xxx.xx
    leftsubnet=10.0.10.0/24
    right=217.7.xxx.xxx
    rightsubnet=192.168.121.0/24
    type=tunnel
    pfs=yes
    compress=no
    ikelifetime=480m
    keylife=60m
    keyexchange=ike
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
Here is the config of the WRV200:
Key Exchange = Auto
Operation Mode = main
ISAKMP Encryption = 3DES
ISAKMP Authentica. = MD5
ISAKMP DH Group = Group 2: 1024-bits
ISAKMP Key Lifetime(s) = 288000
PFS = enable
IPSec Encryption Method= 3DES
IPSec Authentication M.= MD5
IPSec DH Group = Group 2: 1024-bits
IPSec Key Lifetime(s) = 3600
Pre-Shared Key = aaaaaaaaaaaaaaaaaaaa
The VPN is coming up and is running without any error. After the key lifetime I get these log entries.
SLES10 openswan:
Dec 11 17:28:10 DB1 pluto[12622]: "Hannover" #336566: ignoring informational payload, type INVALID_MESSAGE_ID
Dec 11 17:28:10 DB1 pluto[12622]: "Hannover" #336566: received and ignored informational message
Dec 11 17:28:10 DB1 pluto[12622]: "Hannover" #336566: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 11 17:28:10 DB1 pluto[12622]: "Hannover" #336566: received and ignored informational message
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #337634: max number of retransmissions (2) reached STATE_QUICK_I1
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #337634: starting keying attempt 272 of an unlimited number
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #337681: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #337634 {using isakmp#336566}
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #336566: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 11 17:28:11 DB1 pluto[12622]: "Hannover" #336566: received and ignored informational message
and on the WRV200 site:
403 [Tue 17:27:39] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
404 [Tue 17:27:49] "TunnelA" #924: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
405 [Tue 17:27:49] "TunnelA" #924: no acceptable Proposal in IPsec SA
406 [Tue 17:27:49] "TunnelA" #924: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.81.242.54:500
407 [Tue 17:27:51] "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x10548c8a (perhaps this is a duplicated packet)
408 [Tue 17:27:51] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
409 [Tue 17:27:58] "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x7c8d0e6c (perhaps this is a duplicated packet)
410 [Tue 17:27:58] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
411 [Tue 17:27:58] "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x684fe8e2 (perhaps this is a duplicated packet)
412 [Tue 17:27:58] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
413 [Tue 17:28:12] "TunnelA" #925: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
414 [Tue 17:28:12] "TunnelA" #925: no acceptable Proposal in IPsec SA
415 [Tue 17:28:12] "TunnelA" #925: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.81.242.54:500
416 [Tue 17:28:18] "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x7c8d0e6c (perhaps this is a duplicated packet)
417 [Tue 17:28:18] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
418 [Tue 17:28:23] "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xae3a1552 (perhaps this is a duplicated packet)
419 [Tue 17:28:23] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
My guess is that the problem is coming from my SLES10 openswan site because of the fact that the WRV is saying "IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag". But why did the openswan use AES-128 instead of 3DES?
Thanks for any idea.
Cheers
Christian
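
Added example, not part of the original post: a small Python check that reads the WRV200 log lines quoted above and reports which attributes of each refused phase 2 transform differ from the WRV200 settings listed in the post (3DES, MD5). The names `PEER_POLICY`, `SAMPLE_LOG` and `analyze` are hypothetical.

```python
import re
from collections import Counter

# WRV200 phase 2 settings as listed in the post (IPSec Encryption / Authentication).
PEER_POLICY = {"cipher": "3DES", "auth": "MD5"}

# Log lines copied from the WRV200 log in the post.
SAMPLE_LOG = """\
404 [Tue 17:27:49] "TunnelA" #924: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
405 [Tue 17:27:49] "TunnelA" #924: no acceptable Proposal in IPsec SA
406 [Tue 17:27:49] "TunnelA" #924: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.81.242.54:500
407 [Tue 17:27:51] "TunnelA" #797: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x10548c8a (perhaps this is a duplicated packet)
408 [Tue 17:27:51] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
413 [Tue 17:28:12] "TunnelA" #925: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
414 [Tue 17:28:12] "TunnelA" #925: no acceptable Proposal in IPsec SA
415 [Tue 17:28:12] "TunnelA" #925: sending encrypted notification NO_PROPOSAL_CHOSEN to 80.81.242.54:500
"""

REFUSED = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): IPsec Transform '
                     r'\[ESP_(?P<cipher>\w+)(?: \((?P<bits>\d+)\))?, '
                     r'AUTH_ALGORITHM_HMAC_(?P<auth>\w+)\] refused due to strict flag')
NOTIFY = re.compile(r'sending encrypted notification (\w+)')


def analyze(log_text, policy=PEER_POLICY):
    """Return (refused transforms with mismatching attributes, notification counts)."""
    refused, notifications = [], Counter()
    for line in log_text.splitlines():
        m = REFUSED.search(line)
        if m:
            offered = {"cipher": m["cipher"], "auth": m["auth"]}
            # Attributes where the offered transform differs from the peer's fixed policy.
            mismatch = sorted(k for k in policy if offered[k].upper() != policy[k].upper())
            refused.append({"conn": m["conn"], "sa": int(m["sa"]), "bits": m["bits"],
                            "offered": offered, "mismatch": mismatch})
            continue
        n = NOTIFY.search(line)
        if n:
            notifications[n.group(1)] += 1
    return refused, notifications


if __name__ == "__main__":
    refused, notes = analyze(SAMPLE_LOG)
    for r in refused:
        print(f'{r["conn"]} #{r["sa"]}: offered {r["offered"]}, differs in {r["mismatch"]}')
    print(dict(notes))
```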