[Openswan Users] tunnel problem

Ales Klok orrie at seznam.cz
Wed Jun 27 13:06:15 EDT 2007


Peter McGill wrote:
>> -----Original Message-----
>> Date: Tue, 26 Jun 2007 19:12:16 +0000
>> From: "Djiby SY" <sydjiby at gmail.com>
>> Subject: [Openswan Users] tunnel problem
>> To: users at openswan.org
>>
>> Hello All,
>>
>> I have a problem with bringing up my tunnel.
>> My config is Linux Openswan U2.4.4/K2.6.12-1.1372_FC3 (netkey). The other side uses CISCO.
>>
>> Here is the log.
>>
>> 104 "" #9: STATE_MAIN_I1: initiate
>> 003 "" #9: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
>> 106 "" #9: STATE_MAIN_I2: sent MI2, expecting MR2
>> 003 "" #9: received Vendor ID payload [Cisco-Unity]
>> 003 "" #9: received Vendor ID payload [XAUTH]
>> 003 "" #9: ignoring unknown Vendor ID payload [b1b9e7ec1671a8fb6186bf64f084352e]
>> 003 "" #9: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>> 108 "" #9: STATE_MAIN_I3: sent MI3, expecting MR3
>> 003 "" #9: received Vendor ID payload [Dead Peer Detection]
>> 004 "" #9: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>> 117 "" #10: STATE_QUICK_I1: initiate
>> 010 "" #10: STATE_QUICK_I1: retransmission; will wait 20s for response
>> 010 "" #10: STATE_QUICK_I1: retransmission; will wait 40s for response
>> 031 "" #10: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>> 000 "" #10: starting keying attempt 2 of an unlimited number, but releasing whack
>>
>> What's wrong?
>>
>> thanks
>> Djiby
>
> Do you permit esp traffic in your firewall rules?
>
> iptables -t filter -I INPUT -p 50 -j ACCEPT
> iptables -t filter -I OUTPUT -p 50 -j ACCEPT
>
> Peter
>   
Good point, but I believe both MAIN and QUICK mode are negotiated via IKE 
(UDP 500). Looks like a misconfiguration to me. Check the subnet definitions on 
both sides as well as the cipher and hash used for tunnel data.
/ak
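An added example, not part of the thread above and not Openswan code: a small Python triage script that encodes the reasoning in the two replies. It parses pluto status lines like the ones Djiby posted, records how far each SA got, and separates three outcomes: the first Main Mode message is never answered (IKE on UDP 500 itself is blocked, or the peer has no matching Phase 1 proposal), Phase 1 establishes but Quick Mode goes unanswered (the case here, so UDP 500 is fine and the Phase 2 parameters need checking), or both SAs come up and the remaining suspect is ESP being filtered (Peter's iptables rule). The log excerpts are constructed, one mirroring the posted log and one the contrast case in syslog format; the conn name "cisco", the syslog prefix, and the ipsec.conf keys named in the check strings (leftsubnet, rightsubnet, ike, esp, pfs, plutodebug) are standard Openswan options but assumptions about this poster's setup.

```python
"""Triage a pluto (Openswan IKE daemon) negotiation log.

Added example for this thread, not Openswan code.  Main Mode and Quick Mode are
both IKE exchanges over UDP 500, so the state in which pluto gives up says where
to look: Phase 1 unanswered means IKE itself is blocked or has no Phase 1 match;
Phase 1 up but Quick Mode unanswered means a Phase 2 (subnet/esp/pfs) mismatch;
both SAs up with no traffic is the case where filtered ESP (protocol 50) bites.
"""
import re

# Accepts whack output as posted ('104 "" #9: ...') or syslog lines, which carry a
# 'pluto[pid]:' prefix instead of the three-digit code.
LINE_RE = re.compile(r'(?:(?P<code>\d{3}) )?"(?P<conn>[^"]*)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'STATE_(?:MAIN|AGGR|QUICK)_[IR]\d')
TIMEOUT_RE = re.compile(r'max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)')

# leftsubnet/rightsubnet/ike/esp/pfs/plutodebug are standard ipsec.conf keys; how
# they are set on the poster's gateway is not known from the thread (assumption).
CHECKS = {
    'phase1-unanswered': [
        'first IKE message unanswered: allow UDP/500 (and UDP/4500 for NAT-T) both ways',
        'verify the peer address, the ike= proposal and the shared secret',
    ],
    'phase2-unanswered': [
        'Phase 1 is up, so UDP/500 reaches the peer and ESP filtering is not the cause',
        'compare leftsubnet=/rightsubnet= with the subnets in the peer crypto ACL',
        'compare esp= cipher/hash with the peer transform set, and pfs= with its PFS setting',
    ],
    'sa-up': ['both SAs up: if traffic still fails, allow ESP (IP protocol 50) both ways'],
    'incomplete': ['log ends mid-negotiation: wait for the retransmission timeout or raise plutodebug='],
}


def parse(log_text):
    """Yield (sa_number, message) for each pluto status line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m.group('sa')), m.group('msg')


def diagnose(log_text):
    """Return how far the negotiation got and which parameters to check next."""
    phase1_up = phase2_up = False
    timeout_state = None
    last_state = {}  # SA number -> last STATE_* seen for it
    for sa, msg in parse(log_text):
        s = STATE_RE.search(msg)
        if s:
            last_state[sa] = s.group(0)
        if 'ISAKMP SA established' in msg:
            phase1_up = True
        elif 'IPsec SA established' in msg:
            phase2_up = True
        t = TIMEOUT_RE.search(msg)
        if t:
            timeout_state = t.group('state')

    if phase1_up and phase2_up:
        verdict = 'sa-up'
    elif timeout_state and timeout_state.startswith(('STATE_MAIN', 'STATE_AGGR')):
        verdict = 'phase1-unanswered'
    elif phase1_up and timeout_state and timeout_state.startswith('STATE_QUICK'):
        verdict = 'phase2-unanswered'
    else:
        verdict = 'incomplete'
    return {'verdict': verdict, 'checks': CHECKS[verdict], 'timeout_state': timeout_state,
            'phase1_established': phase1_up, 'phase2_established': phase2_up,
            'last_state': last_state}


# Constructed log excerpts, not captured from anyone's system.
# 1. The case in the thread: Phase 1 completes, the first Quick Mode message is never answered.
LOG_PHASE2_STALL = """\
104 "" #9: STATE_MAIN_I1: initiate
106 "" #9: STATE_MAIN_I2: sent MI2, expecting MR2
108 "" #9: STATE_MAIN_I3: sent MI3, expecting MR3
004 "" #9: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "" #10: STATE_QUICK_I1: initiate
010 "" #10: STATE_QUICK_I1: retransmission; will wait 20s for response
031 "" #10: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
# 2. Contrast case in syslog format: the very first IKE message gets no reply at all.
LOG_PHASE1_STALL = """\
Jun 27 12:00:01 gw pluto[1234]: "cisco" #1: STATE_MAIN_I1: initiate
Jun 27 12:00:21 gw pluto[1234]: "cisco" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
Jun 27 12:01:21 gw pluto[1234]: "cisco" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

if __name__ == '__main__':
    for name, log in (('phase 2 stall', LOG_PHASE2_STALL), ('phase 1 stall', LOG_PHASE1_STALL)):
        r = diagnose(log)
        print(f'{name}: {r["verdict"]} (gave up in {r["timeout_state"]})')
        for check in r['checks']:
            print('  -', check)
```

Running the file diagnoses the two constructed excerpts; to use it on a real case, feed it the output of `ipsec auto --up <conn>` or the pluto lines from syslog. For the posted log it lands on "phase2-unanswered", which is the point Ales makes: the ISAKMP SA came up over the same UDP 500 path that Quick Mode uses, so the next thing to compare is the subnet pair and the Phase 2 cipher/hash on each side rather than the ESP firewall rule.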

