[Openswan Users] error connecting to pix
Prabhu Gurumurthy
pgurumu at gmail.com
Tue Apr 15 18:47:18 EDT 2008
Richard Witt wrote:
> I am having problems connecting openswan (Linux Openswan U2.4.7/K2.6.22)
> to a pix (7.2(2))
> I have been googling all day long and have not found anything to help me
> out here.
>
> Below is the session and the error from the openswan box:
>
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: initiating Main Mode
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I2: sent MI2, expecting MR2
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [Cisco-Unity]
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [XAUTH]
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring unknown Vendor ID payload [0dd6ff8b11b02ade5b80c4f5c57944be]
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: I did not send a certificate because I do not have one.
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I3: sent MI3, expecting MR3
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [Dead Peer Detection]
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1763: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1762}
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received and ignored informational message
> Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Delete SA payload: deleting ISAKMP State #1762
>
> Now the error from the pix:
>
> Apr 15 13:27:39 [IKEv1]: Group = 216.52.180.242, IP = 216.52.180.242, QM FSM error (P2 struct &0x2a9a0e8, mess id 0x144e2c86)!
> Apr 15 13:27:39 [IKEv1]: Group = 216.52.180.242, IP = 216.52.180.242, Removing peer from correlator table failed, no match!
>
> From the errors given it seems that there is something wrong on one
> side or the other. We have double checked these many times.
> Was hoping someone else could shed some light on this.
>
> Below is the openswan config relative to this connection:
>
>
> conn someother_company
> leftid=xxx.xxx.180.242
> leftsubnet=10.64.98.0/24
> right=xxx.xxx.137.116
> rightsubnet=192.168.40.0/24
> authby=secret
> auto=start
> pfs=no
> ike=3des-md5-modp1024
> esp=3des-md5
>
>
> And below is the relevant config from the pix
>
> access-list COMPANY extended permit ip 10.64.98.0 255.255.255.0 192.168.40.0 255.255.255.0
>
> access-list INSIDE extended permit tcp host 192.168.40.29 eq 4000 host 10.64.98.12 gt 1023
> access-list INSIDE extended permit tcp host 192.168.40.27 eq 4000 host 10.64.98.12 gt 1023
> access-list INSIDE extended permit tcp host 192.168.40.29 eq 30229 host 10.64.98.12 gt 1023
> access-list INSIDE extended permit tcp host 192.168.40.27 eq 30229 host 10.64.98.12 gt 1023
>
> crypto ipsec transform-set PEN esp-3des esp-md5-hmac
>
> crypto map prodvpn1 82 match address COMPANY
> crypto map prodvpn1 82 set peer xxx.xxx.180.242
> crypto map prodvpn1 82 set transform-set PEN
>
> tunnel-group xxx.xxx.180.242 type ipsec-l2l
> tunnel-group xxx.xxx.180.242 ipsec-attributes
> pre-shared-key **********
>
> crypto isakmp policy 25
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 3600
>
> Can anyone help me with this at all?
>
Seems like phase 2 is failing. Can you provide information from the PIX by doing
debug cry isa 7 and debug cry ipsec 7?
Prabhu
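A way to read the pluto output quoted above mechanically, as an added example that is not part of Openswan, of the PIX software, or of either poster's message: it parses the pluto line format visible in the log (connection name, SA number, message), records which phase reached an established SA, which informational notification came back, and whether the peer deleted the ISAKMP SA, then maps that to a one-line verdict. The embedded sample is a condensed copy of the quoted log with the hostname shortened to `fw`; the verdict text for NO_PROPOSAL_CHOSEN lists the parameters IKEv1 Quick Mode negotiates (ESP transform, PFS group, traffic selectors) as a checklist, not as a claim about which one is wrong here.

```python
"""Triage an Openswan/pluto IKEv1 log to locate where a tunnel negotiation stops.

Added example for the thread above; not Openswan code. It understands only the
pluto message shapes visible in the quoted log: state transitions, SA
establishment with a {key=value ...} suffix, informational payloads, Delete SA.
"""
import re

# Constructed sample: condensed copy of the pluto lines quoted in the thread.
SAMPLE_LOG = """\
Apr 15 12:38:42 fw pluto[2119]: "interactive_brokers" #1762: initiating Main Mode
Apr 15 12:38:42 fw pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 15 12:38:42 fw pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 15 12:38:42 fw pluto[2119]: "interactive_brokers" #1763: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1762}
Apr 15 12:38:42 fw pluto[2119]: "interactive_brokers" #1762: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Apr 15 12:38:42 fw pluto[2119]: "interactive_brokers" #1762: received Delete SA payload: deleting ISAKMP State #1762
"""

# pluto[pid]: "conn" #sa: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
PARAMS_RE = re.compile(r"\{([^}]*)\}")
STATE_RE = re.compile(r"to state (STATE_\w+)")


def parse_params(msg):
    """Turn a trailing '{auth=X cipher=Y ...}' into a dict (empty if absent)."""
    m = PARAMS_RE.search(msg)
    if not m:
        return {}
    return dict(item.split("=", 1) for item in m.group(1).split() if "=" in item)


def triage(log_text):
    """Return {conn_name: summary} describing how far each connection got."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a pluto per-SA message
        c = conns.setdefault(m.group("conn"), {
            "phase1": None,        # params of the established ISAKMP SA
            "phase2_sa": None,     # SA number of the Quick Mode attempt
            "phase2": None,        # params of an established IPsec SA
            "notifications": [],   # informational payload types received
            "deleted": False,      # peer sent Delete SA for the ISAKMP SA
            "last_state": None,    # last STATE_* reached
        })
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            c["phase1"] = {"sa": m.group("sa"), **parse_params(msg)}
        elif msg.startswith("initiating Quick Mode"):
            c["phase2_sa"] = m.group("sa")
        elif "IPsec SA established" in msg:
            c["phase2"] = {"sa": m.group("sa"), **parse_params(msg)}
        elif "informational payload, type" in msg:
            c["notifications"].append(msg.rsplit("type ", 1)[1].strip())
        elif "received Delete SA payload" in msg:
            c["deleted"] = True
        st = STATE_RE.search(msg)
        if st:
            c["last_state"] = st.group(1)
    return conns


def verdict(s):
    """Map one connection summary to a short diagnosis string."""
    if s["phase2"]:
        return "up: IPsec SA #%s established" % s["phase2"]["sa"]
    if s["phase1"] is None:
        return "phase1-failed: stuck at %s" % (s["last_state"] or "start")
    if s["phase2_sa"] is None:
        return "phase1-only: ISAKMP SA #%s up, Quick Mode never initiated" % s["phase1"]["sa"]
    if "NO_PROPOSAL_CHOSEN" in s["notifications"]:
        return ("phase2-rejected: peer answered Quick Mode #%s with NO_PROPOSAL_CHOSEN; "
                "compare ESP transform, PFS group and traffic selectors on both sides"
                % s["phase2_sa"])
    if s["deleted"]:
        return "phase2-failed: peer deleted ISAKMP SA #%s without accepting Quick Mode" % s["phase1"]["sa"]
    return "phase2-pending: Quick Mode #%s initiated, no answer seen" % s["phase2_sa"]


if __name__ == "__main__":
    for name, summary in triage(SAMPLE_LOG).items():
        print("%s: %s" % (name, verdict(summary)))
        print("  phase 1 params:", summary["phase1"])
```

Run it against a saved copy of /var/log/auth.log (or wherever pluto logs on the host) instead of SAMPLE_LOG to get the same verdict per connection; on the quoted log it reports phase 1 up with 3DES/MD5/modp1024 and Quick Mode #1763 rejected with NO_PROPOSAL_CHOSEN, which is the "phase 2 is failing" reading in the reply above.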