[Openswan Users] error connecting to pix

scharles scharles at ventusnetworks.com
Tue Apr 15 19:04:49 EDT 2008


Hi !
     The pix configuration that you have provided is incomplete - from the
logs on the linux box it seems phase I is established and phase II is not
negotiated due to a conflict / disagreement on encryption. Your access list for
interesting vpn traffic on the pix reads
"access-list COMPANY extended permit ip 10.64.98.0 255.255.255.0 192.168.40.0 255.255.255.0"
 
 IMO - it should read
access-list COMPANY extended permit ip  192.168.40.0 255.255.255.0
10.64.98.0 255.255.255.0  
 
"show run crypto" on the pix would provide more details on the configuration
 
- Simon Charles - 
 
 


  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Richard Witt
Sent: Tuesday, April 15, 2008 5:14 PM
To: users at openswan.org
Subject: [Openswan Users] error connecting to pix


I am having problems connecting openswan (Linux Openswan U2.4.7/K2.6.22) to
a pix (7.2(2)) 
I have been googling all day long and have not found anything to help me out
here.

Below is the session and the error from the openswan box:


Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: initiating Main Mode
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [Cisco-Unity]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [XAUTH]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring unknown Vendor ID payload [0dd6ff8b11b02ade5b80c4f5c57944be]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: I did not send a certificate because I do not have one.
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Vendor ID payload [Dead Peer Detection]
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1763: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1762}
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received and ignored informational message
Apr 15 12:38:42 dalhq-fwvpn02 pluto[2119]: "interactive_brokers" #1762: received Delete SA payload: deleting ISAKMP State #1762




Now the error from the pix:


Apr 15 13:27:39 [IKEv1]: Group = 216.52.180.242, IP = 216.52.180.242, QM FSM error (P2 struct &0x2a9a0e8, mess id 0x144e2c86)!
Apr 15 13:27:39 [IKEv1]: Group = 216.52.180.242, IP = 216.52.180.242, Removing peer from correlator table failed, no match!


From the errors given it seems that there is something wrong on one side or
the other. We have double checked these many times.
Was hoping someone else could shed some light on this.

Below is the openswan config relative to this connection: 


conn someother_company
        leftid=xxx.xxx.180.242
        leftsubnet=10.64.98.0/24
        right=xxx.xxx.137.116
        rightsubnet=192.168.40.0/24
        authby=secret
        auto=start
        pfs=no
        ike=3des-md5-modp1024
        esp=3des-md5

And below is the relevant config from the pix


access-list COMPANY extended permit ip 10.64.98.0 255.255.255.0 192.168.40.0 255.255.255.0

access-list INSIDE extended permit tcp host 192.168.40.29 eq 4000 host 10.64.98.12 gt 1023
access-list INSIDE extended permit tcp host 192.168.40.27 eq 4000 host 10.64.98.12 gt 1023
access-list INSIDE extended permit tcp host 192.168.40.29 eq 30229 host 10.64.98.12 gt 1023
access-list INSIDE extended permit tcp host 192.168.40.27 eq 30229 host 10.64.98.12 gt 1023

crypto ipsec transform-set PEN esp-3des esp-md5-hmac

crypto map prodvpn1 82 match address COMPANY
crypto map prodvpn1 82 set peer xxx.xxx.180.242
crypto map prodvpn1 82 set transform-set PEN

tunnel-group xxx.xxx.180.242 type ipsec-l2l
tunnel-group xxx.xxx.180.242 ipsec-attributes
 pre-shared-key **********

crypto isakmp policy 25
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 3600





Can anyone help me with this at all? 
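A small consistency checker for the phase II mismatch Simon diagnoses above, written as an added example for this thread (it is not code from either poster or from Openswan). It reads the conn options and the PIX crypto map entry, assumes the PIX crypto ACL must be written from the PIX's own side (source = the subnet behind the PIX, i.e. Openswan's rightsubnet; destination = leftsubnet), and also compares the transform-set and PFS setting against esp= and pfs=. The two config strings are constructed from the snippets quoted in the thread.

```python
import ipaddress
import re

# Constructed from the configs quoted in this thread; the ACL is in the
# direction the original post shows (which is the suspected mistake).
OPENSWAN_CONN = """\
conn someother_company
        leftsubnet=10.64.98.0/24
        rightsubnet=192.168.40.0/24
        pfs=no
        esp=3des-md5
"""
PIX_CONFIG = """\
access-list COMPANY extended permit ip 10.64.98.0 255.255.255.0 192.168.40.0 255.255.255.0
crypto ipsec transform-set PEN esp-3des esp-md5-hmac
crypto map prodvpn1 82 match address COMPANY
crypto map prodvpn1 82 set transform-set PEN
"""
# Openswan esp= tokens and the PIX transform-set keywords they correspond to.
ESP_EQUIV = {"3des": "esp-3des", "aes": "esp-aes", "md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}

def parse_conn(text):
    """Collect the key=value options of an ipsec.conf conn section."""
    return dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)

def phase2_mismatches(conn_text, pix_text):
    """Return a list of phase II disagreements between the conn and the PIX crypto map entry."""
    conn = parse_conn(conn_text)
    left = ipaddress.ip_network(conn["leftsubnet"])    # subnet behind Openswan
    right = ipaddress.ip_network(conn["rightsubnet"])  # subnet behind the PIX
    problems = []
    map_name, seq, acl_name = re.search(r"crypto map (\S+) (\d+) match address (\S+)", pix_text).groups()
    m = re.search(r"access-list %s extended permit ip (\S+) (\S+) (\S+) (\S+)" % re.escape(acl_name), pix_text)
    src = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)))
    dst = ipaddress.ip_network("%s/%s" % (m.group(3), m.group(4)))
    # Assumption: a crypto ACL is written from the PIX's own point of view, so its
    # source must be the PIX-side subnet and its destination the Openswan-side subnet.
    if (src, dst) != (right, left):
        problems.append("ACL %s is %s -> %s; PIX side expects %s -> %s" % (acl_name, src, dst, right, left))
    ts_name = re.search(r"crypto map %s %s set transform-set (\S+)" % (map_name, seq), pix_text).group(1)
    ts = set(re.search(r"crypto ipsec transform-set %s (.*)" % ts_name, pix_text).group(1).split())
    wanted = {ESP_EQUIV[t] for t in conn["esp"].split("-")}
    if ts != wanted:
        problems.append("transform-set %s is %s; esp=%s needs %s" % (ts_name, sorted(ts), conn["esp"], sorted(wanted)))
    pix_pfs = bool(re.search(r"crypto map %s %s set pfs" % (map_name, seq), pix_text))
    if pix_pfs != (conn.get("pfs", "yes") == "yes"):
        problems.append("pfs=%s on Openswan but the PIX entry %s pfs" % (conn.get("pfs", "yes"), "sets" if pix_pfs else "does not set"))
    return problems
```

Running `phase2_mismatches(OPENSWAN_CONN, PIX_CONFIG)` reports only the reversed ACL; swapping the two networks in the access-list line makes it return an empty list.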

