[Openswan Users] IPSec SA established in quick mode, but nothing flows over ipsec interface
Eduan Basson
eduan at multenet.com
Wed Sep 10 03:25:08 EDT 2008
Hi Paul

Paul Wouters wrote:
> Do you have any log entries on why it is not getting established?

I only get some logs about ignoring the Commit Flag, and an unexpected
message regarding ISAKMP_NEXT_HASH (which is also present in the logs
from Jacco de Leeuw on his tutorial at
http://www.jacco2.dds.nl/networking/linux-l2tp.html):

Sep 10 09:08:57 warn pluto[693]: "ipsec" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x6a10e904 <0xa308b7d2 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Sep 10 09:08:57 warn pluto[693]: "ipsec" #4: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
Sep 10 09:08:57 warn pluto[693]: "ipsec" #4: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Sep 10 09:08:57 warn pluto[693]: "ipsec" #4: sending encrypted notification INVALID_PAYLOAD_TYPE to 196.211.225.229:500

> Or some info from the OAKLEY.LOG
> on the Windows end?

I enabled oakley.log, and got phase 1 accepted, and phase 2 accepted,
and the HASH payload mentioned above, after which it stops dead with "CE
Dead":

9-10: 09:10:01:46:5b4 Phase 1 SA accepted: transform=3
...
9-10: 09:10:01:671:5b4 Phase 2 SA accepted: proposal=0 transform=2
9-10: 09:10:01:671:5b4 GetSpi: src = 41.240.82.110.1701, dst = 196.211.225.229.1701, proto = 17, context = 00000000, srcMask = 255.255.255.255, destMask = 255.255.255.255, TunnelFilter 0
9-10: 09:10:01:671:5b4 Setting SPI 1779493124
9-10: 09:10:01:671:5b4 constructing ISAKMP Header
9-10: 09:10:01:671:5b4 constructing HASH (null)
9-10: 09:10:01:671:5b4 constructing SA (IPSEC)
9-10: 09:10:01:671:5b4 constructing NONCE (IPSEC)
9-10: 09:10:01:671:5b4 constructing ID (proxy)
9-10: 09:10:01:671:5b4 constructing ID (proxy)
9-10: 09:10:01:671:5b4 constructing NOTIFY 24576
9-10: 09:10:01:671:5b4 constructing HASH (QM)
9-10: 09:10:01:671:5b4
9-10: 09:10:01:671:5b4 Sending: SA = 0x0127A060 to 41.240.82.110:Type 2.500
9-10: 09:10:01:671:5b4 ISAKMP Header: (V1.0), len = 196
9-10: 09:10:01:671:5b4 I-COOKIE 170ca90168091bd3
9-10: 09:10:01:671:5b4 R-COOKIE 741dd490c8367c4d
9-10: 09:10:01:671:5b4 exchange: Oakley Quick Mode
9-10: 09:10:01:671:5b4 flags: 3 ( encrypted commit )
9-10: 09:10:01:671:5b4 next payload: HASH
9-10: 09:10:01:671:5b4 message ID: b3e9a686
9-10: 09:10:01:671:5b4 Ports S:f401 D:f401
9-10: 09:10:02:0:5b4
9-10: 09:10:02:0:5b4 Receive: (get) SA = 0x0127a060 from 41.240.82.110.500
9-10: 09:10:02:0:5b4 ISAKMP Header: (V1.0), len = 52
9-10: 09:10:02:0:5b4 I-COOKIE 170ca90168091bd3
9-10: 09:10:02:0:5b4 R-COOKIE 741dd490c8367c4d
9-10: 09:10:02:0:5b4 exchange: Oakley Quick Mode
9-10: 09:10:02:0:5b4 flags: 1 ( encrypted )
9-10: 09:10:02:0:5b4 next payload: HASH
9-10: 09:10:02:0:5b4 message ID: b3e9a686
9-10: 09:10:02:0:5b4 processing HASH (QM)
9-10: 09:10:02:0:5b4 ClearFragList
9-10: 09:10:02:0:5b4 Adding QMs: src = 196.211.225.229.1701, dst = 41.240.82.110.1701, proto = 17, context = 0000000A, my tunnel = 0.0.0.0, peer tunnel = 0.0.0.0, SrcMask = 0.0.0.0, DestMask = 0.0.0.0 Lifetime = 3600 LifetimeKBytes 250000 dwFlags 0 Direction 1 EncapType 1
9-10: 09:10:02:0:5b4 Algo[0] Operation: ESP Algo: Triple DES CBC HMAC: SHA
9-10: 09:10:02:0:5b4 Algo[0] MySpi: 1779493124 PeerSpi: 2735257554
9-10: 09:10:02:0:5b4 Encap Ports Src 500 Dst 500
9-10: 09:10:02:0:5b4 isadb_set_status sa:0127A060 centry:00128DF0 status 0
9-10: 09:10:02:0:5b4 Constructing Commit Notify
9-10: 09:10:02:0:5b4 constructing ISAKMP Header
9-10: 09:10:02:0:5b4 constructing HASH (null)
9-10: 09:10:02:0:5b4 constructing NOTIFY 16384
9-10: 09:10:02:0:5b4 constructing HASH (QM)
9-10: 09:10:02:0:5b4
9-10: 09:10:02:0:5b4 Sending: SA = 0x0127A060 to 41.240.82.110:Type 4.500
9-10: 09:10:02:0:5b4 ISAKMP Header: (V1.0), len = 76
9-10: 09:10:02:0:5b4 I-COOKIE 170ca90168091bd3
9-10: 09:10:02:0:5b4 R-COOKIE 741dd490c8367c4d
9-10: 09:10:02:0:5b4 exchange: Oakley Quick Mode
9-10: 09:10:02:0:5b4 flags: 3 ( encrypted commit )
9-10: 09:10:02:0:5b4 next payload: HASH
9-10: 09:10:02:0:5b4 message ID: b3e9a686
9-10: 09:10:02:0:5b4 Ports S:f401 D:f401
9-10: 09:10:02:93:5b4
9-10: 09:10:02:93:5b4 Receive: (get) SA = 0x0127a060 from 41.240.82.110.500
9-10: 09:10:02:93:5b4 ISAKMP Header: (V1.0), len = 68
9-10: 09:10:02:93:5b4 I-COOKIE 170ca90168091bd3
9-10: 09:10:02:93:5b4 R-COOKIE 741dd490c8367c4d
9-10: 09:10:02:93:5b4 exchange: ISAKMP Informational Exchange
9-10: 09:10:02:93:5b4 flags: 1 ( encrypted )
9-10: 09:10:02:93:5b4 next payload: HASH
9-10: 09:10:02:93:5b4 message ID: 0683f670
9-10: 09:10:02:93:5b4 processing HASH (Notify/Delete)
9-10: 09:10:02:93:5b4 processing payload NOTIFY
9-10: 09:10:02:93:5b4 notify: INVALID-PAYLOAD
9-10: 09:10:02:93:5b4 Unknown Notify Message 1
9-10: 09:11:06:937:4f0 CE Dead. sa:0127A060 ce:00128DF0 status:35f0
Ed
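
The `flags: 3 ( encrypted commit )` lines in the Oakley.log excerpt above are a decoding of the flags octet in the cleartext ISAKMP header (RFC 2408, section 3.1). As an added example, not part of the original post, the following Python decodes that 28-byte header and lists the Quick Mode messages carrying the Commit bit; `parse_isakmp_header`, `commit_flagged` and the sample bytes (rebuilt from the cookies, message IDs, lengths and flags printed in the log) are illustrative names and constructed input.

```python
import struct

# RFC 2408 section 3.1: fixed 28-byte ISAKMP header, network byte order.
HEADER = struct.Struct("!8s8sBBBBII")
FLAGS = ((0x01, "encrypted"), (0x02, "commit"), (0x04, "auth-only"))
EXCHANGES = {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"}
PAYLOADS = {0: "NONE", 1: "SA", 5: "ID", 8: "HASH", 10: "NONCE", 11: "NOTIFY"}


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the cleartext ISAKMP header that precedes the encrypted payloads."""
    if len(data) < HEADER.size:
        raise ValueError("need at least 28 bytes for an ISAKMP header")
    icookie, rcookie, nxt, version, xchg, flags, msgid, length = HEADER.unpack_from(data)
    if length < HEADER.size:
        raise ValueError("length field smaller than the header itself")
    return {
        "i_cookie": icookie.hex(),
        "r_cookie": rcookie.hex(),
        "next_payload": PAYLOADS.get(nxt, str(nxt)),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGES.get(xchg, str(xchg)),
        "flags": [name for bit, name in FLAGS if flags & bit],
        "message_id": f"{msgid:08x}",
        "length": length,
    }


def commit_flagged(headers):
    """Return (message_id, length) for Quick Mode messages with the Commit bit set."""
    return [(h["message_id"], h["length"]) for h in headers
            if h["exchange"] == "Quick Mode" and "commit" in h["flags"]]


def _sample(xchg, flags, msgid, length):
    # Constructed input: header bytes rebuilt from the fields Oakley.log prints above.
    cookies = bytes.fromhex("170ca90168091bd3" "741dd490c8367c4d")
    return cookies + struct.pack("!BBBBII", 8, 0x10, xchg, flags, msgid, length)


SAMPLE_HEADERS = [parse_isakmp_header(_sample(*args)) for args in (
    (32, 3, 0xB3E9A686, 196),  # sent by Windows: "encrypted commit"
    (32, 1, 0xB3E9A686, 52),   # received by Windows: "encrypted"
    (32, 3, 0xB3E9A686, 76),   # sent by Windows: the Commit Notify message
    (5, 1, 0x0683F670, 68),    # received by Windows: Informational Exchange
)]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(h["exchange"], h["message_id"], h["length"], h["flags"])
    print("commit bit set on:", commit_flagged(SAMPLE_HEADERS))
```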