[Openswan Users] no connection on _I2 state

Marcin Giedz marcin.giedz at arise.pl
Tue Feb 17 01:49:27 EST 2009


Hi,

I'm still struggling with an IPsec tunnel going from the main gateway, which 
has two different ISPs (BGP sessions) on the eth0 and eth1 interfaces and 
the advertised network defined on eth2 (internal interface for the advertised 
network and LAN).

I thought that putting an IP from the advertised network into the ipsec.conf file 
would fix it:

conn conn-test
        ike=3des-sha1-modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024
        keyexchange=ike
        ikelifetime=24h
        salifetime=1h
        pfs=yes
        authby=secret
        left=advertised_ip
#       left=ISP1_real_IP
        right=a.b.c.d
        rightsourceip=d.e.f.g
        auto=add


but it seems the connection cannot be established. All I get is:

ser1:~# ipsec auto --up conn-test
104 "conn-test" #62: STATE_MAIN_I1: initiate
003 "conn-test" #62: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "conn-test" #62: STATE_MAIN_I2: sent MI2, expecting MR2
010 "conn-test" #62: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "conn-test" #62: ignoring informational payload, type INVALID_COOKIE msgid=00000000
003 "conn-test" #62: received and ignored informational message

On the other side the guys receive:

Feb 16 2009 13:30:29: aaa: IP = advertised_ip, Header invalid, missing SA payload! (next payload = 4)

Feb 16 2009 13:30:29: aaa: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68


...what does "missing SA" mean? This is strange compared to the situation when 
"left" is ISP1_real_IP. In that case the connection is established:

ser1:~# ipsec auto --up conn-test
104 "conn-test" #1: STATE_MAIN_I1: initiate
003 "conn-test" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "conn-test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "conn-test" #1: received Vendor ID payload [Cisco-Unity]
003 "conn-test" #1: received Vendor ID payload [XAUTH]

.....

What can the problem be? Can someone please advise what to do about this? 
Using advertised_ip is the preferred method, as in this case I don't care 
about BGP sessions: if one link goes down I still keep the same IP, and 
after some period I'm automatically switched to ISP2, the IPsec tunnel is 
re-established and the connection is back again.
... or maybe I'm missing something important?


Please help,

Thanks,
Marcin
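An added example (not from the post, and not Openswan's own code): a small Python parser that groups pluto's `ipsec auto --up` output by state serial (#NN) and flags an attempt that received an INVALID_COOKIE notify after sending MI2, as opposed to one where the peer's MR2 (with its vendor IDs) arrived. It uses the two transcripts from the post as input; the verdict labels are my own.

```python
import re
from dataclasses import dataclass, field

# Pluto status lines look like: 106 "conn-test" #62: STATE_MAIN_I2: sent MI2, expecting MR2
LINE_RE = re.compile(r'^\d{3} "([^"]+)" #(\d+): (.*)$')
STATE_RE = re.compile(r'^(STATE_[A-Z0-9_]+):')
VID_RE = re.compile(r'received Vendor ID payload \[([^\]]+)\]')

@dataclass
class IkeAttempt:
    conn: str
    serial: int
    last_state: str = ""                   # last STATE_* pluto reported
    retransmissions: int = 0
    invalid_cookie: bool = False           # peer answered with an INVALID_COOKIE notify
    vendor_ids: list = field(default_factory=list)  # vendor IDs received from the peer

    def verdict(self) -> str:
        # INVALID_COOKIE after MI2: the peer holds no ISAKMP state for our cookie pair
        if self.invalid_cookie:
            return "failed-invalid-cookie"
        if self.vendor_ids:   # the peer's MR2 arrived; main mode is progressing
            return "progressing"
        return "no-response"

def parse_attempts(output: str) -> dict:
    """Group 'ipsec auto --up' output by state serial (#NN) into IkeAttempt records."""
    attempts = {}
    for raw in output.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # shell prompt, blank lines, wrapped continuation text
        conn, sn, msg = m.group(1), int(m.group(2)), m.group(3)
        a = attempts.setdefault(sn, IkeAttempt(conn, sn))
        s = STATE_RE.match(msg)
        if s:
            a.last_state = s.group(1)
        a.retransmissions += "retransmission" in msg
        a.invalid_cookie |= "INVALID_COOKIE" in msg
        a.vendor_ids += VID_RE.findall(msg)
    return attempts

# Sample input: the two transcripts from the post, wrapped lines rejoined.
FAILING = """104 "conn-test" #62: STATE_MAIN_I1: initiate
106 "conn-test" #62: STATE_MAIN_I2: sent MI2, expecting MR2
010 "conn-test" #62: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "conn-test" #62: ignoring informational payload, type INVALID_COOKIE msgid=00000000"""
WORKING = """106 "conn-test" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "conn-test" #1: received Vendor ID payload [Cisco-Unity]
003 "conn-test" #1: received Vendor ID payload [XAUTH]"""
```

Feeding the output of a failing and a working attempt to `parse_attempts` separates "the peer never accepted our cookie pair" from "the peer simply has not replied yet", which is the distinction to check before looking at routing or the `left` address.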