[Openswan Users] Why won't the tunnel come up? (Was: Config file Question.)

Magnus Holmberg magnus.holmberg at pepto.se
Mon Feb 23 13:09:40 EST 2009


Shouldn't it fail already on Phase 1 if so?

I get

Feb 23 19:08:12 fw pluto[26842]: "VPN" #3: STATE_MAIN_I4: ISAKMP SA 
established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha 
group=modp1024}
Feb 23 19:08:12 fw pluto[26842]: "VPN" #3: Dead Peer Detection (RFC 
3706): enabled
Feb 23 19:08:12 fw pluto[26842]: "VPN" #7: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}

Before that.

BR

Magnus

Paul Wouters wrote:
> On Mon, 23 Feb 2009, Magnus Holmberg wrote:
>
>> Just received an e-mail saying that they use 256 bit so I changed the 
>> config to:
>>
>> ike=aes256-sha1-modp1024
>> esp=aes256-sha1
>>
>> Now it seems to pass step 1 and it stays with:
>>
>> Feb 23 17:05:41 fw pluto[19900]: "VPN" #17: initiating Quick Mode 
>> PSK+ENCRYPT+TUNNEL+UP to replace #16
>> {using isakmp#3}
>> Feb 23 17:06:51 fw pluto[19900]: "VPN" #17: max number of 
>> retransmissions (2) reached STATE_QUICK_I1.  No
>> acceptable response to our first Quick Mode message: perhaps peer 
>> likes no proposal
>> Feb 23 17:06:51 fw pluto[19900]: "VPN" #17: starting keying attempt 
>> 12 of an unlimited number
>> Feb 23 17:06:51 fw pluto[19900]: "VPN" #18: initiating Quick Mode 
>> PSK+ENCRYPT+TUNNEL+UP to replace #17
>> {using isakmp#3}
>>
>> What could be the problem here? Is there some more debug info I can 
>> turn on?
>
> Not much, since the other end is rejecting the connection and not 
> telling you why.
> Ask for the logs on the other end.
>
> Are you sure they want modp1024? 1536 or 2048 is more likely these days.
>
> Paul
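
Added example (not part of the original thread, and not Openswan code): a small Python triage of pluto log lines like the ones quoted above, separating "ISAKMP SA established" from "Quick Mode got no acceptable response". The sample log is constructed from the message formats in the thread; the function name, field names and verdict strings are assumptions.

```python
import re

# Constructed sample: message formats as quoted in the thread, mail wrapping undone.
SAMPLE = """\
Feb 23 19:08:12 fw pluto[26842]: "VPN" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb 23 19:08:12 fw pluto[26842]: "VPN" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}
Feb 23 19:09:22 fw pluto[26842]: "VPN" #7: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 23 19:09:22 fw pluto[26842]: "VPN" #8: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #7 {using isakmp#3}
"""

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
PHASE1_UP = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")


def triage(log_text):
    """Hypothetical helper: summarise IKE progress per connection name."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a per-connection pluto message
        entry = report.setdefault(
            m["conn"], {"phase1": None, "quick_mode_attempts": 0, "quick_mode_timeouts": 0})
        msg = m["msg"]
        up = PHASE1_UP.search(msg)
        if up:
            # Negotiated Phase 1 (ISAKMP SA) parameters, e.g. cipher and DH group.
            entry["phase1"] = dict(kv.split("=", 1) for kv in up["params"].split())
        elif msg.startswith("initiating Quick Mode"):
            entry["quick_mode_attempts"] += 1
        elif "retransmissions" in msg and "STATE_QUICK_I1" in msg:
            entry["quick_mode_timeouts"] += 1
    for entry in report.values():
        if entry["phase1"] is None:
            entry["verdict"] = "phase1-not-established"
        elif entry["quick_mode_timeouts"]:
            # ISAKMP SA is up, so ike= matched; the stall is in Phase 2 (Quick Mode).
            entry["verdict"] = "phase1-ok, phase2-no-acceptable-response"
        else:
            entry["verdict"] = "phase1-ok, phase2-pending"
    return report


if __name__ == "__main__":
    for conn, entry in triage(SAMPLE).items():
        print(conn, entry)
```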

