[Openswan Users] Cisco VPN 3000 <--> OpenSwan - no Quick Mode establishment

Ben Martel benm at ingenitech.co.nz
Mon Jul 20 05:30:11 EDT 2009


Y'all,

I have been trying to get a tunneled network-2-network connection up
between OpenSwan and a Cisco 3000 VPN concentrator for four days and
just can't seem to get a successful Phase 2 (Quick mode) happening.

Any ideas?

Thanks in advance

   ~benm

---- /etc/ipsec.conf ------
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=no
        #
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
# Add connections here

conn nzta
     type        = tunnel
     authby      = secret
     left        = 203.xx.xx.251   <--- obfuscated
     leftnexthop = %defaultroute
     leftsubnet  = 203.xx.xx.240/28 <-- obfuscated     
     right       = 202.xx.xx.4      <-- obfuscated     
     rightsubnet = 202.xx.xx.128/25 <-- obfuscated
     esp         = aes-sha1
     auto        = add
     pfs         = no
     keyexchange = ike
     ikelifetime = 24h


#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

----- /var/log/auth.log ----------------
Jul 20 21:20:48 arnie pluto[14687]: Starting Pluto (Openswan Version 2.4.12 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`lPH|Vbpuu)
Jul 20 21:20:48 arnie pluto[14687]: Setting NAT-Traversal port-4500 floating to off
Jul 20 21:20:48 arnie pluto[14687]:    port floating activation criteria nat_t=0/port_fload=1
Jul 20 21:20:48 arnie pluto[14687]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jul 20 21:20:48 arnie pluto[14687]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 20 21:20:48 arnie pluto[14687]: no helpers will be started, all cryptographic operations will be done inline
Jul 20 21:20:48 arnie pluto[14687]: Using NETKEY IPsec interface code on 2.6.22-14-server
Jul 20 21:20:48 arnie pluto[14687]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 20 21:20:48 arnie pluto[14687]: Changing to directory '/etc/ipsec.d/aacerts'
Jul 20 21:20:48 arnie pluto[14687]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jul 20 21:20:48 arnie pluto[14687]: Changing to directory '/etc/ipsec.d/crls'
Jul 20 21:20:48 arnie pluto[14687]:   Warning: empty directory
Jul 20 21:20:48 arnie pluto[14687]: added connection description "nzta"
Jul 20 21:20:48 arnie pluto[14687]: listening for IKE messages
Jul 20 21:20:48 arnie pluto[14687]: adding interface eth1/eth1 10.101.0.3:500
Jul 20 21:20:48 arnie pluto[14687]: adding interface eth0/eth0 203.xx.xx.251:500
Jul 20 21:20:48 arnie pluto[14687]: adding interface lo/lo 127.0.0.1:500
Jul 20 21:20:48 arnie pluto[14687]: adding interface lo/lo ::1:500
Jul 20 21:20:48 arnie pluto[14687]: loading secrets from "/etc/ipsec.secrets"
Jul 20 21:20:48 arnie pluto[14687]:   loaded private key file '/etc/ipsec.d/private/arnieKey.pem' (1675 bytes)
Jul 20 21:20:53 arnie sudo: ingenitech : TTY=pts/1 ; PWD=/home/ingenitech ; USER=root ; COMMAND=/usr/sbin/ipsec auto --up nzta
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: initiating Main Mode
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: received Vendor ID payload [Cisco-Unity]
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: received Vendor ID payload [XAUTH]
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: ignoring unknown Vendor ID payload [17223d2d4528c2cafee172f2758afd05]
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: I did not send a certificate because I do not have one.
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: received Vendor ID payload [Dead Peer Detection]
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: Main mode peer ID is ID_IPV4_ADDR: '202.xx.xx.4'
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: received Delete SA payload: deleting ISAKMP State #1
Jul 20 21:20:53 arnie pluto[14687]: packet from 202.xx.xx.4:500: received and ignored informational message

----- Output from 'ipsec auto --up nzta' --------

ingenitech at arnie:~$ sudo ipsec auto --up nzta
104 "nzta" #1: STATE_MAIN_I1: initiate
003 "nzta" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "nzta" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "nzta" #1: received Vendor ID payload [Cisco-Unity]
003 "nzta" #1: received Vendor ID payload [XAUTH]
003 "nzta" #1: ignoring unknown Vendor ID payload [17223d2d4528c2cafee172f2758afd05]
003 "nzta" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
108 "nzta" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "nzta" #1: received Vendor ID payload [Dead Peer Detection]
004 "nzta" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
117 "nzta" #2: STATE_QUICK_I1: initiate
010 "nzta" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "nzta" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "nzta" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "nzta" #2: starting keying attempt 2 of an unlimited number, but releasing whack

ingenitech at arnie:~$ sudo ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 203.xx.xx.251
000 interface eth1/eth1 10.101.0.3
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,5,64} trans={0,5,960} attrs={0,5,320} 
000  
000 "nzta": 203.xx.xx.240/28===203.xx.xx.251---203.xx.xx.241...202.xx.x.4===202.xx.xx.128/25; unrouted; eroute owner: #0
000 "nzta":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "nzta":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "nzta":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 28,25; interface: eth0; encap: esp;
000 "nzta":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "nzta":   ESP algorithms wanted: AES(12)_000-SHA1(2); flags=strict
000 "nzta":   ESP algorithms loaded: AES(12)_000-SHA1(2); flags=strict
000  
000 #8: "nzta":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s; lastdpd=-1s(seq in:0 out:0)
000  
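An added example, not part of the post or of Openswan: a small Python script that reads Pluto log lines of the kind shown above together with the conn block, and separates a Phase 1 (Main Mode) problem from a Phase 2 (Quick Mode) problem. It reports the Phase 1 parameters the peer accepted, notes whether the peer sent a Delete SA or simply never answered QUICK_I1, and lists the local Phase 2 parameters (esp, pfs, traffic selectors) that have to agree with the peer's configuration. SAMPLE_LOG and SAMPLE_CONF are constructed from the post's log and config; the assumption that an omitted pfs= means pfs=yes follows Openswan's documented default.

```python
"""Walk Pluto (Openswan 2.4) log lines plus an ipsec.conf conn block and say
whether a failed tunnel stalled in Phase 1 (Main Mode) or Phase 2 (Quick Mode).
Added example; SAMPLE_LOG and SAMPLE_CONF are constructed from the post."""
import re

# Constructed sample: the relevant auth.log lines from the post (addresses
# obfuscated as in the post), plus the retransmission line from the whack output.
SAMPLE_LOG = """\
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: initiating Main Mode
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: received Vendor ID payload [Cisco-Unity]
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: received Vendor ID payload [XAUTH]
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: Main mode peer ID is ID_IPV4_ADDR: '202.xx.xx.4'
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jul 20 21:20:53 arnie pluto[14687]: "nzta" #1: received Delete SA payload: deleting ISAKMP State #1
Jul 20 21:21:53 arnie pluto[14687]: "nzta" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Constructed sample: the conn block from the post without its inline annotations.
SAMPLE_CONF = """\
conn nzta
     left        = 203.xx.xx.251
     leftsubnet  = 203.xx.xx.240/28
     right       = 202.xx.xx.4
     rightsubnet = 202.xx.xx.128/25
     esp         = aes-sha1
     pfs         = no
"""

LINE_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')
ESTABLISHED_RE = re.compile(r"ISAKMP SA established \{(?P<kv>[^}]*)\}")
VENDOR_RE = re.compile(r"Vendor ID payload \[(?P<vid>[^\]]*)\]")


def parse_conn(conf_text):
    """Return {key: value} for a conn block; tolerates spaces around '='."""
    params = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            params["name"] = line.split(None, 1)[1]
        elif "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def analyse_log(log_text):
    """Collect the IKE milestones Pluto logged: Phase 1 parameters, SA numbers,
    vendor IDs, and whether the peer tore the ISAKMP SA down or just went quiet."""
    report = {"vendor_ids": [], "phase1": None, "phase1_sa": None, "peer_id": None,
              "quick_mode_sa": None, "delete_sa": False, "quick_mode_timed_out": False}
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg, sa = m.group("msg"), m.group("sa")
        v = VENDOR_RE.search(msg)
        if v:
            report["vendor_ids"].append(v.group("vid"))
        e = ESTABLISHED_RE.search(msg)
        if e:  # "auth=... cipher=... prf=... group=..." -> dict
            report["phase1"] = dict(kv.split("=", 1) for kv in e.group("kv").split())
            report["phase1_sa"] = sa
        if msg.startswith("Main mode peer ID is"):
            report["peer_id"] = msg.split(":", 1)[1].strip().strip("'")
        if msg.startswith("initiating Quick Mode"):
            report["quick_mode_sa"] = sa
        if "received Delete SA payload" in msg:
            report["delete_sa"] = True
        if "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            report["quick_mode_timed_out"] = True
    return report


def diagnose(report, conn):
    """Verdict plus the local Phase 2 parameters that must match the peer's
    configuration; an omitted pfs= is taken as Openswan's default of yes."""
    if report["phase1"] is None:
        return "Phase 1 never completed: check pre-shared key, peer IDs and IKE proposal"
    p1 = report["phase1"]
    lines = ["Phase 1 OK with %s: %s %s %s %s" % (report["peer_id"], p1.get("auth"),
             p1.get("cipher"), p1.get("prf"), p1.get("group"))]
    if report["quick_mode_sa"] and (report["delete_sa"] or report["quick_mode_timed_out"]):
        why = "peer deleted ISAKMP SA #%s" % report["phase1_sa"] if report["delete_sa"] \
            else "no reply from peer"
        lines.append("Phase 2 failed at QUICK_I1 (#%s): %s; Pluto's hint: peer likes no proposal"
                     % (report["quick_mode_sa"], why))
        lines.append("Compare with the peer: esp=%s pfs=%s selectors %s <-> %s" % (
            conn.get("esp"), conn.get("pfs", "yes"), conn.get("leftsubnet"), conn.get("rightsubnet")))
    return "\n".join(lines)


if __name__ == "__main__":
    print(diagnose(analyse_log(SAMPLE_LOG), parse_conn(SAMPLE_CONF)))
```

Run against the post's lines it prints that Phase 1 completed with PSK, 3DES, MD5 and MODP1024 (so the pre-shared key and IKE proposal are not the problem), that the peer deleted ISAKMP SA #1 right after Quick Mode #2 was sent, and the three local Phase 2 values (esp=aes-sha1, pfs=no, the two subnets) to check against the concentrator's configuration. The same script can be pointed at any auth.log that Pluto writes; only the constructed samples are specific to this post.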

