[Openswan Users] need help to solve problem about connection stuck at STATE_QUICK_I1

顏宏愷 yhkai at cht.com.tw
Sun Sep 6 23:32:54 EDT 2009


Dear all,
This is the first time for me to study Openswan. I read a lot of articles about Openswan from the web.
I followed the instructions from Openswan's website and am trying to set up a net-to-net connection.
Both gateways (left and right) are installed with CentOS 5.2 (kernel 2.6.18) and Openswan (ver 2.6.22).
Here is my ipsec.conf:
conn net-t-net
        left=10.144.134.202
        leftsubnet=192.168.10.0/24
        leftid=@left
        leftnexthop=%defaultroute
        right=10.144.134.203
        rightsubnet=192.168.13.0/24
        rightid=@right
        rightnexthop=%defaultroute
        leftrsasigkey=0sAQOPwB4FS1fpxN19ktKE1GwE6F……
        rightrsasigkey=0sAQOo/15JmRsIIegwieNH47KR0sqdkei/c………..
        auto=add
But when I set up the connection with the ipsec auto command, it shows "STATE_QUICK_I1: retransmission; will wait 20s for response".
By checking ipsec barf, it seems to be stuck at the STATE_QUICK_I1 stage.
I don't know what is wrong with my setup. Perhaps something is wrong with my firewall or route configuration.
Please help to solve the problem.
Thanks a lot

Jimmy yen

Below is the collected status output for my problem; I hope it helps you all to trace the problem.
[root at centos /]# ipsec auto --up net-t-net
117 "net-t-net" #3: STATE_QUICK_I1: initiate
010 "net-t-net" #3: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "net-t-net" #3: STATE_QUICK_I1: retransmission; will wait 40s for response
…
Part of ipsec barf:
Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #203: starting keying attempt 42 of an unlimited number
Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #208: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #203 {using isakmp#4 msgid:13251cd5 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep  4 17:36:41 centosi pluto[20394]: "net-t-net" #202: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #202: starting keying attempt 42 of an unlimited number
Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #209: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #202 {using isakmp#4 msgid:c5ea1125 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep  4 17:36:48 centos pluto[20394]: "net-t-net" #1: the peer proposed: 192.168.10.0/24:0/0 -> 192.168.13.0/24:0/0
Sep  4 17:36:48 centos pluto[20394]: "net-t-net" #210: responding to Quick Mode proposal {msgid:6a5874c6}
Sep  4 17:36:48 centos pluto[20394]: "net-t-net" #210:     us: 192.168.10.0/24===10.144.134.202<10.144.134.202>[@left,+S=C]
Sep  4 17:36:48 cento pluto[20394]: "net-t-net" #210:   them: 10.144.134.203<10.144.134.203>[@right,+S=C]===192.168.13.0/24
Sep  4 17:36:48 cento pluto[20394]: "net-t-net" #210: ERROR: netlink response for Add SA comp.238e at 10.144.134.203 included errno 22: Invalid argument
Sep  4 17:36:48 centos pluto[20394]: | add_sa ipcomp failed
Sep  4 17:36:48 centos pluto[20394]: | failed to install outgoing SA: 0
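
Added example (not part of the original post, and not Openswan code): a short Python triage of the pluto lines quoted above. It pulls out the negotiated policy flags, the Quick Mode retransmission timeout, and the kernel's netlink rejection of the "comp" (IPComp) SA so they can be read side by side. The regexes and the names triage and ipcomp_install_failed are assumptions made for this example; the sample lines are copied from the post.

```python
import re

# Lines copied from the ipsec barf excerpt in the post; all names below are this example's own.
SAMPLE_LOG = """\
Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #208: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #203 {using isakmp#4 msgid:13251cd5 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep  4 17:36:41 centosi pluto[20394]: "net-t-net" #202: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Sep  4 17:36:48 centos pluto[20394]: "net-t-net" #210: responding to Quick Mode proposal {msgid:6a5874c6}
Sep  4 17:36:48 cento pluto[20394]: "net-t-net" #210: ERROR: netlink response for Add SA comp.238e at 10.144.134.203 included errno 22: Invalid argument
Sep  4 17:36:48 centos pluto[20394]: | add_sa ipcomp failed
Sep  4 17:36:48 centos pluto[20394]: | failed to install outgoing SA: 0
"""

PREFIX = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)')
POLICY = re.compile(r'initiating Quick Mode (\S+)')
TIMEOUT = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')
NETLINK = re.compile(r'ERROR: netlink response for (\w+ SA) (\w+)\.\w+ at (\S+) included errno (\d+): (.*)')


def triage(log_text):
    """Collect policy flags, retransmission timeouts and kernel SA errors from pluto lines."""
    report = {"policy": set(), "timeouts": [], "kernel_errors": [], "debug_failures": []}
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        sa, msg = m.group("sa"), m.group("msg")
        if (p := POLICY.search(msg)):
            report["policy"].update(p.group(1).split("+"))
        elif (t := TIMEOUT.search(msg)):
            report["timeouts"].append((int(sa), t.group(2), int(t.group(1))))
        elif (n := NETLINK.search(msg)):
            op, proto, peer, errno, text = n.groups()
            report["kernel_errors"].append((int(sa), op, proto, peer, int(errno), text))
        elif msg.startswith("| ") and "fail" in msg:
            report["debug_failures"].append(msg[2:])  # pluto debug lines carry no conn/state prefix
    return report


def ipcomp_install_failed(report):
    """True when COMPRESS is in the policy and the kernel refused a 'comp' SA."""
    return "COMPRESS" in report["policy"] and any(
        proto == "comp" for _, _, proto, _, _, _ in report["kernel_errors"])


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(sorted(r["policy"]), r["timeouts"], r["kernel_errors"], r["debug_failures"])
    print("IPComp SA install failed:", ipcomp_install_failed(r))
```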
