[Openswan Users] need help to solve problem about connection stuck at STATE_QUICK_I1
Nobody ist perfect
news.listener at gmail.com
Tue Sep 8 08:04:19 EDT 2009
Try with compress=no

顏宏愷 wrote:
> Dear all,
>
> This is the first time for me to study openswan. I read a lot of articles
> about openswan from the web.
>
> I followed the instructions from openswan’s web and am trying to set up a
> net-to-net connection.
>
> Both gateways (left and right) are installed with CentOS 5.2 (kernel 2.6.18)
> and openswan (ver 2.6.22).
>
> Here is my ipsec.conf:
>
> conn net-t-net
>     left=10.144.134.202
>     leftsubnet=192.168.10.0/24
>     leftid=@left
>     leftnexthop=%defaultroute
>     right=10.144.134.203
>     rightsubnet=192.168.13.0/24
>     rightid=@right
>     rightnexthop=%defaultroute
>     leftrsasigkey=0sAQOPwB4FS1fpxN19ktKE1GwE6F……
>     rightrsasigkey=0sAQOo/15JmRsIIegwieNH47KR0sqdkei/c………..
>     auto=add
>
> But when I set up the connection with the ipsec auto command, it shows
> "STATE_QUICK_I1: retransmission; will wait 20s for response.."
>
> By checking ipsec barf, it seems to be stuck at the STATE_QUICK_I1 stage.
>
> I don’t know what is wrong with my setup. Perhaps something is wrong
> with my configuration of the firewall or route.
>
> Please help to solve the problem.
>
> Thanks a lot
>
>
>
> Jimmy yen
>
>
>
> Below is the collection of status about my problem; I hope it is helpful
> for all of you to trace the problem.
>
> [root@centos /]# ipsec auto --up net-t-net
> 117 "net-t-net" #3: STATE_QUICK_I1: initiate
> 010 "net-t-net" #3: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "net-t-net" #3: STATE_QUICK_I1: retransmission; will wait 40s for response
> …
>
> Part of ipsec barf:
>
> Sep 4 17:36:41 centos pluto[20394]: "net-t-net" #203: starting keying attempt 42 of an unlimited number
> Sep 4 17:36:41 centos pluto[20394]: "net-t-net" #208: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #203 {using isakmp#4 msgid:13251cd5 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> Sep 4 17:36:41 centosi pluto[20394]: "net-t-net" #202: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> Sep 4 17:36:41 centos pluto[20394]: "net-t-net" #202: starting keying attempt 42 of an unlimited number
> Sep 4 17:36:41 centos pluto[20394]: "net-t-net" #209: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #202 {using isakmp#4 msgid:c5ea1125 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> Sep 4 17:36:48 centos pluto[20394]: "net-t-net" #1: the peer proposed: 192.168.10.0/24:0/0 -> 192.168.13.0/24:0/0
> Sep 4 17:36:48 centos pluto[20394]: "net-t-net" #210: responding to Quick Mode proposal {msgid:6a5874c6}
> Sep 4 17:36:48 centos pluto[20394]: "net-t-net" #210: us: 192.168.10.0/24===10.144.134.202<10.144.134.202>[@left,+S=C]
> Sep 4 17:36:48 cento pluto[20394]: "net-t-net" #210: them: 10.144.134.203<10.144.134.203>[@right,+S=C]===192.168.13.0/24
> Sep 4 17:36:48 cento pluto[20394]: "net-t-net" #210: ERROR: netlink response for Add SA comp.238e@10.144.134.203 included errno 22: Invalid argument
> Sep 4 17:36:48 centos pluto[20394]: | add_sa ipcomp failed
> Sep 4 17:36:48 centos pluto[20394]: | failed to install outgoing SA: 0
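The compress=no suggestion lines up with two things visible in the quoted log: the Quick Mode policy string contains COMPRESS, and the kernel rejects the IPComp SA (`Add SA comp...` with errno 22). The following Python script is an added example, not part of the original thread and not Openswan code; it checks pluto log text for that combination. The function names `triage` and `ipcomp_suspects` are hypothetical, and the sample log is constructed from the lines quoted in the post with the e-mail line wraps joined.

```python
import re

# Constructed sample: pluto log lines shaped like the ones quoted in the post.
SAMPLE_LOG = """\
Sep 4 17:36:41 centos pluto[20394]: "net-t-net" #208: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #203 {using isakmp#4 msgid:13251cd5 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep 4 17:36:41 centos pluto[20394]: "net-t-net" #202: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Sep 4 17:36:48 centos pluto[20394]: "net-t-net" #210: ERROR: netlink response for Add SA comp.238e@10.144.134.203 included errno 22: Invalid argument
Sep 4 17:36:48 centos pluto[20394]: | add_sa ipcomp failed
Sep 4 17:36:48 centos pluto[20394]: | failed to install outgoing SA: 0
"""

CONN = r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: '
QUICK_INIT = re.compile(CONN + r'initiating Quick Mode (?P<policy>[A-Za-z0-9+]+)')
TIMEOUT = re.compile(CONN + r'max number of retransmissions \(\d+\) reached '
                     r'(?P<state>STATE_\w+)')
# "(?: at \S+)?" also accepts list archives that rewrite "@" as " at ".
SA_ERROR = re.compile(CONN + r'ERROR: netlink response for Add SA '
                      r'(?P<proto>[a-z]+)\.\S+(?: at \S+)? included errno (?P<errno>\d+)')


def triage(log_text):
    """Collect, per connection: policy flags, timed-out states, rejected SAs."""
    report = {}

    def entry(name):
        return report.setdefault(
            name, {"policy": set(), "stuck": set(), "sa_errors": []})

    for line in log_text.splitlines():
        if m := QUICK_INIT.search(line):
            entry(m["conn"])["policy"].update(m["policy"].split("+"))
        elif m := TIMEOUT.search(line):
            entry(m["conn"])["stuck"].add(m["state"])
        elif m := SA_ERROR.search(line):
            entry(m["conn"])["sa_errors"].append((m["proto"], int(m["errno"])))
    return report


def ipcomp_suspects(report):
    """Connections that propose COMPRESS and had a comp (IPComp) SA rejected."""
    return sorted(name for name, r in report.items()
                  if "COMPRESS" in r["policy"]
                  and any(proto == "comp" for proto, _ in r["sa_errors"]))


if __name__ == "__main__":
    for name in ipcomp_suspects(triage(SAMPLE_LOG)):
        print(f"{name}: kernel rejected the IPComp SA; test with compress=no")
```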