[Openswan Users] need help to solve problem about connection stuck at STATE_QUICK_I1

顏宏愷 yhkai at cht.com.tw
Wed Sep 16 23:21:27 EDT 2009


Hi,
I tried compress=no again with openswan 2.6.22, and now it works on the net-to-net connection.
My question is: what can I do to get compress=yes to work with my Linux kernel?
Or is there a bug in openswan 2.6.22 with compress=yes?
So, if I want to use compress=yes, must I install openswan 2.6.23?
Please help to answer the question.
Thanks very much
Jummy yen

-----Original Message-----
From: 顏宏愷 
Sent: Friday, September 11, 2009 4:55 PM
To: 'No body ist Perfect'
Subject: RE: [Openswan Users] Pls help to solve problem about connectrion stuck at STATE_QUICK_I1

Thanks for your help.
I have tried compress=no but it is not working, as before.
Could you give me a simple and successful example config for a net-to-net connection using authby=rsasig?

Thanks very much
Jimmy yen
 

-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of No body ist Perfect
Sent: Friday, September 11, 2009 5:21 AM
To: users at lists.openswan.org
Subject: Re: [Openswan Users] Pls help to solve problem about connectrion stuck at STATE_QUICK_I1

try compress=no
or install openswan 2.6.23

calvinyen2 wrote:
> Dear all,
> 
> This is the first time for me to study openswan. I read a lot of articles about openswan from the web.
> 
> I followed the instructions from openswan's web site and am trying to set up a net-to-net connection.
> 
> Both gateways (left and right) are installed with CentOS 5.2 (kernel 2.6.18) and openswan (ver 2.6.22).
> 
> Here is my ipsec.conf:
> 
> conn net-t-net
>         left=10.144.134.202
>         leftsubnet=192.168.10.0/24
>         leftid=@left
>         leftnexthop=%defaultroute
>         right=10.144.134.203
>         rightsubnet=192.168.13.0/24
>         rightid=@right
>         rightnexthop=%defaultroute
>         leftrsasigkey=0sAQOPwB4FS1fpxN19ktKE1GwE6F……
>         rightrsasigkey=0sAQOo/15JmRsIIegwieNH47KR0sqdkei/c………..
>         auto=add
> 
> But when I set up the connection with the ipsec auto command, it shows "STATE_QUICK_I1: retransmission; will wait 20s for response".
> 
> Checking ipsec barf, it seems to be stuck at the STATE_QUICK_I1 stage.
> 
> I don't know what is wrong with my setup. Perhaps something is wrong with my firewall or route configuration.
> 
> Please help to solve the problem.
> 
> Thanks a lot
> 
> Jimmy yen
> 
> Below is the collected status about my problem; I hope it is helpful for all of you to trace the problem.
> 
> [root at centos /]# ipsec auto --up net-t-net
> 117 "net-t-net" #3: STATE_QUICK_I1: initiate
> 010 "net-t-net" #3: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "net-t-net" #3: STATE_QUICK_I1: retransmission; will wait 40s for response
> 
> Part of ipsec barf:
> 
> Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #203: starting keying attempt 42 of an unlimited number
> Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #208: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #203 {using isakmp#4 msgid:13251cd5 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> Sep  4 17:36:41 centosi pluto[20394]: "net-t-net" #202: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #202: starting keying attempt 42 of an unlimited number
> Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #209: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #202 {using isakmp#4 msgid:c5ea1125 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
> Sep  4 17:36:48 centos pluto[20394]: "net-t-net" #1: the peer proposed: 192.168.10.0/24:0/0 -> 192.168.13.0/24:0/0
> Sep  4 17:36:48 centos pluto[20394]: "net-t-net" #210: responding to Quick Mode proposal {msgid:6a5874c6}
> Sep  4 17:36:48 centos pluto[20394]: "net-t-net" #210:     us: 192.168.10.0/24===10.144.134.202<10.144.134.202>[@left,+S=C]
> Sep  4 17:36:48 cento pluto[20394]: "net-t-net" #210:   them: 10.144.134.203<10.144.134.203>[@right,+S=C]===192.168.13.0/24
> Sep  4 17:36:48 cento pluto[20394]: "net-t-net" #210: ERROR: netlink response for Add SA comp.238e at 10.144.134.203 included errno 22: Invalid argument
> Sep  4 17:36:48 centos pluto[20394]: | add_sa ipcomp failed
> Sep  4 17:36:48 centos pluto[20394]: | failed to install outgoing SA: 0
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
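
The symptom in this thread, as an added triage example that is not part of the original posts or of Openswan: it scans a pluto log excerpt for a connection that proposed COMPRESS, got stuck at STATE_QUICK_I1, and had the kernel reject the IPComp SA. The function names triage and ipcomp_suspected are made up for this example; the sample lines are copied from the quoted log.

```python
import re
from collections import defaultdict

# Pluto log lines copied from the post above (mail line wraps joined).
SAMPLE_LOG = """\
Sep  4 17:36:41 centos pluto[20394]: "net-t-net" #208: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW to replace #203 {using isakmp#4 msgid:13251cd5 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Sep  4 17:36:41 centosi pluto[20394]: "net-t-net" #202: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Sep  4 17:36:48 cento pluto[20394]: "net-t-net" #210: ERROR: netlink response for Add SA comp.238e at 10.144.134.203 included errno 22: Invalid argument
Sep  4 17:36:48 centos pluto[20394]: | add_sa ipcomp failed
"""

CONN = r'"(?P<conn>[^"]+)" #\d+: '
POLICY_RE = re.compile(CONN + r"initiating Quick Mode (?P<policy>[A-Za-z0-9+]+)")
STUCK_RE = re.compile(CONN + r"max number of retransmissions \(\d+\) reached STATE_QUICK_I1")
# The list archive rewrites "@" as " at ", so accept both spellings.
ADD_SA_RE = re.compile(CONN + r"ERROR: netlink response for Add SA (?P<proto>[a-z]+)\.\S+"
                       r"(?: at |@)\S+ included errno (?P<errno>\d+)")


def triage(log_text):
    """Summarise Quick Mode trouble per connection name in a pluto log excerpt."""
    found = defaultdict(lambda: {"compress": False, "stuck_quick_i1": False, "sa_errors": []})
    for line in log_text.splitlines():
        if m := POLICY_RE.search(line):
            # Policy flags are '+'-separated; COMPRESS means IPComp is proposed.
            if "COMPRESS" in m["policy"].split("+"):
                found[m["conn"]]["compress"] = True
        elif m := STUCK_RE.search(line):
            found[m["conn"]]["stuck_quick_i1"] = True
        elif m := ADD_SA_RE.search(line):
            found[m["conn"]]["sa_errors"].append((m["proto"], int(m["errno"])))
    return dict(found)


def ipcomp_suspected(finding):
    """True when compression was proposed and the kernel rejected the IPComp SA."""
    return finding["compress"] and any(proto == "comp" for proto, _ in finding["sa_errors"])


if __name__ == "__main__":
    for conn, finding in triage(SAMPLE_LOG).items():
        hint = "retest with compress=no" if ipcomp_suspected(finding) else "no IPComp SA error seen"
        print(f"{conn}: {finding} -> {hint}")
```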
