[Openswan Users] esp string error: enc_alg not found

Paul Wouters paul at xelerance.com
Mon May 17 21:39:46 EDT 2010


On Mon, 17 May 2010, Steve Zeng wrote:

> Looks like it.
>
> When I ran "ipsec barf", I got:
>
> May 18 00:12:31 fw1 pluto[8441]: "ec2-tunnel-01" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

That's from your older log entry, not the later one.

> From tcpdump, I got:
> 00:31:51.202107 IP 209.190.164.199.isakmp > 72.21.109.125.isakmp: isakmp: phase 1 ? ident[E]
> 00:32:31.555349 IP 209.190.164.199.isakmp > 72.21.109.125.isakmp: isakmp: phase 1 I ident
> 00:32:32.046162 IP 72.21.109.125.isakmp > 209.190.164.199.isakmp: isakmp: phase 1 R ident
> 00:32:32.154102 IP 209.190.164.199.isakmp > 72.21.109.125.isakmp: isakmp: phase 1 I ident
> 00:32:32.253277 IP 72.21.109.125.isakmp > 209.190.164.199.isakmp: isakmp: phase 1 R ident
> 00:32:32.365140 IP 209.190.164.199.isakmp > 72.21.109.125.isakmp: isakmp: phase 1 I ident[E]
> 00:32:32.471635 IP 72.21.209.225.isakmp > 209.190.164.199.isakmp: isakmp: phase 2/others R inf

That's all encrypted and we cannot see anything from it.

> It seems that Amazon asks for something but openswan could not understand it, and so the handshake stopped. I don't see anywhere in ipsec.conf where I can put phase2 configurations. Do I need the tunnel interfaces to be configured manually on the openswan side for this to work?

If this is with the Amazon cloud, then there is NAT involved and you have to configure that,
and initiate from the cloud to your end, not the other way around.

Paul

