[Openswan Users] IPSEC tunnelling between OPENSWAN and router CISCO 1900: STATE_QUICK_I1 problem

Vincent Tamet vincent.tamet at ilimit.net
Thu Feb 10 09:07:57 EST 2011


Hi,
I use the -96 to connect to the Cisco 870 series, and it works fine.
esp=3des-md5-96

Best regards.

Vince
OSG[PCQ]

----- Original Message -----
From: "Maurice SELLIN" <maurice.sellin at dcnsgroup.com>
To: users at openswan.org
Sent: Thursday, 10 February 2011 14:44:30
Subject: [Openswan Users] IPSEC tunnelling between OPENSWAN and router CISCO 1900: STATE_QUICK_I1 problem



Hello,

I want to set up an IPsec tunnel between a Linux station and a Cisco 1900 router.
But I have problems connecting the Linux Openswan system to the Cisco 1900 router because the STATE_QUICK_I1 step is not OK.

my network configuration 
===================== 
10.0.0.1 <--> 100.180.26.105 <==========> 100.180.26.106 <--> 11.0.0.1 
the linux station has 2 interfaces: 10.0.0.1 and 100.189.26.105 
the cisco router has 2 interfaces: 100.189.26.106 and 11.0.0.1 

the error message after a connection attempt:
====================================== 
root at sellin-HP-Compaq-dc7100-SFF-DX878AV:~# ipsec auto --verbose --up jsat 
002 "jsat" #1: initiating Main Mode 
104 "jsat" #1: STATE_MAIN_I1: initiate 
003 "jsat" #1: received Vendor ID payload [RFC 3947] method set to=109 
002 "jsat" #1: enabling possible NAT-traversal with method 4 
002 "jsat" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 
106 "jsat" #1: STATE_MAIN_I2: sent MI2, expecting MR2 
003 "jsat" #1: received Vendor ID payload [Cisco-Unity] 
003 "jsat" #1: received Vendor ID payload [Dead Peer Detection] 
003 "jsat" #1: ignoring unknown Vendor ID payload [4d84a39fa030c5a5cc6e37f178f28f74] 
003 "jsat" #1: received Vendor ID payload [XAUTH] 
003 "jsat" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected 
002 "jsat" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 
108 "jsat" #1: STATE_MAIN_I3: sent MI3, expecting MR3 
002 "jsat" #1: Main mode peer ID is ID_IPV4_ADDR: '100.180.26.106' 
002 "jsat" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 
004 "jsat" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024} 
002 "jsat" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:483a3931 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024} 
117 "jsat" #2: STATE_QUICK_I1: initiate 
010 "jsat" #2: STATE_QUICK_I1: retransmission; will wait 20s for response 
010 "jsat" #2: STATE_QUICK_I1: retransmission; will wait 40s for response 
031 "jsat" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal 
000 "jsat" #2: starting keying attempt 2 of an unlimited number, but releasing whack 
root at sellin-HP-Compaq-dc7100-SFF-DX878AV:~# 

the /etc/ipsec.conf file 
================== 
# This file: /usr/share/doc/openswan/ipsec.conf-sample 
# 
# Manual: ipsec.conf.5 
version 2.0 # conforms to second version of ipsec.conf specification 
# basic configuration 
config setup 
nat_traversal=yes 
oe=off 
protostack=netkey 
nhelpers=0 

# Add connections here 
# sample VPN connection 
# for more examples, see /etc/ipsec.d/examples/ 
conn jsat 
left=100.180.26.105 
leftsubnet=10.0.0.0/24 
leftnexthop=100.180.26.106 
leftsourceip=10.0.0.1 

right=100.180.26.106 
rightsubnet=11.0.0.0/24 
rightsourceip=11.0.0.1 
rightnexthop=100.180.26.105 
auto=add 
ike=3des-md5 
phase2alg=3des-md5 
authby=secret 

/etc/ipsec.secrets file 
================== 
100.180.26.105 100.180.26.106: PSK "123456789" 

on cisco the show running config 
================================ 
Router#show running-config 
Building configuration... 
Current configuration : 1258 bytes 
! 
! Last configuration change at 12:48:49 UTC Thu Feb 10 2011 
! 
version 15.0 
service timestamps debug datetime msec 
service timestamps log datetime msec 
no service password-encryption 
! 
hostname Router 
! 
boot-start-marker 
boot-end-marker 
! 
! 
no aaa new-model 
! 
! 
! 
! 
no ipv6 cef 
ip source-route 
ip cef 
! 
! 
! 
! 
! 
multilink bundle-name authenticated 
! 
! 
! 
license udi pid CISCO1941/K9 sn FHK1447783T 
! 
! 
! 
redundancy 
! 
! 
! 
! 
crypto isakmp policy 1 
encr 3des 
hash md5 
authentication pre-share 
group 2 
crypto isakmp key 123456789 address 100.180.26.105 
! 
! 
crypto ipsec transform-set openswan esp-3des esp-md5-hmac 
! 
crypto map openswan 10 ipsec-isakmp 
set peer 100.180.26.105 
set transform-set openswan 
match address 100 
! 
! 
! 
! 
! 
interface GigabitEthernet0/0 
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$ 
ip address 11.0.0.1 255.255.255.0 
duplex auto 
speed auto 
! 
! 
interface GigabitEthernet0/1 
ip address 100.180.26.106 255.255.255.0 
duplex auto 
speed auto 
crypto map openswan 
! 
! 
ip forward-protocol nd 
! 
no ip http server 
no ip http secure-server 
! 
! 
access-list 100 permit ip 10.0.0.0 0.0.0.255 11.0.0.0 0.0.0.255 
! 
! 
! 
! 
! 
! 
control-plane 
! 
! 
! 
line con 0 
line aux 0 
line vty 0 4 
login 
! 
scheduler allocate 20000 1000 
end 

on cisco the result of show crypto isakmp sa detail 
=========================================== 
Router#show crypto isakmp sa detail 
Codes: C - IKE configuration mode, D - Dead Peer Detection 
K - Keepalives, N - NAT-traversal 
T - cTCP encapsulation, X - IKE Extended Authentication 
psk - Preshared key, rsig - RSA signature 
renc - RSA encryption 
IPv4 Crypto ISAKMP SA 
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap. 
1004 100.180.26.106 100.180.26.105 ACTIVE 3des md5 psk 2 00:19:39 
Engine-id:Conn-id = SW:4 
IPv6 Crypto ISAKMP SA 

on cisco the result of show crypto ipsec sa 
==================================== 
Router#show crypto ipsec sa 
interface: GigabitEthernet0/1 
Crypto map tag: openswan, local addr 100.180.26.106 
protected vrf: (none) 
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0) 
remote ident (addr/mask/prot/port): (11.0.0.0/255.255.255.0/0/0) 
current_peer 100.180.26.105 port 500 
PERMIT, flags={origin_is_acl,} 
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 
#pkts compressed: 0, #pkts decompressed: 0 
#pkts not compressed: 0, #pkts compr. failed: 0 
#pkts not decompressed: 0, #pkts decompress failed: 0 
#send errors 0, #recv errors 0 
local crypto endpt.: 100.180.26.106, remote crypto endpt.: 100.180.26.105 
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 
current outbound spi: 0x0(0) 
PFS (Y/N): N, DH group: none 
inbound esp sas: 
inbound ah sas: 
inbound pcp sas: 
outbound esp sas: 
outbound ah sas: 
outbound pcp sas: 

the software and OS versions
========================
-Linux: Xubuntu 10.10
# uname --a 
Linux sellin-HP-Compaq-dc7100-SFF-DX878AV 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux 
-openswan: 2.6.26+dfsg-1 
-Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M4, RELEASE SOFTWARE (fc1) 

Can you help me please. 
regards, 

Maurice Sellin 
DCNS Ingenierie Navires Armes 
(33) 02 97 12 23 31 

Think environment: do you need to print this message?


This e-mail and possibly any attachment may contain confidential and/or privileged information and is intended only for the use of the individual or entity named above. If you have received it in error, please advise the sender immediately by reply e-mail and delete and destroy all copies, including all copies stored in the recipient's computer, printed or saved to disk. Any review, retransmission, or further use of this e-mail by persons or entities other than the intended recipient is strictly prohibited.

Because of the nature of the Internet the sender is not in a position to ensure the integrity of this message; therefore the sender disclaims any liability whatsoever in the event of this message having been intercepted and/or altered.
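The post shows every Phase 2 input on both ends, which makes it possible to cross-check them mechanically rather than by eye. Two IOS facts drive the check: a crypto map's ACL is written from the router's own point of view (source = the network behind the router, destination = the network behind the peer), and when the initiator's Quick Mode identities do not mirror that ACL the router has no matching crypto map entry and the proposal goes unanswered. On the page, `show crypto ipsec sa` reports `local ident 10.0.0.0/24` and `remote ident 11.0.0.0/24`, while the router's LAN interface is `11.0.0.1/24`, so its ACL 100 describes the tunnel from the Linux side, and Openswan's offer of 10.0.0.0/24 -> 11.0.0.0/24 is the opposite of what the router expects. The thread itself does not say what finally made the tunnel come up. The script below is an added example, not code from the list or from either vendor; it parses the two configs as posted (copied inline as constructed sample input; the parsers only understand the keywords that appear there), maps the IOS transform names onto Openswan's `phase2alg` tokens, and reports any disagreement in transform, traffic selectors, or ACL direction.

```python
"""Cross-check Openswan Phase 2 settings against a Cisco IOS crypto map.

Added example for the thread above (not code from the list or from either
vendor).  Sample inputs are copied from the configs posted in the thread;
the parsers are minimal and only understand the keywords that appear there.
"""
import ipaddress
import re

# Constructed sample input: the Openswan conn as posted in the thread.
OPENSWAN_CONN = """
conn jsat
left=100.180.26.105
leftsubnet=10.0.0.0/24
right=100.180.26.106
rightsubnet=11.0.0.0/24
ike=3des-md5
phase2alg=3des-md5
authby=secret
"""

# Constructed sample input: the relevant IOS lines as posted in the thread.
IOS_CONFIG = """
crypto ipsec transform-set openswan esp-3des esp-md5-hmac
crypto map openswan 10 ipsec-isakmp
 set peer 100.180.26.105
 set transform-set openswan
 match address 100
interface GigabitEthernet0/0
 ip address 11.0.0.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 100.180.26.106 255.255.255.0
 crypto map openswan
access-list 100 permit ip 10.0.0.0 0.0.0.255 11.0.0.0 0.0.0.255
"""

# IOS ESP transform names -> the tokens Openswan uses in phase2alg= / esp=.
IOS_TO_OPENSWAN = {"esp-3des": "3des", "esp-aes": "aes128",
                   "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}


def parse_openswan(text):
    """Collect the key=value lines of a conn section into a dict."""
    conn = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m:
            conn[m.group(1)] = m.group(2)
    return conn


def wildcard_to_network(addr, wildcard):
    """IOS ACL wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}")


def parse_ios(text):
    """Pull out the transform set, interface networks and the crypto map's ACL."""
    cfg = {"transforms": [], "acl": {}, "interfaces": {}, "map_acl": None}
    iface = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"crypto ipsec transform-set \S+ (.+)", s)
        if m:
            cfg["transforms"] = m.group(1).split()
            continue
        m = re.match(r"interface (\S+)", s)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"ip address (\S+) (\S+)", s)
        if m and iface:
            cfg["interfaces"][iface] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"match address (\d+)", s)
        if m:
            cfg["map_acl"] = m.group(1)
            continue
        m = re.match(r"access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)", s)
        if m:
            cfg["acl"][m.group(1)] = (wildcard_to_network(m.group(2), m.group(3)),
                                      wildcard_to_network(m.group(4), m.group(5)))
    return cfg


def check_phase2(conn, ios):
    """Return human-readable mismatches; an empty list means both sides agree."""
    findings = []
    # 1. ESP transform: cipher and integrity algorithm must be the same on both ends.
    ios_alg = "-".join(IOS_TO_OPENSWAN.get(t, t) for t in ios["transforms"])
    if conn.get("phase2alg", "").split(";")[0] != ios_alg:
        findings.append(f"transform mismatch: openswan {conn.get('phase2alg')} vs ios {ios_alg}")
    # 2. Traffic selectors. In an IOS crypto ACL the source is the router's own
    #    network and the destination is the peer's, so the ACL must mirror
    #    Openswan's leftsubnet/rightsubnet as seen from the router's side.
    local_net, remote_net = ios["acl"][ios["map_acl"]]
    if (ipaddress.ip_network(conn["rightsubnet"]) != local_net
            or ipaddress.ip_network(conn["leftsubnet"]) != remote_net):
        findings.append(f"selector mismatch: openswan offers {conn['leftsubnet']} -> "
                        f"{conn['rightsubnet']}, ios acl is local {local_net} -> remote {remote_net}")
    # 3. The ACL source should be a network the router is actually attached to;
    #    if it is not, the ACL was most likely written from the peer's point of view.
    if not any(i.network == local_net for i in ios["interfaces"].values()):
        findings.append(f"ios acl source {local_net} is not a connected network: ACL probably reversed")
    return findings


if __name__ == "__main__":
    for finding in check_phase2(parse_openswan(OPENSWAN_CONN), parse_ios(IOS_CONFIG)):
        print("MISMATCH:", finding)
```

Run against the posted configs, the transform check passes (esp-3des/esp-md5-hmac is 3des-md5) and the two selector checks fire; swapping the ACL to `permit ip 11.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255` makes all three pass. On the router, `debug crypto isakmp` and `debug crypto ipsec` during the Quick Mode attempt show directly whether the proposal is being rejected for proxy identities or for the transform set. Separately, the shared secret `123456789` is short and, with `no service password-encryption`, sits in cleartext in the running config; a practitioner would use a long random PSK (or certificates) regardless of what fixes the negotiation.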
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155