[Openswan Users] Max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Sam nu.ecsa at gmail.com
Wed Feb 1 05:20:56 EST 2012


Hi,

I have successfully installed Openswan but there seems to be an issue with the
connection to the Cisco VPN. From the logs I am seeing something like "*No
acceptable response to our first Quick Mode message: perhaps peer likes no
proposal*".

Below is the full log and my config. I will really appreciate your help.

###################### CONFIG #############################
config setup
        interfaces=%defaultroute
        plutoopts="--perpeerlog"
        protostack=netkey


conn VPNCon
        type=tunnel
        authby=secret
        Ikelifetime=86400s
        phase2=esp
        Phase2alg=3des-md5;modp1536
        lifetime=3600s
        forceencaps=yes
        pfs=no
        keyexchange=ike
        left=1.2.3.4
        leftnexthop=%defaultroute
        right=5.6.7.8
        rightnexthop=%defaultroute
        rekey=yes
        remote_peer_type=cisco
        auto=start
###################################################


###################### LOG #############################
Feb  1 10:55:16 box1 ipsec__plutorun: Starting Pluto subsystem...
Feb  1 10:55:16 box1 pluto[12241]: Starting Pluto (Openswan Version 2.6.37;
Vendor ID OEu\134d\134jy\134\134ap) pid:12241
Feb  1 10:55:16 box1 pluto[12241]: LEAK_DETECTIVE support [disabled]
Feb  1 10:55:16 box1 pluto[12241]: OCF support for IKE [disabled]
Feb  1 10:55:16 box1 pluto[12241]: SAref support [disabled]: Protocol not
available
Feb  1 10:55:16 box1 pluto[12241]: SAbind support [disabled]: Protocol not
available
Feb  1 10:55:16 box1 pluto[12241]: NSS support [disabled]
Feb  1 10:55:16 box1 pluto[12241]: HAVE_STATSD notification support not
compiled in
Feb  1 10:55:16 box1 pluto[12241]: Setting NAT-Traversal port-4500 floating
to on
Feb  1 10:55:16 box1 pluto[12241]:    port floating activation criteria
nat_t=1/port_float=1
Feb  1 10:55:16 box1 pluto[12241]:    NAT-Traversal support  [enabled]
Feb  1 10:55:16 box1 pluto[12241]: using /dev/urandom as source of random
entropy
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Feb  1 10:55:16 box1 pluto[12241]: starting up 1 cryptographic helpers
Feb  1 10:55:16 box1 pluto[12248]: using /dev/urandom as source of random
entropy
Feb  1 10:55:16 box1 pluto[12241]: started helper pid=12248 (fd:6)
Feb  1 10:55:16 box1 pluto[12241]: Using Linux 2.6 IPsec interface code on
2.6.18-194.17.1.el5 (experimental code)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_ccm_8: Ok (ret=0)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_ccm_12: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_ccm_16: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_gcm_8: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_gcm_12: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb  1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_gcm_16: FAILED (ret=-17)
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory
'/etc/ipsec.d/cacerts'
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory
'/etc/ipsec.d/aacerts'
Feb  1 10:55:16 box1 pluto[12241]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Feb  1 10:55:16 box1 pluto[12241]: Changing to directory '/etc/ipsec.d/crls'
Feb  1 10:55:16 box1 pluto[12241]:   Warning: empty directory
Feb  1 10:55:16 box1 pluto[12241]: added connection description "VPNCon"
Feb  1 10:55:17 box1 pluto[12241]: listening for IKE messages
Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:500
Feb  1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:4500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:4500
Feb  1 10:55:17 box1 pluto[12241]: adding interface lo/lo ::1:500
Feb  1 10:55:17 box1 pluto[12241]: loading secrets from "/etc/ipsec.secrets"
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: initiating Main Mode
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: enabling possible
NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
[Cisco-Unity]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
[Dead Peer Detection]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: ignoring unknown Vendor ID
payload [3c1f79790ca4ddd867fa2623b80ac34b]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
[XAUTH]
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Feb  1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Feb  1 10:55:18 box1 pluto[12241]: | protocol/port in Phase 1 ID Payload is
17/0. accepted with port_floating NAT-T
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: Main mode peer ID is
ID_IPV4_ADDR: '5.6.7.8'
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: received and ignored
informational message
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: starting keying attempt 2
of an unlimited number
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #3: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1
msgid:91d29c32 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #1: received and ignored
informational message
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: max number of
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #3: starting keying attempt 3
of an unlimited number
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1
msgid:fd01f2eb proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:57:38 box1 pluto[12241]: "VPNCon" #1: received and ignored
informational message

###################################################
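The following is an added example, not part of the original post and not Openswan code: a small Python triage script that re-joins the pluto log lines the mail archive wrapped and reports, per connection, whether Phase 1 completed, which Quick Mode proposal was offered, and which notify and timeout followed. The function names and verdict labels are illustrative assumptions; the sample input is copied from the log above.

```python
import re
# Added example; names below are illustrative. SAMPLE is constructed from the
# log in the post, still wrapped the way the mail archive wrapped it.
SAMPLE = '''\
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb  1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb  1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal
'''

STAMP = re.compile(r'^[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d ')
ENTRY = re.compile(r'pluto\[\d+\]: "([^"]+)" #\d+: (.*)')
RULES = {
    "phase1":   re.compile(r'ISAKMP SA established \{([^}]*)\}'),
    "offers":   re.compile(r'initiating Quick Mode .*(proposal=\S+ pfsgroup=[^}\s]+)'),
    "notifies": re.compile(r'informational payload, type ([A-Z_]+)'),
    "timeouts": re.compile(r'max number of retransmissions \(\d+\) reached (STATE_\w+)'),
}

def unwrap(text):  # only a line starting with a syslog timestamp begins a new entry
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text):  # per connection name: list of captures for each rule
    conns = {}
    for m in filter(None, map(ENTRY.search, unwrap(text))):
        c = conns.setdefault(m[1], {key: [] for key in RULES})
        for key, rx in RULES.items():
            if (hit := rx.search(m[2])):
                c[key].append(hit[1])
    return conns

def verdict(c):  # name the phase at which negotiation stopped
    if not c["phase1"]:
        return "phase1-incomplete"
    if "STATE_QUICK_I1" not in c["timeouts"]:
        return "phase2-not-failed"
    rejected = "NO_PROPOSAL_CHOSEN" in c["notifies"]
    return "phase2-proposal-rejected" if rejected else "phase2-no-response"
```

On the sample, `verdict(summarize(SAMPLE)["VPNCon"])` returns `phase2-proposal-rejected`: the ISAKMP SA is established, and the notify and timeout follow the Quick Mode offer recorded under `offers`.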