[Openswan Users] Max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Sam
nu.ecsa at gmail.com
Wed Feb 1 05:20:56 EST 2012
Hi,
I have successfully installed Openswan but there seems to be an issue with the
connection to the Cisco VPN. From the logs I am seeing something like "*No
acceptable response to our first Quick Mode message: perhaps peer likes no
proposal*".
Below is the full log and my config. I will really appreciate your help.
###################### CONFIG #############################
config setup
    interfaces=%defaultroute
    plutoopts="--perpeerlog"
    protostack=netkey

conn VPNCon
    type=tunnel
    authby=secret
    Ikelifetime=86400s
    phase2=esp
    Phase2alg=3des-md5;modp1536
    lifetime=3600s
    forceencaps=yes
    pfs=no
    keyexchange=ike
    left=1.2.3.4
    leftnexthop=%defaultroute
    right=5.6.7.8
    rightnexthop=%defaultroute
    rekey=yes
    remote_peer_type=cisco
    auto=start
###################################################
###################### LOG #############################
Feb 1 10:55:16 box1 ipsec__plutorun: Starting Pluto subsystem...
Feb 1 10:55:16 box1 pluto[12241]: Starting Pluto (Openswan Version 2.6.37;
Vendor ID OEu\134d\134jy\134\134ap) pid:12241
Feb 1 10:55:16 box1 pluto[12241]: LEAK_DETECTIVE support [disabled]
Feb 1 10:55:16 box1 pluto[12241]: OCF support for IKE [disabled]
Feb 1 10:55:16 box1 pluto[12241]: SAref support [disabled]: Protocol not
available
Feb 1 10:55:16 box1 pluto[12241]: SAbind support [disabled]: Protocol not
available
Feb 1 10:55:16 box1 pluto[12241]: NSS support [disabled]
Feb 1 10:55:16 box1 pluto[12241]: HAVE_STATSD notification support not
compiled in
Feb 1 10:55:16 box1 pluto[12241]: Setting NAT-Traversal port-4500 floating
to on
Feb 1 10:55:16 box1 pluto[12241]: port floating activation criteria
nat_t=1/port_float=1
Feb 1 10:55:16 box1 pluto[12241]: NAT-Traversal support [enabled]
Feb 1 10:55:16 box1 pluto[12241]: using /dev/urandom as source of random
entropy
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Feb 1 10:55:16 box1 pluto[12241]: starting up 1 cryptographic helpers
Feb 1 10:55:16 box1 pluto[12248]: using /dev/urandom as source of random
entropy
Feb 1 10:55:16 box1 pluto[12241]: started helper pid=12248 (fd:6)
Feb 1 10:55:16 box1 pluto[12241]: Using Linux 2.6 IPsec interface code on
2.6.18-194.17.1.el5 (experimental code)
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_ccm_8: Ok (ret=0)
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_ccm_12: FAILED (ret=-17)
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_ccm_16: FAILED (ret=-17)
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_gcm_8: FAILED (ret=-17)
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_gcm_12: FAILED (ret=-17)
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already
exists
Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating
aes_gcm_16: FAILED (ret=-17)
Feb 1 10:55:16 box1 pluto[12241]: Changed path to directory
'/etc/ipsec.d/cacerts'
Feb 1 10:55:16 box1 pluto[12241]: Changed path to directory
'/etc/ipsec.d/aacerts'
Feb 1 10:55:16 box1 pluto[12241]: Changed path to directory
'/etc/ipsec.d/ocspcerts'
Feb 1 10:55:16 box1 pluto[12241]: Changing to directory '/etc/ipsec.d/crls'
Feb 1 10:55:16 box1 pluto[12241]: Warning: empty directory
Feb 1 10:55:16 box1 pluto[12241]: added connection description "VPNCon"
Feb 1 10:55:17 box1 pluto[12241]: listening for IKE messages
Feb 1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:500
Feb 1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:4500
Feb 1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:500
Feb 1 10:55:17 box1 pluto[12241]: adding interface lo/lo 127.0.0.1:4500
Feb 1 10:55:17 box1 pluto[12241]: adding interface lo/lo ::1:500
Feb 1 10:55:17 box1 pluto[12241]: loading secrets from "/etc/ipsec.secrets"
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: initiating Main Mode
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: enabling possible
NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
[Cisco-Unity]
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
[Dead Peer Detection]
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: ignoring unknown Vendor ID
payload [3c1f79790ca4ddd867fa2623b80ac34b]
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload
[XAUTH]
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Feb 1 10:55:18 box1 pluto[12241]: | protocol/port in Phase 1 ID Payload is
17/0. accepted with port_floating NAT-T
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: Main mode peer ID is
ID_IPV4_ADDR: '5.6.7.8'
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: received and ignored
informational message
Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal
Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #2: starting keying attempt 2
of an unlimited number
Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #3: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1
msgid:91d29c32 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #1: received and ignored
informational message
Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #3: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal
Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #3: starting keying attempt 3
of an unlimited number
Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1
msgid:fd01f2eb proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #1: received and ignored
informational message
###################################################
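
A triage script for a pluto log like the one above, added here as an example and not part of the original post: it rejoins the mail-wrapped lines, then reports connections where Phase 1 completed, the peer sent NO_PROPOSAL_CHOSEN, and Quick Mode timed out in STATE_QUICK_I1. The function names are hypothetical. Because the notify arrives on the ISAKMP SA (#1) with msgid=00000000, it is correlated by connection name only.

```python
import re

# Excerpt of the log above, wrapped as the archive shows it. Names below are illustrative.
SAMPLE = '''\
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_sha group=modp1024}
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our
first Quick Mode message: perhaps peer likes no proposal
'''

WRAP = re.compile(r'\n(?![A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )')
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
PATTERNS = {
    'phase1': re.compile(r'ISAKMP SA established \{.*cipher=(?P<cipher>\S+) prf=(?P<prf>\S+) group=(?P<group>[^}\s]+)'),
    'offer': re.compile(r'initiating Quick Mode .*proposal=(?P<prop>\S+) pfsgroup=(?P<pfs>[^}\s]+)'),
    'notify': re.compile(r'informational payload, type (?P<type>[A-Z_]+)'),
    'timeout': re.compile(r'max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)'),
}

def unwrap(text):
    """Rejoin continuation lines: any newline not followed by a syslog timestamp."""
    return WRAP.sub(' ', text).splitlines()

def triage(text):
    """Group Phase 1 results, Quick Mode offers, peer notifies and timeouts by connection."""
    report = {}
    for line in unwrap(text):
        m = LINE.search(line)
        if not m:
            continue
        events = report.setdefault(m['conn'], {kind: [] for kind in PATTERNS})
        for kind, rx in PATTERNS.items():
            if hit := rx.search(m['msg']):
                events[kind].append(hit.groupdict())
    return report

def phase2_rejected(report):
    """Connections whose Phase 1 completed but whose Quick Mode offer the peer refused."""
    return {conn: sorted({(o['prop'], o['pfs']) for o in ev['offer']})
            for conn, ev in report.items()
            if ev['phase1'] and any(n['type'] == 'NO_PROPOSAL_CHOSEN' for n in ev['notify'])
            and any(t['state'] == 'STATE_QUICK_I1' for t in ev['timeout'])}
```

For the excerpt, `phase2_rejected(triage(SAMPLE))` names VPNCon with the single offer 3DES(3)_192-MD5(1)_128 and no PFS, which is the proposal to compare against the Phase 2 settings on the peer.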