[Openswan Users] Openswan with netasq ipsec config - problems with phase2.

Grzegorz Sterniczuk grzegorz.sterniczuk at scanx.pl
Sun Feb 26 07:53:36 EST 2012


Hi,

I have to configure a tunnel with Netasq but I have problems with phase 2.

Netasq config on screenshots:
http://img109.imageshack.us/img109/8695/45751804.png
http://img69.imageshack.us/img69/8106/44005501.png
http://img207.imageshack.us/img207/5197/34142370.png
http://img213.imageshack.us/img213/6684/68168842.png
http://img850.imageshack.us/img850/9621/97913156.png
http://img221.imageshack.us/img221/3367/65603381.png
http://img841.imageshack.us/img841/3134/71027302.png

On CentOS 6.2 with openswan-2.6.32-10.el6_2.i686 I have:
conn netasq
	left=213.17.x.x
	leftsubnet=172.28.x.0/24
	leftnexthop=213.17.x.x
	leftsourceip=172.28.x.254
	right=81.210.x.x
	rightsubnet=10.1.x.0/24
	rightsourceip=10.1.x.1
	auto=start
	authby=secret
	pfs=no
	phase2=esp
	phase2alg=aes128-sha1;modp1024
	ikev2=no
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart
	keyexchange=ike
	lifetime=3600s

Trying to bring it up:
# ipsec auto --up netasq
104 "netasq" #35: STATE_MAIN_I1: initiate
003 "netasq" #35: ignoring unknown Vendor ID payload [6ce58ec81f2c49da4aeda2cf4f73ffb4]
003 "netasq" #35: received Vendor ID payload [Dead Peer Detection]
106 "netasq" #35: STATE_MAIN_I2: sent MI2, expecting MR2
108 "netasq" #35: STATE_MAIN_I3: sent MI3, expecting MR3
004 "netasq" #35: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "netasq" #36: STATE_QUICK_I1: initiate
010 "netasq" #36: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "netasq" #36: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "netasq" #36: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "netasq" #36: starting keying attempt 2 of an unlimited number, but releasing whack

In the secure log I get:

Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: initiating Main Mode
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: ignoring unknown Vendor ID payload [6ce58ec81f2c49da4aeda2cf4f73ffb4]
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: received Vendor ID payload [Dead Peer Detection]
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: Main mode peer ID is ID_IPV4_ADDR: '81.210.x.x'
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: Dead Peer Detection (RFC 3706): enabled
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #36: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+SAREFTRACK {using isakmp#35 msgid:bbffbb5d proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: received and ignored informational message
Feb 26 13:39:05 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:39:05 bb-r pluto[18153]: "netasq" #35: received and ignored informational message
Feb 26 13:39:25 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:39:25 bb-r pluto[18153]: "netasq" #35: received and ignored informational message
Feb 26 13:40:05 bb-r pluto[18153]: "netasq" #36: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 26 13:40:05 bb-r pluto[18153]: "netasq" #36: starting keying attempt 2 of an unlimited number, but releasing whack
Feb 26 13:40:05 bb-r pluto[18153]: "netasq" #37: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+SAREFTRACK to replace #36 {using isakmp#35 msgid:35d5350b proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Feb 26 13:40:05 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:40:05 bb-r pluto[18153]: "netasq" #35: received and ignored informational message
Feb 26 13:40:15 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:40:15 bb-r pluto[18153]: "netasq" #35: received and ignored informational message
Feb 26 13:40:35 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:40:35 bb-r pluto[18153]: "netasq" #35: received and ignored informational message
Feb 26 13:41:15 bb-r pluto[18153]: "netasq" #37: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 26 13:41:15 bb-r pluto[18153]: "netasq" #37: starting keying attempt 3 of an unlimited number
Feb 26 13:41:15 bb-r pluto[18153]: "netasq" #39: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+SAREFTRACK to replace #37 {using isakmp#35 msgid:fb29733f proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Feb 26 13:41:15 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:41:15 bb-r pluto[18153]: "netasq" #35: received and ignored informational message
Feb 26 13:41:25 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:41:25 bb-r pluto[18153]: "netasq" #35: received and ignored informational message

Openswan is working in that location with many other vendors (like
Cisco, other Openswan, racoon etc.) successfully and without any
problems.

Tcpdump shows:
13:47:57.222842 IP 213.17.x.x.isakmp > 81.210.x.x.isakmp: isakmp: phase 1 I ident
13:47:57.239348 IP 81.210.x.x.isakmp > 213.17.x.x.isakmp: isakmp: phase 1 R ident
13:47:57.241056 IP 213.17.x.x.isakmp > 81.210.x.x.isakmp: isakmp: phase 1 I ident
13:47:57.292566 IP 81.210.x.x.isakmp > 213.17.x.x.isakmp: isakmp: phase 1 R ident
13:47:57.294760 IP 213.17.x.x.isakmp > 81.210.x.x.isakmp: isakmp: phase 1 I ident[E]
13:47:57.339289 IP 81.210.x.x.isakmp > 213.17.x.x.isakmp: isakmp: phase 1 R ident[E]
13:47:57.339909 IP 213.17.x.x.isakmp > 81.210.x.x.isakmp: isakmp: phase 2/others I oakley-quick[E]
13:47:57.364274 IP 81.210.x.x.isakmp > 213.17.x.x.isakmp: isakmp: phase 2/others R inf[E]
13:48:07.400262 IP 213.17.x.x.isakmp > 81.210.x.x.isakmp: isakmp: phase 2/others I oakley-quick[E]
13:48:07.425180 IP 81.210.x.x.isakmp > 213.17.x.x.isakmp: isakmp: phase 2/others R inf[E]
13:48:27.339883 IP 213.17.x.x.isakmp > 81.210.x.x.isakmp: isakmp: phase 2/others I oakley-quick[E]
13:48:27.340208 IP 213.17.x.x.isakmp > 81.210.x.x.isakmp: isakmp: phase 2/others I inf[E]
13:48:27.364076 IP 81.210.x.x.isakmp > 213.17.x.x.isakmp: isakmp: phase 2/others R inf[E]
13:48:27.378069 IP 81.210.x.x.isakmp > 213.17.x.x.isakmp: isakmp: phase 2/others R inf[E]

Can somebody help me?

Best regards.

-- 
Grzegorz Sterniczuk
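A small log checker, added here and not part of the post, that applies the diagnosis to pluto log lines of the format shown above: it correlates the Quick Mode initiations with the NO_PROPOSAL_CHOSEN notifications (which pluto logs against the parent ISAKMP SA, #35 in the post, rather than the child SA #36 that sent the Quick Mode message) and reports the rejected phase 2 proposal. The sample lines are copied from the post's secure log excerpt; the function and report wording are this example's own.

```python
import re

# Sample lines taken from the post's /var/log/secure excerpt (abbreviated).
SAMPLE_LOG = """\
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #36: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+SAREFTRACK {using isakmp#35 msgid:bbffbb5d proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Feb 26 13:38:55 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:39:05 bb-r pluto[18153]: "netasq" #35: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Feb 26 13:40:05 bb-r pluto[18153]: "netasq" #36: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
QUICK_RE = re.compile(r'initiating Quick Mode .*\{using isakmp#(?P<parent>\d+) msgid:\w+ proposal=(?P<proposal>\S+) pfsgroup=(?P<pfs>\S+)\}')

def diagnose(log_text):
    """Correlate Quick Mode attempts with NO_PROPOSAL_CHOSEN notifications per ISAKMP SA.

    Pluto logs the peer's NO_PROPOSAL_CHOSEN against the parent ISAKMP SA (#35 in the post),
    not against the child SA that initiated Quick Mode (#36), so the two are joined on the
    'using isakmp#N' reference instead of on the SA number printed on each line.
    Returns one finding string per ISAKMP SA whose phase 2 proposal was rejected.
    """
    parents = {}  # ISAKMP SA number -> {"conn", "phase1", "quick", "rejected"}
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        conn, sa, msg = m.group("conn"), m.group("sa"), m.group("msg")
        if msg.startswith("STATE_MAIN_I4: ISAKMP SA established"):
            parents[sa] = {"conn": conn, "phase1": True, "quick": [], "rejected": 0}
        elif (q := QUICK_RE.search(msg)):
            p = parents.setdefault(q.group("parent"), {"conn": conn, "phase1": False, "quick": [], "rejected": 0})
            p["quick"].append((sa, q.group("proposal"), q.group("pfs")))  # child SA and what it offered
        elif "NO_PROPOSAL_CHOSEN" in msg and sa in parents:
            parents[sa]["rejected"] += 1
    findings = []
    for isakmp, p in parents.items():
        if p["phase1"] and p["quick"] and p["rejected"]:
            child, proposal, pfs = p["quick"][-1]
            findings.append(
                f"{p['conn']}: phase 1 up on isakmp#{isakmp}, but peer answered NO_PROPOSAL_CHOSEN "
                f"{p['rejected']}x to Quick Mode (#{child}, proposal={proposal}, pfsgroup={pfs}); "
                "compare the peer's phase 2 ESP transform, PFS group and traffic selectors (subnets)"
            )
    return findings
```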


