[Openswan Users] NO_PROPOSAL_CHOSEN error while connecting
Viacheslav Dushin
slava333 at gmail.com
Tue Apr 16 18:40:06 UTC 2013
tunnel is up. it was a misconfiguration error -- wrong subnet.
2013/4/16 Viacheslav Dushin <slava333 at gmail.com>
> I realized that the problem is somewhere here:
> >000 "telphin": IKE algorithms wanted:
> 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5),
> 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
> >000 "telphin": IKE algorithms found:
> 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> >000 "telphin": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
> >000 "telphin": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
> flags=-strict
> >000 "telphin": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
>
> But I still don't understand how to strictly specify the algorithms it
> needs.
>
>
> 2013/4/16 Viacheslav Dushin <slava333 at gmail.com>
>
>> Hi, everybody.
>> First of all, thanks for the answers
>>
>> I also have some stupid questions: what does all these states mean? What
>> is the last state after establishing a connection?
>>
>> In some tutorials PKS is inside brackets, but on in the other ones it's
>> without them. Which one is correct? My PKS contains letters and numbers
>> only:
>>
>> my /etc/ipsec.secrets file
>>
>>
>> # this file is managed with debconf and will contain the automatically
>> created RSA keys
>> #include /var/lib/openswan/ipsec.secrets.inc
>>
>> 1.1.1.123 2.2.2.2: PSK XXXXXX
>>
>> /etc/ipsec.secrets file ends
>>
>> Also does anybody have succeeded in using openswan on XEN VPS and/or
>> Cisco-Unity? Maybe the problem is in XEN or Cisco-Unity.
>>
>> I'll keep digging.
>>
>> Thanks, Slava
>>
>> 2013/4/16 Simon Deziel <simon at xelerance.com>
>> > Hi Slava,
>> >
>> > On 13-04-15 10:59 AM, Viacheslav Dushin wrote:
>> > > Hi, I'm trying to create site-to-site connection
>> > >
>> > >
>> > > My provider sent me the following settings:
>> > >
>> > >>VPN server address – 2.2.2.2
>> > >>Client subnet 10.128.139.0/24 <http://10.128.139.0/24>
>> > >>Destiantion subnet - 10.128.0.0/24 <http://10.128.0.0/24>
>> > >>PSK: – XXXXXXXXX
>> > >>VPN mode: – tunnel, PSK, 3DES encryption, hash: SHA1, UDP
>> encapsulation
>> >
>> > UDP encapsulation means you should enable nat_traversal and might also
>> > need to use "forceencaps=yes" for the connection. You might also need to
>> > disable PFS but this should be confirmed with the remote side.
>> >
>> > HTH,
>> > Simon
>>
>> What if I don't need nat traversal? I have no NAT on my server. Or is it
>> my provider, who is behind NAT?
>>
>>
>> 2013/4/15 Gertjan Baarda <gertjan.baarda at gmail.com>
>> > This message can appear for various reasons, most likely both sides
>> can't agree on the IKE params.
>> > Try:
>> > pfs=no
>> > ike=3des-sha1-modp1024
>> > esp=3des-sha1
>> > (notice the removed exclamation point)
>> >
>> > or else:
>> > pfs=no
>> > ike=3des-sha1
>> > esp=3des-sha1
>>
>> Still the same: with modp1024 or without it hangs on STATE_MAIN_I4
>>
>>
>> 2013/4/15 Leto <letoams at gmail.com>
>> > try modp1536 and/or pfs=no
>> >
>> > sent from a tiny device
>> In case of modp1536 or modp2048 it hangs on the first stage
>> (STATE_MAIN_I1)
>>
>>
>>
>> 2013/4/16 Simon Deziel <simon at xelerance.com>
>>
>>> Hi Slava,
>>>
>>> On 13-04-15 10:59 AM, Viacheslav Dushin wrote:
>>> > Hi, I'm trying to create site-to-site connection
>>> >
>>> >
>>> > My provider sent me the following settings:
>>> >
>>> >>VPN server address – 2.2.2.2
>>> >>Client subnet 10.128.139.0/24 <http://10.128.139.0/24>
>>> >>Destiantion subnet - 10.128.0.0/24 <http://10.128.0.0/24>
>>> >>PSK: – XXXXXXXXX
>>> >>VPN mode: – tunnel, PSK, 3DES encryption, hash: SHA1, UDP
>>> encapsulation
>>>
>>> UDP encapsulation means you should enable nat_traversal and might also
>>> need to use "forceencaps=yes" for the connection. You might also need to
>>> disable PFS but this should be confirmed with the remote side.
>>>
>>> HTH,
>>> Simon
>>>
>>> > I configured it accordingly, but it doesn't want to connect:
>>> >
>>> > It fails with "NO_PROPOSAL_CHOSEN"
>>> >
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from
>>> state
>>> > STATE_MAIN_I3 to state STATE_MAIN_I4
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4:
>>> ISAKMP
>>> > SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
>>> > prf=oakley_sha group=modp1024}
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick
>>> Mode
>>> > PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
>>> > msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160
>>> > pfsgroup=OAKLEY_GROUP_MODP1024}
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring
>>> > informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received and ignored
>>> > informational message
>>> >
>>> >
>>> > Openswan version: Linux Openswan U2.6.38/K3.1.0-1.2-xen (netkey)
>>> >
>>> >
>>> > 1.1.1.123 is my local address
>>> > 1.1.1.1 is my default gateway
>>> > 2.2.2.2 is remote server address
>>> >
>>> >
>>> > Thanks, Slava
>>> >
>>> >
>>> > See all logs and configs below:
>>> >
>>> >
>>> > ipsec.conf start
>>> >
>>> >
>>> > # /etc/ipsec.conf - Openswan IPsec configuration file
>>> >
>>> > # This file: /usr/share/doc/openswan/ipsec.conf-sample
>>> > #
>>> > # Manual: ipsec.conf.5
>>> >
>>> >
>>> > version2.0# conforms to second version of ipsec.conf specification
>>> >
>>> > # basic configuration
>>> > config setup
>>> > #interfaces="%defaultroute"
>>> > # Do not set debug options to debug configuration issues!
>>> > # plutodebug / klipsdebug = "all", "none" or a combation from below:
>>> > # "raw crypt parsing emitting control klips pfkey natt x509 dpd
>>> private"
>>> > # eg:
>>> > # plutodebug="control parsing"
>>> > # Again: only enable plutodebug or klipsdebug when asked by a developer
>>> > #
>>> > # enable to get logs per-peer
>>> > # plutoopts="--perpeerlog"
>>> > #
>>> > # Enable core dumps (might require system changes, like ulimit -C)
>>> > # This is required for abrtd to work properly
>>> > # Note: incorrect SElinux policies might prevent pluto writing the core
>>> > dumpdir=/var/run/pluto/
>>> > #
>>> > # NAT-TRAVERSAL support, see README.NAT-Traversal
>>> > nat_traversal=no
>>> > # exclude networks used on server side by adding %v4:!a.b.c.0/24
>>> > # It seems that T-Mobile in the US and Rogers/Fido in Canada are
>>> > # using 25/8 as "private" address space on their 3G network.
>>> > # This range has not been announced via BGP (at least upto 2010-12-21)
>>> > virtual_private=%v4:
>>> 10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>> > <
>>> http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
>>> >
>>> > # OE is now off by default. Uncomment and change to on, to enable.
>>> > oe=off
>>> > # which IPsec stack to use. auto will try netkey, then klips then mast
>>> > protostack=netkey
>>> > # Use this to log to a file, or disable logging on embedded systems
>>> > (like openwrt)
>>> > #plutostderrlog=/dev/null
>>> >
>>> >
>>> > # Add connections here
>>> >
>>> > # sample VPN connection
>>> > # for more examples, see /etc/ipsec.d/examples/
>>> > #conn sample
>>> > ## Left security gateway, subnet behind it, nexthop toward right.
>>> > #left=10.0.0.1
>>> > #leftsubnet=172.16.0.0/24 <http://172.16.0.0/24>
>>> > #leftnexthop=10.22.33.44
>>> > ## Right security gateway, subnet behind it, nexthop toward left.
>>> > #right=10.12.12.1
>>> > #rightsubnet=192.168.0.0/24 <http://192.168.0.0/24>
>>> > #rightnexthop=10.101.102.103
>>> > ## To authorize this connection, but not actually start it,
>>> > ## at startup, uncomment this.
>>> > ##auto=add
>>> >
>>> >
>>> > conn telphin
>>> > left=1.1.1.123 # left for local
>>> > leftsubnet=10.128.139.0/24 <http://10.128.139.0/24>
>>> > leftnexthop=%defaultroute
>>> > right=2.2.2.2 # right for remote
>>> > rightsubnet=10.128.0.0/24 <http://10.128.0.0/24>
>>> > rightnexthop=%defaultroute
>>> > type=tunnel
>>> > authby=secret
>>> > auto=start
>>> > auth=esp
>>> > keyexchange=ike
>>> > ike=3des-sha1-modp1024!
>>> > esp=3des-sha1!
>>> > pfs=yes
>>> >
>>> > ipsec.conf end
>>> >
>>> >
>>> > status start
>>> >
>>> > ipsec auto --status
>>> > 000 using kernel interface: netkey
>>> > 000 interface lo/lo ::1
>>> > 000 interface lo/lo 127.0.0.1
>>> > 000 interface eth0/eth0 1.1.1.123
>>> > 000 interface tun0/tun0 10.128.139.1
>>> > 000 %myid = (none)
>>> > 000 debug none
>>> > 000
>>> > 000 virtual_private (%priv):
>>> > 000 - allowed 6 subnets: 10.0.0.0/8 <http://10.0.0.0/8>,
>>> 192.168.0.0/16
>>> > <http://192.168.0.0/16>, 172.16.0.0/12 <http://172.16.0.0/12>,
>>> > 25.0.0.0/8 <http://25.0.0.0/8>, fd00::/8, fe80::/10
>>> > 000 - disallowed 0 subnets:
>>> > 000 WARNING: Disallowed subnets in virtual_private= is empty. If you
>>> have
>>> > 000 private address space in internal use, it should be
>>> excluded!
>>> > 000
>>> > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
>>> > keysizemax=64
>>> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
>>> keysizemin=192,
>>> > keysizemax=192
>>> > 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40,
>>> > keysizemax=128
>>> > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
>>> > keysizemin=40, keysizemax=448
>>> > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
>>> > keysizemax=0
>>> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
>>> keysizemin=128,
>>> > keysizemax=256
>>> > 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
>>> > keysizemin=160, keysizemax=288
>>> > 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>>> > keysizemin=128, keysizemax=256
>>> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>>> > keysizemin=128, keysizemax=128
>>> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>>> > keysizemin=160, keysizemax=160
>>> > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
>>> > keysizemin=256, keysizemax=256
>>> > 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
>>> > keysizemin=384, keysizemax=384
>>> > 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
>>> > keysizemin=512, keysizemax=512
>>> > 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
>>> > keysizemin=160, keysizemax=160
>>> > 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
>>> > keysizemin=128, keysizemax=128
>>> > 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME,
>>> > keysizemin=0, keysizemax=0
>>> > 000
>>> > 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,
>>> keydeflen=131
>>> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
>>> > keydeflen=192
>>> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
>>> > keydeflen=128
>>> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>>> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>>> > 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>>> > 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>>> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>>> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>>> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
>>> bits=2048
>>> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
>>> bits=3072
>>> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
>>> bits=4096
>>> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
>>> bits=6144
>>> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
>>> bits=8192
>>> > 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>>> > 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>>> > 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>>> > 000
>>> > 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
>>> > trans={0,2,1536} attrs={0,2,2048}
>>> > 000
>>> > 000 "telphin": 10.128.139.0/24===1.1.1.123
>>> > <http://10.128.139.0/24===1.1.1.123
>>> ><1.1.1.123>---1.1.1.1...1.1.1.1---2.2.2.2<2.2.2.2>===10.128.0.0/24
>>> > <http://10.128.0.0/24>; prospective erouted; eroute owner: #0
>>> > 000 "telphin": myip=unset; hisip=unset;
>>> > 000 "telphin": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
>>> > 540s; rekey_fuzz: 100%; keyingtries: 0
>>> > 000 "telphin": policy:
>>> > PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;
>>> > interface: eth0;
>>> > 000 "telphin": newest ISAKMP SA: #1; newest IPsec SA: #0;
>>> > 000 "telphin": IKE algorithms wanted:
>>> > 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=strict
>>> > 000 "telphin": IKE algorithms found:
>>> > 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
>>> > 000 "telphin": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
>>> > 000 "telphin": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000;
>>> > flags=strict
>>> > 000 "telphin": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
>>> > 000
>>> > 000 #2: "telphin":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
>>> > EVENT_RETRANSMIT in 33s; lastdpd=-1s(seq in:0 out:0); idle;
>>> import:admin
>>> > initiate
>>> > 000 #1: "telphin":500 STATE_MAIN_I4 (ISAKMP SA established);
>>> > EVENT_SA_REPLACE in 2792s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0);
>>> > idle; import:admin initiate
>>> > 000
>>> >
>>> > status end
>>> >
>>> >
>>> > log file start
>>> >
>>> > Apr 15 18:34:38 vm12202 ipsec__plutorun: Starting Pluto subsystem...
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: Starting Pluto (Openswan Version
>>> > 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:4039
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: LEAK_DETECTIVE support [disabled]
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: OCF support for IKE [disabled]
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: SAref support [disabled]: Protocol
>>> > not available
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: SAbind support [disabled]:
>>> Protocol
>>> > not available
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: NSS support [disabled]
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: HAVE_STATSD notification support
>>> > not compiled in
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: Setting NAT-Traversal port-4500
>>> > floating to off
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: port floating activation
>>> > criteria nat_t=0/port_float=1
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: NAT-Traversal support
>>> [disabled]
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: using /dev/urandom as source of
>>> > random entropy
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
>>> > OAKLEY_AES_CBC: Ok (ret=0)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash():
>>> Activating
>>> > OAKLEY_SHA2_512: Ok (ret=0)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_hash():
>>> Activating
>>> > OAKLEY_SHA2_256: Ok (ret=0)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: starting up 1 cryptographic
>>> helpers
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: started helper pid=4041 (fd:6)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: Using Linux 2.6 IPsec interface
>>> > code on 3.1.0-1.2-xen (experimental code)
>>> > Apr 15 18:34:38 vm12202 pluto[4041]: using /dev/urandom as source of
>>> > random entropy
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
>>> > aes_ccm_8: Ok (ret=0)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type
>>> > '0', algo_id '0', Algorithm type already exists
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
>>> > aes_ccm_12: FAILED (ret=-17)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type
>>> > '0', algo_id '0', Algorithm type already exists
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
>>> > aes_ccm_16: FAILED (ret=-17)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type
>>> > '0', algo_id '0', Algorithm type already exists
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
>>> > aes_gcm_8: FAILED (ret=-17)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type
>>> > '0', algo_id '0', Algorithm type already exists
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
>>> > aes_gcm_12: FAILED (ret=-17)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_add(): ERROR: algo_type
>>> > '0', algo_id '0', Algorithm type already exists
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: ike_alg_register_enc(): Activating
>>> > aes_gcm_16: FAILED (ret=-17)
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: added connection description
>>> "telphin"
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: listening for IKE messages
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: adding interface tun0/tun0
>>> > 10.128.139.1:500 <http://10.128.139.1:500>
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: adding interface eth0/eth0
>>> > 1.1.1.123:500 <http://1.1.1.123:500>
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo
>>> > 127.0.0.1:500 <http://127.0.0.1:500>
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: adding interface lo/lo ::1:500
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: loading secrets from
>>> > "/etc/ipsec.secrets"
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: initiating Main Mode
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from
>>> state
>>> > STATE_MAIN_I1 to state STATE_MAIN_I2
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I2: sent
>>> > MI2, expecting MR2
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID
>>> > payload [Cisco-Unity]
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID
>>> > payload [Dead Peer Detection]
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring unknown
>>> > Vendor ID payload [24f71717df62d1ed92fbaa8e988a9af6]
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received Vendor ID
>>> > payload [XAUTH]
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from
>>> state
>>> > STATE_MAIN_I2 to state STATE_MAIN_I3
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I3: sent
>>> > MI3, expecting MR3
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: Main mode peer ID is
>>> > ID_IPV4_ADDR: '2.2.2.2'
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: transition from
>>> state
>>> > STATE_MAIN_I3 to state STATE_MAIN_I4
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: STATE_MAIN_I4:
>>> ISAKMP
>>> > SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
>>> > prf=oakley_sha group=modp1024}
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #2: initiating Quick
>>> Mode
>>> > PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1
>>> > msgid:cccf4cf7 proposal=3DES(3)_192-SHA1(2)_160
>>> > pfsgroup=OAKLEY_GROUP_MODP1024}
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: ignoring
>>> > informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
>>> > Apr 15 18:34:38 vm12202 pluto[4039]: "telphin" #1: received and ignored
>>> > informational message
>>> >
>>> > log file end
>>> >
>>> >
>>> > _______________________________________________
>>> > Users at lists.openswan.org
>>> > https://lists.openswan.org/mailman/listinfo/users
>>> > Micropayments:
>>> https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> > Building and Integrating Virtual Private Networks with Openswan:
>>> >
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>> >
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20130416/411d6367/attachment-0001.html>
More information about the Users
mailing list