RE: [VPN] FreeSWAN CA 2.02 x PIX - Trouble in phase 2

Alberto Fabiano alberto at combat.com.br
Thu Oct 2 07:58:07 EDT 2003


Hi Jean-Francois,

	I have already done some experiments, and I have now verified that the trouble
is at the following point:

	- ignoring informational payload, type NO_PROPOSAL_CHOSEN

	- max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable
response to our first Quick Mode message: perhaps peer likes no proposal

      I found several references to this message (some 18 on Google), but up
to now I have not managed to identify what it actually is, maybe because of my poor
experience with FreeSWAN.

	Thanks to all for the help, but I am still looking for a light! :-)


Att.
[]´s++

./alberto -fabiano




> -----Original Message-----
> From: Jean-Francois Dive [mailto:jef at linuxbe.org]
> Sent: Tuesday, September 30, 2003 08:02
> To: Alberto Fabiano
> Cc: Vpn
> Subject: Re: [VPN] FreeSWAN CA 2.02 x PIX - Trouble in phase 2
>
>
> You don't see the answer from the PIX; it sounds like the problem is in the
> PIX or FreeS/WAN side phase 2 parameter negotiation. I would have expected the
> PIX to send back an informational message. Send us the PIX logs /
> config related to IPsec. Check that the selectors (proxy identities in
> Cisco terms) match properly.
>
> JeF
>
> On Sun, 2003-09-28 at 01:22, Alberto Fabiano wrote:
> > Sirs,
> >
> > 	After exhausting research on Google and reading several
> > materials, I have arrived at the conclusion that I urgently need help! :-)
> >
> > 	I have a FreeS/WAN CA 2.02 and have been trying for some days to
> > establish a tunnel with a PIX using 3DES, MD5, IKE DH group 2 and PSK,
> > and I am not succeeding in phase 2 of IPsec. Could anybody offer some
> > help?
> >
> > 	Initially, I managed to bring up the VPN (phase 1 and 2) and ran
> > some tests without a lot of headaches, but now I don't know why I can
> > no longer bring it up.
> >
> > 	Below are the relevant parts of my ipsec.conf and the whack status
> > related to this tunnel.
> >
> >
> > # cat /var/chroot-ipsec/etc/ipsec.conf
> >
> > #
> > # Default Configuration File for FreeS/WAN IPSEC
> > #
> >
> > config setup
> >         interfaces="ipsec0=eth0"
> >         klipsdebug=none
> >         plutodebug=all
> >         dumpdir=
> >         manualstart=
> >         fragicmp=no
> >         packetdefault=drop
> >         hidetos=yes
> >         uniqueids=yes
> >         overridemtu=16260
> >         nocrsend=yes
> >         nat_traversal=yes
> >         keep_alive=60
> >
> > conn %default
> >         rekeymargin=9m
> >         rekeyfuzz=100%
> >         keyingtries=0
> >
> > conn VPN_5
> >         type=tunnel
> >         keyexchange=ike
> >         pfsgroup=modp1024
> >         pfs=yes
> >         auto=start
> >         authby=secret
> >         ike=3des-md5-modp1024
> >         esp=3des-md5-96
> >         keylife=28800
> >         ikelifetime=2880
> >         compress=no
> >         left=192.168.1.22
> >         leftsubnet=192.168.1.5/255.255.255.255
> >         leftnexthop=10.10.1.119
> >         right=10.10.18.143
> >         rightsubnet=10.10.18.146/255.255.255.255
> >         rightnexthop=10.10.38.10
> >         leftupdown="/opt/_updown 2>/tmp/log 1>/tmp/log"
> >         rightupdown="/opt/_updown 2>/tmp/log 1>/tmp/log"
> >         leftid=192.168.1.22
> >         rightid=10.10.18.143
> >
> >
> > # chroot /var/chroot-ipsec/ /usr/local/lib/ipsec/whack --status
> >
> > 000 interface ipsec0/eth0 192.168.1.22
> > 000 interface ipsec0/eth0 192.168.1.22
> > 000
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> > 000
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000
> > 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,6,36} trans={0,6,96} attrs={0,6,160}
> > 000
> >
> > 000 "VPN_5": 192.168.1.5/32===192.168.1.22---10.10.1.119...10.10.38.10---10.10.18.143===10.10.18.146/32
> > 000 "VPN_5":   ike_life: 2880s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "VPN_5":   policy: PSK+ENCRYPT+TUNNEL+PFS; interface: eth0; trap erouted
> > 000 "VPN_5":   newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
> > 000 "VPN_5":   IKE algorithms wanted: 5_000-1-2, flags=-strict
> > 000 "VPN_5":   IKE algorithms found:  5_192-1_128-2,
> > 000 "VPN_5":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> > 000 "VPN_5":   ESP algorithms wanted: 3_000-1, ; pfsgroup=2; flags=strict
> > 000 "VPN_5":   ESP algorithms loaded: 3_168-1_128,
> > 000
> > 000 #6: "VPN_5" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s
> > 000 #1: "VPN_5" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1673s; newest ISAKMP
> > 000
> >
> >
> > 	Awaiting help for my problem...
> >
> > Thanks for all!!!
> > - Kind Regards.
> >
> >
> >
> > Alberto Fabiano Caires de Medeiros
> >
> --------------------------------------------------------------------------
> > e-mail: alberto at combat.com.br
> >
> --------------------------------------------------------------------------
> >
> >
> >
> > ---
> > Outgoing mail is certified Virus Free.
> > Checked by AVG anti-virus system (http://www.grisoft.com).
> > Version: 6.0.521 / Virus Database: 319 - Release Date: 23/9/2003
> >
> > _______________________________________________
> > VPN mailing list
> > VPN at lists.shmoo.com
> > http://lists.shmoo.com/mailman/listinfo/vpn
> --
>
> -> Jean-Francois Dive
> --> jef at linuxbe.org
>
> I think that God in creating Man somewhat overestimated his ability.
> -- Oscar Wilde
>
>
>




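The symptom in this thread (phase 1 up, Quick Mode retransmitted, peer answers NO_PROPOSAL_CHOSEN) is what a PIX produces when the phase 2 proposal does not match its crypto map entry: the proxy identities are not an exact mirror of its crypto ACL, the ESP transform set differs, or PFS is set differently on the two sides. The checker below is an added example and is not code from this thread or from the FreeS/WAN project. It parses the conn VPN_5 posted above out of ipsec.conf text and compares it against a PIX crypto configuration; the PIX side is entirely constructed (the thread never shows it), and its ACL is deliberately written with a /24 on the FreeS/WAN side so that the selector check has something to flag. The name-to-keyword tables (ESP_MAP, PFS_MAP) cover only the algorithms that appear in the posted configuration plus their obvious siblings.

```python
"""Phase 2 (Quick Mode) proposal checker for a FreeS/WAN <-> Cisco PIX tunnel.

Added example, not code from the thread or from FreeS/WAN. It compares the
three parameters a PIX most often rejects with NO_PROPOSAL_CHOSEN in Quick
Mode: mirrored proxy identities (crypto ACL vs leftsubnet/rightsubnet), the
ESP transform set, and the PFS group.
"""
import ipaddress

# The conn as posted in the thread, trimmed to the phase-2-relevant keys.
IPSEC_CONF = """\
conn VPN_5
        type=tunnel
        pfs=yes
        pfsgroup=modp1024
        ike=3des-md5-modp1024
        esp=3des-md5-96
        left=192.168.1.22
        leftsubnet=192.168.1.5/255.255.255.255
        right=10.10.18.143
        rightsubnet=10.10.18.146/255.255.255.255
"""

# Constructed PIX configuration (assumption: the thread never shows the PIX side).
# The ACL deliberately names a /24 on the FreeS/WAN side so the check flags it.
PIX_CONF = """\
access-list VPN_5 permit ip host 10.10.18.146 192.168.1.0 255.255.255.0
crypto ipsec transform-set FSWAN esp-3des esp-md5-hmac
crypto map OUTSIDE 10 ipsec-isakmp
crypto map OUTSIDE 10 match address VPN_5
crypto map OUTSIDE 10 set peer 192.168.1.22
crypto map OUTSIDE 10 set transform-set FSWAN
crypto map OUTSIDE 10 set pfs group2
"""

# FreeS/WAN esp= names vs PIX transform-set keywords; FreeS/WAN pfsgroup vs PIX group.
ESP_MAP = {"3des-md5-96": {"esp-3des", "esp-md5-hmac"},
           "3des-sha1-96": {"esp-3des", "esp-sha-hmac"}}
PFS_MAP = {"modp768": "group1", "modp1024": "group2", "modp1536": "group5"}


def parse_conn(text, name):
    """Return the key=value pairs of one conn section of ipsec.conf as a dict."""
    section, conf = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            section = line.split(None, 1)[1]
        elif section == name and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip('"')
    return conf


def freeswan_phase2(conf):
    """(local_net, remote_net, ESP keyword set, PFS group or None) for one conn."""
    def net(side):  # leftsubnet/rightsubnet, else the gateway itself as a /32
        return ipaddress.ip_network(conf.get(side + "subnet", conf[side] + "/32"), strict=False)
    pfs = None
    if conf.get("pfs", "yes") == "yes":
        # Without pfsgroup=, FreeS/WAN reuses the phase 1 DH group from ike=.
        pfs = PFS_MAP[conf.get("pfsgroup") or conf["ike"].split("-")[-1]]
    return net("left"), net("right"), ESP_MAP[conf["esp"]], pfs


def _take_addr(toks):
    """Consume one PIX ACL address spec (host X | any | NET MASK) from toks."""
    head = toks.pop(0)
    if head == "host":
        return ipaddress.ip_network(toks.pop(0) + "/32")
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network("%s/%s" % (head, toks.pop(0)), strict=False)


def pix_phase2(text, map_name, seq):
    """(local_net, remote_net, list of transform keyword sets, PFS group or None)."""
    prefix = "crypto map %s %d " % (map_name, seq)
    tsets, acl, tset_names, pfs = {}, None, [], None
    for line in text.splitlines():
        toks = line.split()
        if toks[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[toks[3]] = set(toks[4:])
        elif line.startswith(prefix):
            rest = toks[4:]
            if rest[:2] == ["match", "address"]:
                acl = rest[2]
            elif rest[:2] == ["set", "transform-set"]:
                tset_names = rest[2:]
            elif rest[:2] == ["set", "pfs"]:
                pfs = rest[2] if len(rest) > 2 else "group1"  # PIX default if omitted
    local = remote = None
    for line in text.splitlines():
        toks = line.split()
        if toks[:4] == ["access-list", acl, "permit", "ip"]:
            rest = toks[4:]
            local, remote = _take_addr(rest), _take_addr(rest)  # source, destination
    return local, remote, [tsets[n] for n in tset_names], pfs


def check_phase2(ipsec_text, conn, pix_text, map_name, seq):
    """Compare both sides; return a list of mismatch descriptions (empty = consistent)."""
    fs_local, fs_remote, fs_esp, fs_pfs = freeswan_phase2(parse_conn(ipsec_text, conn))
    pix_local, pix_remote, pix_ts, pix_pfs = pix_phase2(pix_text, map_name, seq)
    problems = []
    # The PIX ACL is written from the PIX's point of view (source = its side,
    # destination = the FreeS/WAN side). Quick Mode IDs must mirror exactly.
    if (fs_local, fs_remote) != (pix_remote, pix_local):
        problems.append("selector mismatch: FreeS/WAN proposes %s<->%s, PIX ACL expects %s<->%s"
                        % (fs_local, fs_remote, pix_remote, pix_local))
    if fs_esp not in pix_ts:
        problems.append("ESP transform mismatch: FreeS/WAN %s, PIX %s"
                        % (sorted(fs_esp), [sorted(t) for t in pix_ts]))
    if fs_pfs != pix_pfs:
        problems.append("PFS mismatch: FreeS/WAN %s, PIX %s" % (fs_pfs, pix_pfs))
    return problems


if __name__ == "__main__":
    for p in check_phase2(IPSEC_CONF, "VPN_5", PIX_CONF, "OUTSIDE", 10) or ["phase 2 parameters line up"]:
        print(p)
```

Run against the constructed PIX snippet it reports only the selector mismatch (the transform set and group2 agree with esp=3des-md5-96 and pfsgroup=modp1024), which is exactly the case where the PIX stays silent or answers NO_PROPOSAL_CHOSEN rather than completing Quick Mode; narrowing the ACL to `host 192.168.1.5` makes the report empty. On the real PIX, `show crypto ipsec sa` and `debug crypto ipsec` show which of the three the box is actually rejecting.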