[Openswan Users] openSWAN to Cisco IOS
Glenn Henshaw
2006-08-22 15:53:54 UTC
Having resolved some of the protocol incompatibilities, I can now
get the connection to progress past the key exchange. It stops before
bringing up the tunnel declaring "NO_PROPOSAL_CHOSEN". The Cisco end
thinks that the tunnel is up until the keep-alive expires.

What can cause the "NO_PROPOSAL_CHOSEN" message from the Cisco?


... Glenn


openSWAN config:
version 2.0
config setup
    interfaces=%defaultroute
    klipsdebug="none"
    plutodebug="control"
    nat_traversal=yes

conn host
    # host specific configuration
    esp=3des-sha1-1024
    ike=3des-sha1-1024
    pfs=no
    keyexchange=ike
    # basic configuration
    type=tunnel
    left=%defaultroute
    leftnexthop=%defaultroute
    leftid=@xxxxxxxxx
    right=xxx.xxx.xxx.xxx
    rightsubnet=10.0.0.0/8
    authby=secret
    auto=start

# disable opportunistic encryption
include /etc/config/ipsec.d/examples/no_oe.conf

Cisco config (abbreviated):
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 30
crypto isakmp client configuration address-pool local xxxxxxxxxxxx
!
crypto isakmp profile L2L
 keyring QP_Spokes
 match identity address 0.0.0.0
!
crypto ipsec transform-set QP_Set esp-3des esp-sha-hmac
!
crypto dynamic-map xxxxxxxxxxx 40
 set transform-set QP_Set
 set isakmp-profile L2L
!

openSWAN startup:
# ipsec auto --up host
104 "host" #3: STATE_MAIN_I1: initiate
003 "host" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "host" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "host" #3: received Vendor ID payload [Cisco-Unity]
003 "host" #3: received Vendor ID payload [Dead Peer Detection]
003 "host" #3: ignoring unknown Vendor ID payload [0c447920daaa628dce64a39fb745f11d]
003 "host" #3: received Vendor ID payload [XAUTH]
003 "host" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "host" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "host" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "host" #4: STATE_QUICK_I1: initiate
010 "host" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "host" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "host" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "host" #4: starting keying attempt 2 of an unlimited number, but releasing whack


local logs:
<83>Aug 21 16:53:18.406 2006 ipsec__plutorun: Starting Pluto subsystem...
<84>Aug 21 16:53:18.597 2006 pluto[5458]: Starting Pluto (Openswan Version 2.4.5rc6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OESTg[~***@__)
<84>Aug 21 16:53:18.599 2006 pluto[5458]: Setting NAT-Traversal port-4500 floating to on
<84>Aug 21 16:53:18.600 2006 pluto[5458]: port floating activation criteria nat_t=1/port_fload=1
<84>Aug 21 16:53:18.602 2006 pluto[5458]: including NAT-Traversal patch (Version 0.6c)
<87>Aug 21 16:53:18.603 2006 pluto[5458]: | opening /dev/urandom
<87>Aug 21 16:53:18.613 2006 pluto[5458]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
<87>Aug 21 16:53:18.633 2006 pluto[5458]: | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
<84>Aug 21 16:53:18.639 2006 pluto[5458]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
<84>Aug 21 16:53:18.641 2006 pluto[5458]: starting up 1 cryptographic helpers
<87>Aug 21 16:53:18.655 2006 pluto[5461]: | opening /dev/urandom
<84>Aug 21 16:53:18.657 2006 pluto[5458]: started helper pid=5461 (fd:5)
<84>Aug 21 16:53:18.660 2006 pluto[5458]: Using KLIPS IPsec interface code on 2.4.27-uc1
<87>Aug 21 16:53:18.664 2006 pluto[5458]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
<87>Aug 21 16:53:18.673 2006 pluto[5461]: ! helper 0 waiting on fd: 7
<84>Aug 21 16:53:18.701 2006 pluto[5458]: Changing to directory '/etc/config/ipsec.d/cacerts'
<84>Aug 21 16:53:18.749 2006 pluto[5458]: Changing to directory '/etc/config/ipsec.d/aacerts'
<84>Aug 21 16:53:18.751 2006 pluto[5458]: Changing to directory '/etc/config/ipsec.d/ocspcerts'
<84>Aug 21 16:53:18.753 2006 pluto[5458]: Changing to directory '/etc/config/ipsec.d/crls'
<84>Aug 21 16:53:18.755 2006 pluto[5458]: Warning: empty directory
<87>Aug 21 16:53:18.757 2006 pluto[5458]: | inserting event EVENT_LOG_DAILY, timeout in 25602 seconds
<87>Aug 21 16:53:18.758 2006 pluto[5458]: | next event EVENT_SHUNT_SCAN in 120 seconds
<87>Aug 21 16:53:20.571 2006 pluto[5458]: |
<87>Aug 21 16:53:20.572 2006 pluto[5458]: | *received whack message
<87>Aug 21 16:53:20.572 2006 pluto[5458]: | Added new connection host with policy PSK+ENCRYPT+TUNNEL
<87>Aug 21 16:53:20.573 2006 pluto[5458]: | from whack: got --esp=3des-sha1
<87>Aug 21 16:53:20.574 2006 pluto[5458]: | esp string values: 3_000-2, flags=strict
<87>Aug 21 16:53:20.574 2006 pluto[5458]: | from whack: got --ike=3des
<87>Aug 21 16:53:20.575 2006 pluto[5458]: | ike string values: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=strict
<87>Aug 21 16:53:20.576 2006 pluto[5458]: | counting wild cards for @xxxxxxx is 0
<87>Aug 21 16:53:20.576 2006 pluto[5458]: | counting wild cards for (none) is 15
<87>Aug 21 16:53:20.577 2006 pluto[5458]: | alg_info_addref() alg_info->ref_cnt=1
<87>Aug 21 16:53:20.583 2006 pluto[5458]: | alg_info_addref() alg_info->ref_cnt=2
<84>Aug 21 16:53:20.584 2006 pluto[5458]: added connection description "host"
<87>Aug 21 16:53:20.585 2006 pluto[5458]: | 192.168.1.234[@Pxxxxxxx]---192.168.1.2...xxx.xxx.xxx.xxx===10.0.0.0/8
<87>Aug 21 16:53:20.586 2006 pluto[5458]: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL
<87>Aug 21 16:53:20.586 2006 pluto[5458]: | next event EVENT_SHUNT_SCAN in 118 seconds
<87>Aug 21 16:53:20.807 2006 pluto[5458]: |
<87>Aug 21 16:53:20.808 2006 pluto[5458]: | *received whack message
<84>Aug 21 16:53:20.817 2006 pluto[5458]: listening for IKE messages
<87>Aug 21 16:53:20.818 2006 pluto[5458]: | found lo with address 127.0.0.1
<87>Aug 21 16:53:20.819 2006 pluto[5458]: | found ipsec0 with address 192.168.1.234
<87>Aug 21 16:53:20.819 2006 pluto[5458]: | found eth0 with address 192.168.4.1
<87>Aug 21 16:53:20.820 2006 pluto[5458]: | found eth1 with address 192.168.1.234
<84>Aug 21 16:53:20.821 2006 pluto[5458]: adding interface ipsec0/eth1 192.168.1.234:500
<84>Aug 21 16:53:20.821 2006 pluto[5458]: adding interface ipsec0/eth1 192.168.1.234:4500
<87>Aug 21 16:53:20.822 2006 pluto[5458]: | IP interface eth0 192.168.4.1 has no matching ipsec* interface -- ignored
<87>Aug 21 16:53:20.823 2006 pluto[5458]: | IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
<87>Aug 21 16:53:20.823 2006 pluto[5458]: | could not open /proc/net/if_inet6
<84>Aug 21 16:53:20.824 2006 pluto[5458]: loading secrets from "/etc/config/ipsec.secrets"
<87>Aug 21 16:53:20.825 2006 pluto[5458]: | next event EVENT_SHUNT_SCAN in 118 seconds
<87>Aug 21 16:53:21.058 2006 pluto[5458]: |
<87>Aug 21 16:53:21.059 2006 pluto[5458]: | *received whack message
<87>Aug 21 16:53:21.068 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:21.069 2006 pluto[5458]: | route owner of "host" unrouted: NULL; eroute owner: NULL
<87>Aug 21 16:53:21.070 2006 pluto[5458]: | could_route called for host (kind=CK_PERMANENT)
<87>Aug 21 16:53:21.070 2006 pluto[5458]: | route owner of "host" unrouted: NULL; eroute owner: NULL
<87>Aug 21 16:53:21.071 2006 pluto[5458]: | eroute_connection add eroute 192.168.1.234/32:0 --0-> 10.0.0.0/8:0 => %trap (raw_eroute)
<87>Aug 21 16:53:21.072 2006 pluto[5458]: | route_and_eroute: firewall_notified: true
<87>Aug 21 16:53:21.072 2006 pluto[5458]: | command executing prepare-host
<87>Aug 21 16:53:21.073 2006 pluto[5458]: | executing prepare-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host' PLUTO_CONNECTION='host' PLUTO_NEXT_HOP='192.168.1.2' PLUTO_INTERFACE='ipsec0' PLUTO_ME='192.168.1.234' PLUTO_MY_ID='@xxxxxxx' PLUTO_MY_CLIENT='192.168.1.234/32' PLUTO_MY_CLIENT_NET='192.168.1.234' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.xxx' PLUTO_PEER_ID='xxx.xxx.xxx.xxx' PLUTO_PEER_CLIENT='10.0.0.0/8' PLUTO_PEER_CLIENT_NET='10.0.0.0' PLUTO_PEER_CLIENT_MASK='255.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL' ipsec _updown
<87>Aug 21 16:53:21.229 2006 pluto[5458]: | command executing route-host
<87>Aug 21 16:53:21.230 2006 pluto[5458]: | executing route-host: 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='route-host' PLUTO_CONNECTION='host' PLUTO_NEXT_HOP='192.168.1.2' PLUTO_INTERFACE='ipsec0' PLUTO_ME='192.168.1.234' PLUTO_MY_ID='@xxxxxxx' PLUTO_MY_CLIENT='192.168.1.234/32' PLUTO_MY_CLIENT_NET='192.168.1.234' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='xxx.xxx.xxx.xxx' PLUTO_PEER_ID='xxx.xxx.xxx.xxx' PLUTO_PEER_CLIENT='10.0.0.0/8' PLUTO_PEER_CLIENT_NET='10.0.0.0' PLUTO_PEER_CLIENT_MASK='255.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL' ipsec _updown
<87>Aug 21 16:53:21.433 2006 pluto[5458]: | next event EVENT_SHUNT_SCAN in 117 seconds
<87>Aug 21 16:53:21.664 2006 pluto[5458]: |
<87>Aug 21 16:53:21.665 2006 pluto[5458]: | *received whack message
<87>Aug 21 16:53:21.673 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:21.673 2006 pluto[5458]: | kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
<87>Aug 21 16:53:21.674 2006 pluto[5458]: | kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
<87>Aug 21 16:53:21.675 2006 pluto[5458]: | returning new proposal from esp_info
<87>Aug 21 16:53:21.676 2006 pluto[5458]: | creating state object #1 at 0xc19c8
<87>Aug 21 16:53:21.676 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:21.677 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:21.678 2006 pluto[5458]: | RCOOKIE: 00 00 00 00 00 00 00 00
<87>Aug 21 16:53:21.678 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.679 2006 pluto[5458]: | state hash entry 17
<87>Aug 21 16:53:21.680 2006 pluto[5458]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
<87>Aug 21 16:53:21.685 2006 pluto[5458]: | Queuing pending Quick Mode with 208.250.50.193 "host"
<84>Aug 21 16:53:21.686 2006 pluto[5458]: "host" #1: initiating Main Mode
<87>Aug 21 16:53:21.687 2006 pluto[5458]: | sending 312 bytes for main_outI1 through eth1:500 to 208.250.50.193:500:
<87>Aug 21 16:53:21.687 2006 pluto[5458]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
<87>Aug 21 16:53:21.688 2006 pluto[5458]: | next event EVENT_RETRANSMIT in 10 seconds for #1
<27>Aug 21 16:53:21.691 2006 ipsec__plutorun: 104 "host" #1: STATE_MAIN_I1: initiate
<27>Aug 21 16:53:21.718 2006 ipsec__plutorun: ...could not start conn "host"
<87>Aug 21 16:53:21.767 2006 pluto[5458]: |
<87>Aug 21 16:53:21.768 2006 pluto[5458]: | *received 100 bytes from 208.250.50.193:500 on eth1 (port=500)
<87>Aug 21 16:53:21.769 2006 pluto[5458]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
<87>Aug 21 16:53:21.769 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:21.770 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12 9a 6e e3
<87>Aug 21 16:53:21.771 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.772 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:21.772 2006 pluto[5458]: | state object not found
<87>Aug 21 16:53:21.773 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:21.774 2006 pluto[5458]: | RCOOKIE: 00 00 00 00 00 00 00 00
<87>Aug 21 16:53:21.774 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.780 2006 pluto[5458]: | state hash entry 17
<87>Aug 21 16:53:21.781 2006 pluto[5458]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
<87>Aug 21 16:53:21.782 2006 pluto[5458]: | state object #1 found, in STATE_MAIN_I1
<87>Aug 21 16:53:21.782 2006 pluto[5458]: | processing connection host
<84>Aug 21 16:53:21.783 2006 pluto[5458]: "host" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
<87>Aug 21 16:53:21.784 2006 pluto[5458]: | started looking for secret for @xxxxxx->xxx.xxx.xxx.xxx of kind PPK_PSK
<87>Aug 21 16:53:21.784 2006 pluto[5458]: | actually looking for secret for @xxxxxxx->xxx.xxx.xxx.xxx of kind PPK_PSK
<87>Aug 21 16:53:21.785 2006 pluto[5458]: | 1: compared PSK xxx.xxx.xxx.xxx to @xxxxxx / xxx.xxx.xxx.xxx -> 2
<87>Aug 21 16:53:21.786 2006 pluto[5458]: | 2: compared PSK @xxxxxxx to @xxxxxxx / xxx.xxx.xxx.xxx -> 6
<87>Aug 21 16:53:21.786 2006 pluto[5458]: | best_match 0>6 best=0xc16b0 (line=1)
<87>Aug 21 16:53:21.787 2006 pluto[5458]: | concluding with best_match=6 best=0xc16b0 (lineno=1)
<84>Aug 21 16:53:21.791 2006 pluto[5458]: "host" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
<87>Aug 21 16:53:21.791 2006 pluto[5458]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
<87>Aug 21 16:53:21.792 2006 pluto[5458]: | asking helper 0 to do build_kenonce op on seq: 1
<87>Aug 21 16:53:21.793 2006 pluto[5458]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
<87>Aug 21 16:53:21.794 2006 pluto[5458]: | complete state transition with STF_SUSPEND
<87>Aug 21 16:53:21.794 2006 pluto[5458]: | next event EVENT_SHUNT_SCAN in 117 seconds
<87>Aug 21 16:53:21.796 2006 pluto[5461]: ! helper -1 doing build_kenonce op id: 1
<87>Aug 21 16:53:21.855 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:21.856 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:21.856 2006 pluto[5458]: | RCOOKIE: 00 00 00 00 00 00 00 00
<87>Aug 21 16:53:21.857 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.858 2006 pluto[5458]: | state hash entry 17
<87>Aug 21 16:53:21.858 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:21.859 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12 9a 6e e3
<87>Aug 21 16:53:21.860 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.861 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:21.861 2006 pluto[5458]: | complete state transition with STF_OK
<84>Aug 21 16:53:21.862 2006 pluto[5458]: "host" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
<87>Aug 21 16:53:21.866 2006 pluto[5458]: | sending reply packet to xxx.xxx.xxx.xxx:500 (from port=500)
<87>Aug 21 16:53:21.867 2006 pluto[5458]: | sending 228 bytes for STATE_MAIN_I1 through eth1:500 to xxx.xxx.xxx.xxx:500:
<87>Aug 21 16:53:21.867 2006 pluto[5458]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
<84>Aug 21 16:53:21.868 2006 pluto[5458]: "host" #1: STATE_MAIN_I2: sent MI2, expecting MR2
<87>Aug 21 16:53:21.869 2006 pluto[5458]: | modecfg pull: noquirk policy:push not-client
<87>Aug 21 16:53:21.869 2006 pluto[5458]: | phase 1 is done, looking for phase 1 to unpend
<87>Aug 21 16:53:21.870 2006 pluto[5458]: | next event EVENT_RETRANSMIT in 10 seconds for #1
<87>Aug 21 16:53:21.933 2006 pluto[5458]: |
<87>Aug 21 16:53:21.934 2006 pluto[5458]: | *received 304 bytes from xxx.xxx.xxx.xxx:500 on eth1 (port=500)
<87>Aug 21 16:53:21.934 2006 pluto[5458]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
<87>Aug 21 16:53:21.935 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:21.936 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12 9a 6e e3
<87>Aug 21 16:53:21.937 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.937 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:21.938 2006 pluto[5458]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
<87>Aug 21 16:53:21.939 2006 pluto[5458]: | state object #1 found, in STATE_MAIN_I2
<87>Aug 21 16:53:21.939 2006 pluto[5458]: | processing connection host
<84>Aug 21 16:53:21.940 2006 pluto[5458]: "host" #1: received Vendor ID payload [Cisco-Unity]
<84>Aug 21 16:53:21.946 2006 pluto[5458]: "host" #1: received Vendor ID payload [Dead Peer Detection]
<84>Aug 21 16:53:21.946 2006 pluto[5458]: "host" #1: ignoring unknown Vendor ID payload [0c447920129b6ee321fb0b4497074d62]
<84>Aug 21 16:53:21.947 2006 pluto[5458]: "host" #1: received Vendor ID payload [XAUTH]
<87>Aug 21 16:53:21.948 2006 pluto[5458]: | thinking about whether to send my certificate:
<87>Aug 21 16:53:21.948 2006 pluto[5458]: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
<87>Aug 21 16:53:21.949 2006 pluto[5458]: | sendcert: CERT_ALWAYSSEND and I did not get a certificate request
<87>Aug 21 16:53:21.950 2006 pluto[5458]: | so do not send cert.
<84>Aug 21 16:53:21.950 2006 pluto[5458]: "host" #1: I did not send a certificate because I do not have one.
<87>Aug 21 16:53:21.951 2006 pluto[5458]: | I am not sending a certificate request
<87>Aug 21 16:53:21.952 2006 pluto[5458]: | started looking for secret for @xxxxxxx->xxx.xxx.xxx.xxx of kind PPK_PSK
<87>Aug 21 16:53:21.953 2006 pluto[5458]: | actually looking for secret for @xxxxxxx->xxx.xxx.xxx.xxx of kind PPK_PSK
<87>Aug 21 16:53:22.002 2006 pluto[5458]: | 1: compared PSK xxx.xxx.xxx.xxx to @xxxxxxx / xxx.xxx.xxx.xxx -> 2
<87>Aug 21 16:53:22.003 2006 pluto[5458]: | 2: compared PSK @xxxxxxx to @xxxxxxx / xxx.xxx.xxx.xxx -> 6
<87>Aug 21 16:53:22.003 2006 pluto[5458]: | best_match 0>6 best=0xc16b0 (line=1)
<87>Aug 21 16:53:22.004 2006 pluto[5458]: | concluding with best_match=6 best=0xc16b0 (lineno=1)
<84>Aug 21 16:53:22.005 2006 pluto[5458]: "host" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
<87>Aug 21 16:53:22.006 2006 pluto[5458]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
<87>Aug 21 16:53:22.006 2006 pluto[5458]: | complete state transition with STF_OK
<84>Aug 21 16:53:22.007 2006 pluto[5458]: "host" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
<87>Aug 21 16:53:22.009 2006 pluto[5458]: | sending reply packet to xxx.xxx.xxx.xxx:500 (from port=500)
<87>Aug 21 16:53:22.011 2006 pluto[5458]: | sending 68 bytes for STATE_MAIN_I2 through eth1:4500 to xxx.xxx.xxx.xxx:4500:
<87>Aug 21 16:53:22.012 2006 pluto[5458]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
<84>Aug 21 16:53:22.014 2006 pluto[5458]: "host" #1: STATE_MAIN_I3: sent MI3, expecting MR3
<87>Aug 21 16:53:22.015 2006 pluto[5458]: | modecfg pull: noquirk policy:push not-client
<87>Aug 21 16:53:22.017 2006 pluto[5458]: | phase 1 is done, looking for phase 1 to unpend
<87>Aug 21 16:53:22.018 2006 pluto[5458]: | next event EVENT_RETRANSMIT in 10 seconds for #1
<87>Aug 21 16:53:22.076 2006 pluto[5458]: |
<87>Aug 21 16:53:22.078 2006 pluto[5458]: | *received 68 bytes from xxx.xxx.xxx.xxx:4500 on eth1 (port=4500)
<87>Aug 21 16:53:22.079 2006 pluto[5458]: | processing packet with exchange type=ISAKMP_XCHG_IDPROT (2)
<87>Aug 21 16:53:22.081 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:22.082 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12 9a 6e e3
<87>Aug 21 16:53:22.084 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:22.085 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:22.086 2006 pluto[5458]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000
<87>Aug 21 16:53:22.088 2006 pluto[5458]: | state object #1 found, in STATE_MAIN_I3
<87>Aug 21 16:53:22.089 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:22.091 2006 pluto[5458]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
<84>Aug 21 16:53:22.092 2006 pluto[5458]: "host" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
<87>Aug 21 16:53:22.094 2006 pluto[5458]: | complete state transition with STF_OK
<84>Aug 21 16:53:22.095 2006 pluto[5458]: "host" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
<87>Aug 21 16:53:22.097 2006 pluto[5458]: | inserting event EVENT_SA_REPLACE, timeout in 2601 seconds for #1
<84>Aug 21 16:53:22.099 2006 pluto[5458]: "host" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
<87>Aug 21 16:53:22.100 2006 pluto[5458]: | modecfg pull: noquirk policy:push not-client
<87>Aug 21 16:53:22.101 2006 pluto[5458]: | phase 1 is done, looking for phase 1 to unpend
<87>Aug 21 16:53:22.103 2006 pluto[5458]: | unqueuing pending Quick Mode with 208.250.50.193 "host"
<87>Aug 21 16:53:22.104 2006 pluto[5458]: | duplicating state object #1
<87>Aug 21 16:53:22.106 2006 pluto[5458]: | creating state object #2 at 0xc3698
<87>Aug 21 16:53:22.107 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:22.109 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:22.111 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12 9a 6e e3
<87>Aug 21 16:53:22.112 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:22.114 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:22.115 2006 pluto[5458]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
<84>Aug 21 16:53:22.117 2006 pluto[5458]: "host" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
<87>Aug 21 16:53:22.118 2006 pluto[5458]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
<87>Aug 21 16:53:22.120 2006 pluto[5458]: | asking helper 0 to do build_nonce op on seq: 2
<87>Aug 21 16:53:22.121 2006 pluto[5458]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
<87>Aug 21 16:53:22.123 2006 pluto[5458]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
<87>Aug 21 16:53:22.124 2006 pluto[5461]: ! helper -1 doing build_nonce op id: 2
<87>Aug 21 16:53:22.129 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:22.131 2006 pluto[5458]: | kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
<87>Aug 21 16:53:22.132 2006 pluto[5458]: | kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
<87>Aug 21 16:53:22.134 2006 pluto[5458]: | returning new proposal from esp_info
<87>Aug 21 16:53:22.136 2006 pluto[5458]: | generate SPI: e4 1c fe 60
<87>Aug 21 16:53:22.138 2006 pluto[5458]: | sending 148 bytes for quick_outI1 through eth1:4500 to 208.250.50.193:4500:
<87>Aug 21 16:53:22.140 2006 pluto[5458]: | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
<87>Aug 21 16:53:22.141 2006 pluto[5458]: | next event EVENT_RETRANSMIT in 10 seconds for #2
<87>Aug 21 16:53:22.192 2006 pluto[5458]: |
<87>Aug 21 16:53:22.194 2006 pluto[5458]: | *received 124 bytes from xxx.xxx.xxx.xxx:4500 on eth1 (port=4500)
<87>Aug 21 16:53:22.195 2006 pluto[5458]: | processing packet with exchange type=ISAKMP_XCHG_INFO (5)
<87>Aug 21 16:53:22.196 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30 4b 19 01
<87>Aug 21 16:53:22.198 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12 9a 6e e3
<87>Aug 21 16:53:22.199 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:22.201 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:22.202 2006 pluto[5458]: | peer and cookies match on #2, provided msgid 00000000 vs 810d28c6/00000000
<87>Aug 21 16:53:22.204 2006 pluto[5458]: | peer and cookies match on #1, provided msgid 00000000 vs 00000000/00000000
<87>Aug 21 16:53:22.205 2006 pluto[5458]: | p15 state object #1 found, in STATE_MAIN_I4
<87>Aug 21 16:53:22.206 2006 pluto[5458]: | processing connection host
<84>Aug 21 16:53:22.208 2006 pluto[5458]: "host" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
<87>Aug 21 16:53:22.210 2006 pluto[5458]: | processing informational NO_PROPOSAL_CHOSEN (14)
<84>Aug 21 16:53:22.211 2006 pluto[5458]: "host" #1: received and ignored informational message
<87>Aug 21 16:53:22.213 2006 pluto[5458]: | complete state transition with STF_IGNORE
<87>Aug 21 16:53: 22.214 2006 pluto[5458]: | next event EVENT_RETRANSMIT in 10 seconds for #2
--
Glenn Henshaw Logical Outcome Ltd.
e: ***@logicaloutcome.ca w: www.logicaloutcome.ca
Andy Gay
2006-08-22 16:22:56 UTC
Post by Glenn Henshaw
Having resolved some of the protocol incompatibilities, I can now
get the connection to progress past the key exchange. It stops before
bringing up the tunnel declaring "NO_PROPOSAL_CHOSEN". The Cisco end
thinks that the tunnel is up until the keep-alive expires.
What can cause the "NO_PROPOSAL_CHOSEN" message from the Cisco?
The two ends can't agree on phase 2 parameters. Everything has to match -
left/right subnets, encryption/authentication algorithms, PFS, probably
more...

I don't think you're showing us enough of the Cisco config. Shouldn't
there be a crypto map that references the dynamic map? That's how it
works on a PIX, maybe IOS is different.

I'm guessing you probably need an ACL in the Cisco which matches your
left/rightsubnets, that needs to be referenced in the crypto map
(something like "crypto map xx match address <acl>").

Debug logs from the Cisco will help. And your Openswan logs will be much
easier to read if you set plutodebug="none"...
<87>Aug 21 16:53:21.679 2006 pluto[5458]: | state hash entry 17
<87>Aug 21 16:53:21.680 2006 pluto[5458]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #1
<87>Aug 21 16:53:21.685 2006 pluto[5458]: | Queuing pending Quick
Mode with 208.250.50.193 "host"
<84>Aug 21 16:53:21.686 2006 pluto[5458]: "host" #1: initiating Main
Mode
<87>Aug 21 16:53:21.687 2006 pluto[5458]: | sending 312 bytes for
<87>Aug 21 16:53:21.687 2006 pluto[5458]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
<87>Aug 21 16:53:21.688 2006 pluto[5458]: | next event
EVENT_RETRANSMIT in 10 seconds for #1
STATE_MAIN_I1: initiate
<27>Aug 21 16:53:21.718 2006 ipsec__plutorun: ...could not start conn
"host"
<87>Aug 21 16:53:21.767 2006 pluto[5458]: |
<87>Aug 21 16:53:21.768 2006 pluto[5458]: | *received 100 bytes from
208.250.50.193:500 on eth1 (port=500)
<87>Aug 21 16:53:21.769 2006 pluto[5458]: | processing packet with
exchange type=ISAKMP_XCHG_IDPROT (2)
<87>Aug 21 16:53:21.769 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:21.770 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12
9a 6e e3
<87>Aug 21 16:53:21.771 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.772 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:21.772 2006 pluto[5458]: | state object not found
<87>Aug 21 16:53:21.773 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:21.774 2006 pluto[5458]: | RCOOKIE: 00 00 00 00 00
00 00 00
<87>Aug 21 16:53:21.774 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.780 2006 pluto[5458]: | state hash entry 17
<87>Aug 21 16:53:21.781 2006 pluto[5458]: | peer and cookies match on
#1, provided msgid 00000000 vs 00000000
<87>Aug 21 16:53:21.782 2006 pluto[5458]: | state object #1 found, in
STATE_MAIN_I1
<87>Aug 21 16:53:21.782 2006 pluto[5458]: | processing connection host
<84>Aug 21 16:53:21.783 2006 pluto[5458]: "host" #1: received Vendor
ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
<87>Aug 21 16:53:21.784 2006 pluto[5458]: | started looking for
<87>Aug 21 16:53:21.784 2006 pluto[5458]: | actually looking for
<87>Aug 21 16:53:21.785 2006 pluto[5458]: | 1: compared PSK
<87>Aug 21 16:53:21.786 2006 pluto[5458]: | best_match 0>6
best=0xc16b0 (line=1)
<87>Aug 21 16:53:21.787 2006 pluto[5458]: | concluding with
best_match=6 best=0xc16b0 (lineno=1)
<84>Aug 21 16:53:21.791 2006 pluto[5458]: "host" #1: enabling
possible NAT-traversal with method RFC 3947 (NAT-Traversal)
<87>Aug 21 16:53:21.791 2006 pluto[5458]: | 0: w->pcw_dead: 0 w-
pcw_work: 0 cnt: 1
<87>Aug 21 16:53:21.792 2006 pluto[5458]: | asking helper 0 to do
build_kenonce op on seq: 1
<87>Aug 21 16:53:21.793 2006 pluto[5458]: | inserting event
EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
<87>Aug 21 16:53:21.794 2006 pluto[5458]: | complete state transition
with STF_SUSPEND
<87>Aug 21 16:53:21.794 2006 pluto[5458]: | next event
EVENT_SHUNT_SCAN in 117 seconds
<87>Aug 21 16:53:21.796 2006 pluto[5461]: ! helper -1 doing
build_kenonce op id: 1
<87>Aug 21 16:53:21.855 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:21.856 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:21.856 2006 pluto[5458]: | RCOOKIE: 00 00 00 00 00
00 00 00
<87>Aug 21 16:53:21.857 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.858 2006 pluto[5458]: | state hash entry 17
<87>Aug 21 16:53:21.858 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:21.859 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12
9a 6e e3
<87>Aug 21 16:53:21.860 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.861 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:21.861 2006 pluto[5458]: | complete state transition
with STF_OK
<84>Aug 21 16:53:21.862 2006 pluto[5458]: "host" #1: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
<87>Aug 21 16:53:21.866 2006 pluto[5458]: | sending reply packet to
xxx.xxx.xxx.xxx:500 (from port=500)
<87>Aug 21 16:53:21.867 2006 pluto[5458]: | sending 228 bytes for
<87>Aug 21 16:53:21.867 2006 pluto[5458]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
sent MI2, expecting MR2
<87>Aug 21 16:53:21.869 2006 pluto[5458]: | modecfg pull: noquirk
policy:push not-client
<87>Aug 21 16:53:21.869 2006 pluto[5458]: | phase 1 is done, looking
for phase 1 to unpend
<87>Aug 21 16:53:21.870 2006 pluto[5458]: | next event
EVENT_RETRANSMIT in 10 seconds for #1
<87>Aug 21 16:53:21.933 2006 pluto[5458]: |
<87>Aug 21 16:53:21.934 2006 pluto[5458]: | *received 304 bytes from
xxx.xxx.xxx.xxx:500 on eth1 (port=500)
<87>Aug 21 16:53:21.934 2006 pluto[5458]: | processing packet with
exchange type=ISAKMP_XCHG_IDPROT (2)
<87>Aug 21 16:53:21.935 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:21.936 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12
9a 6e e3
<87>Aug 21 16:53:21.937 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:21.937 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:21.938 2006 pluto[5458]: | peer and cookies match on
#1, provided msgid 00000000 vs 00000000
<87>Aug 21 16:53:21.939 2006 pluto[5458]: | state object #1 found, in
STATE_MAIN_I2
<87>Aug 21 16:53:21.939 2006 pluto[5458]: | processing connection host
<84>Aug 21 16:53:21.940 2006 pluto[5458]: "host" #1: received Vendor
ID payload [Cisco-Unity]
<84>Aug 21 16:53:21.946 2006 pluto[5458]: "host" #1: received Vendor
ID payload [Dead Peer Detection]
<84>Aug 21 16:53:21.946 2006 pluto[5458]: "host" #1: ignoring unknown
Vendor ID payload [0c447920129b6ee321fb0b4497074d62]
<84>Aug 21 16:53:21.947 2006 pluto[5458]: "host" #1: received Vendor
ID payload [XAUTH]
<87>Aug 21 16:53:21.948 2006 pluto[5458]: | thinking about whether to
OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
CERT_ALWAYSSEND and I did not get a certificate request
<87>Aug 21 16:53:21.950 2006 pluto[5458]: | so do not send cert.
<84>Aug 21 16:53:21.950 2006 pluto[5458]: "host" #1: I did not send a
certificate because I do not have one.
<87>Aug 21 16:53:21.951 2006 pluto[5458]: | I am not sending a
certificate request
<87>Aug 21 16:53:21.952 2006 pluto[5458]: | started looking for
<87>Aug 21 16:53:21.953 2006 pluto[5458]: | actually looking for
<87>Aug 21 16:53:22.002 2006 pluto[5458]: | 1: compared PSK
<87>Aug 21 16:53:22.003 2006 pluto[5458]: | best_match 0>6
best=0xc16b0 (line=1)
<87>Aug 21 16:53:22.004 2006 pluto[5458]: | concluding with
best_match=6 best=0xc16b0 (lineno=1)
Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
<87>Aug 21 16:53:22.006 2006 pluto[5458]: | inserting event
EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
<87>Aug 21 16:53:22.006 2006 pluto[5458]: | complete state transition
with STF_OK
<84>Aug 21 16:53:22.007 2006 pluto[5458]: "host" #1: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
<87>Aug 21 16:53:22.009 2006 pluto[5458]: | sending reply packet to
xxx.xxx.xxx.xxx:500 (from port=500)
<87>Aug 21 16:53:22.011 2006 pluto[5458]: | sending 68 bytes for
<87>Aug 21 16:53:22.012 2006 pluto[5458]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #1
sent MI3, expecting MR3
<87>Aug 21 16:53:22.015 2006 pluto[5458]: | modecfg pull: noquirk
policy:push not-client
<87>Aug 21 16:53:22.017 2006 pluto[5458]: | phase 1 is done, looking
for phase 1 to unpend
<87>Aug 21 16:53:22.018 2006 pluto[5458]: | next event
EVENT_RETRANSMIT in 10 seconds for #1
<87>Aug 21 16:53:22.076 2006 pluto[5458]: |
<87>Aug 21 16:53:22.078 2006 pluto[5458]: | *received 68 bytes from
xxx.xxx.xxx.xxx:4500 on eth1 (port=4500)
<87>Aug 21 16:53:22.079 2006 pluto[5458]: | processing packet with
exchange type=ISAKMP_XCHG_IDPROT (2)
<87>Aug 21 16:53:22.081 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:22.082 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12
9a 6e e3
<87>Aug 21 16:53:22.084 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:22.085 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:22.086 2006 pluto[5458]: | peer and cookies match on
#1, provided msgid 00000000 vs 00000000
<87>Aug 21 16:53:22.088 2006 pluto[5458]: | state object #1 found, in
STATE_MAIN_I3
<87>Aug 21 16:53:22.089 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:22.091 2006 pluto[5458]: | protocol/port in Phase 1
ID Payload is 17/0. accepted with port_floating NAT-T
<84>Aug 21 16:53:22.092 2006 pluto[5458]: "host" #1: Main mode peer
ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
<87>Aug 21 16:53:22.094 2006 pluto[5458]: | complete state transition
with STF_OK
<84>Aug 21 16:53:22.095 2006 pluto[5458]: "host" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
<87>Aug 21 16:53:22.097 2006 pluto[5458]: | inserting event
EVENT_SA_REPLACE, timeout in 2601 seconds for #1
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
<87>Aug 21 16:53:22.100 2006 pluto[5458]: | modecfg pull: noquirk
policy:push not-client
<87>Aug 21 16:53:22.101 2006 pluto[5458]: | phase 1 is done, looking
for phase 1 to unpend
<87>Aug 21 16:53:22.103 2006 pluto[5458]: | unqueuing pending Quick
Mode with 208.250.50.193 "host"
<87>Aug 21 16:53:22.104 2006 pluto[5458]: | duplicating state object #1
<87>Aug 21 16:53:22.106 2006 pluto[5458]: | creating state object #2
at 0xc3698
<87>Aug 21 16:53:22.107 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:22.109 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:22.111 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12
9a 6e e3
<87>Aug 21 16:53:22.112 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:22.114 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:22.115 2006 pluto[5458]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #2
<84>Aug 21 16:53:22.117 2006 pluto[5458]: "host" #2: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
<87>Aug 21 16:53:22.118 2006 pluto[5458]: | 0: w->pcw_dead: 0 w-
pcw_work: 0 cnt: 1
<87>Aug 21 16:53:22.120 2006 pluto[5458]: | asking helper 0 to do
build_nonce op on seq: 2
<87>Aug 21 16:53:22.121 2006 pluto[5458]: | inserting event
EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
<87>Aug 21 16:53:22.123 2006 pluto[5458]: | next event
EVENT_NAT_T_KEEPALIVE in 20 seconds
<87>Aug 21 16:53:22.124 2006 pluto[5461]: ! helper -1 doing
build_nonce op id: 2
<87>Aug 21 16:53:22.129 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:22.131 2006 pluto[5458]: | kernel_alg_db_new() will
return p_new->protoid=3, p_new->trans_cnt=1
<87>Aug 21 16:53:22.132 2006 pluto[5458]: | kernel_alg_db_new() trans
[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
<87>Aug 21 16:53:22.134 2006 pluto[5458]: | returning new proposal
from esp_info
<87>Aug 21 16:53:22.136 2006 pluto[5458]: | generate SPI: e4 1c fe 60
<87>Aug 21 16:53:22.138 2006 pluto[5458]: | sending 148 bytes for
<87>Aug 21 16:53:22.140 2006 pluto[5458]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
<87>Aug 21 16:53:22.141 2006 pluto[5458]: | next event
EVENT_RETRANSMIT in 10 seconds for #2
<87>Aug 21 16:53:22.192 2006 pluto[5458]: |
<87>Aug 21 16:53:22.194 2006 pluto[5458]: | *received 124 bytes from
xxx.xxx.xxx.xxx:4500 on eth1 (port=4500)
<87>Aug 21 16:53:22.195 2006 pluto[5458]: | processing packet with
exchange type=ISAKMP_XCHG_INFO (5)
<87>Aug 21 16:53:22.196 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:22.198 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12
9a 6e e3
<87>Aug 21 16:53:22.199 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:22.201 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:22.202 2006 pluto[5458]: | peer and cookies match on
#2, provided msgid 00000000 vs 810d28c6/00000000
<87>Aug 21 16:53:22.204 2006 pluto[5458]: | peer and cookies match on
#1, provided msgid 00000000 vs 00000000/00000000
<87>Aug 21 16:53:22.205 2006 pluto[5458]: | p15 state object #1
found, in STATE_MAIN_I4
<87>Aug 21 16:53:22.206 2006 pluto[5458]: | processing connection host
<84>Aug 21 16:53:22.208 2006 pluto[5458]: "host" #1: ignoring
informational payload, type NO_PROPOSAL_CHOSEN
<87>Aug 21 16:53:22.210 2006 pluto[5458]: | processing informational
NO_PROPOSAL_CHOSEN (14)
<84>Aug 21 16:53:22.211 2006 pluto[5458]: "host" #1: received and
ignored informational message
<87>Aug 21 16:53:22.213 2006 pluto[5458]: | complete state transition
with STF_IGNORE
<87>Aug 21 16:53:22.214 2006 pluto[5458]: | next event
EVENT_RETRANSMIT in 10 seconds for #2
--
Glenn Henshaw Logical Outcome Ltd.
_______________________________________________
http://lists.openswan.org/mailman/listinfo/users
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Glenn Henshaw
2006-08-22 21:02:30 UTC
Post by Andy Gay
Post by Glenn Henshaw
Having resolved some of the protocol incompatibilities, I can now
get the connection to progress past the key exchange. It stops before
bringing up the tunnel declaring "NO_PROPOSAL_CHOSEN". The Cisco end
thinks that the tunnel is up until the keep-alive expires.
What can cause the "NO_PROPOSAL_CHOSEN" message from the Cisco?
The 2 ends can't agree on phase2 parameters. Everything has to match -
left/right subnets, encryption/authentication algorithms, PFS,
probably more...
I walked through this with the Cisco tech at the other end. There
aren't any explicit failure logs pointing to a mismatch. There were
some before the encryption was matched up.

The status on the Cisco does tentatively show the link as up for a
while.

cisco#sh cryp isa sa
dst src state conn-id slot status
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy QM_IDLE 231 0 ACTIVE
Post by Andy Gay
I don't think you're showing us enough of the cisco config. Shouldn't
there be a crypto map that references the dynamic map? That's how it
works on a PIX, maybe IOS is different.
I'm guessing you probably need an ACL in the cisco which matches your
left/rightsubnets, that needs to be referenced in the crypto map
(something like "crypto map xx match address <acl>").
This is a roadwarrior setup so the PSK is set up to match any host
like:

crypto keyring QP_Spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key shared_secret

The Cisco also allows access to 10.0.0.0/8 (but I can't find that
in the section of the config I have).
Post by Andy Gay
Debug logs from the cisco will help. And your openswan logs will be much
easier to read if you set plutodebug="none"....
I can't get these as it's a commercial provider managing someone
else's network. I can ask questions though.

... Glenn
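Andy's point above is that every Phase 2 parameter has to agree before the Cisco will answer Quick Mode with anything but NO_PROPOSAL_CHOSEN. As an added example (not code from this thread, from Openswan or from Cisco), the script below reads the conn block and the IOS transform-set/dynamic-map fragment as posted, normalizes the ESP cipher, integrity algorithm and PFS group on each side, and lists whatever differs; the "set pfs group2" and "esp-aes 256" variants are constructed to show a mismatch being reported, and the group chosen when pfs=yes is set without a pfsgroup= is an assumption noted in the code.

```python
"""Phase 2 (Quick Mode) parameter check for an Openswan <-> Cisco IOS tunnel.

Added example for this thread, not code from Openswan or Cisco.  Both sides
are read as plain text: the ipsec.conf conn block and the IOS transform-set /
crypto-map fragment.  Each is normalized to the three things the peers must
agree on before the IOS side answers Quick Mode with something other than
NO_PROPOSAL_CHOSEN: ESP cipher, ESP integrity algorithm and PFS group.
Traffic selectors (the IOS ACL) are not on the page and are not checked.
"""
import re

# Token -> canonical name, one table per vendor.
OPENSWAN_ENCR = {"3des": "3des", "aes": "aes128", "aes128": "aes128", "aes256": "aes256"}
OPENSWAN_AUTH = {"sha1": "sha1", "md5": "md5"}
CISCO_ENCR = {"esp-3des": "3des", "esp-des": "des"}
CISCO_AUTH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
CISCO_GROUP = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536"}


def _modp_group(algstr):
    """DH group from '3des-sha1;modp1024' or the thread's '3des-sha1-1024' form."""
    m = re.search(r"modp(\d+)", algstr) or re.search(r"-(\d{3,4})$", algstr)
    return f"modp{m.group(1)}" if m else None


def parse_openswan(conf):
    """Return {'encr', 'auth', 'pfs_group'} from an ipsec.conf conn block."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    esp = opts["esp"]
    parts = esp.partition(";")[0].split("-")
    result = {"encr": OPENSWAN_ENCR[parts[0]], "auth": OPENSWAN_AUTH[parts[1]]}
    if opts.get("pfs", "yes") == "no":          # pfs=no: no DH group in the proposal
        result["pfs_group"] = None
    else:
        # Assumption: with pfs=yes and no pfsgroup=, reuse the group named in
        # esp= or ike=, and fall back to modp1024 (the group used on this page).
        result["pfs_group"] = (opts.get("pfsgroup") or _modp_group(esp)
                               or _modp_group(opts.get("ike", "")) or "modp1024")
    return result


def parse_cisco(conf):
    """Return the same dict from an IOS fragment (transform-set + crypto/dynamic map)."""
    result = {"encr": None, "auth": None, "pfs_group": None}  # IOS: no PFS unless 'set pfs'
    for line in conf.splitlines():
        tok = line.strip().split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            algs = tok[4:]
            for i, t in enumerate(algs):
                if t == "esp-aes":                  # written 'esp-aes' or 'esp-aes 256'
                    bits = algs[i + 1] if i + 1 < len(algs) and algs[i + 1].isdigit() else "128"
                    result["encr"] = "aes" + bits
                elif t in CISCO_ENCR:
                    result["encr"] = CISCO_ENCR[t]
                elif t in CISCO_AUTH:
                    result["auth"] = CISCO_AUTH[t]
        elif tok[:2] == ["set", "pfs"] and len(tok) == 3:
            result["pfs_group"] = CISCO_GROUP.get(tok[2], tok[2])
    return result


def phase2_mismatches(openswan_conf, cisco_conf):
    """List every Phase 2 parameter that differs; an empty list means they agree."""
    a, b = parse_openswan(openswan_conf), parse_cisco(cisco_conf)
    labels = (("encr", "ESP cipher"), ("auth", "ESP integrity"), ("pfs_group", "PFS group"))
    return [f"{label}: openswan={a[k]} cisco={b[k]}" for k, label in labels if a[k] != b[k]]


# The conn block and IOS fragment as posted in the thread.
PAGE_OPENSWAN = """\
conn host
    esp=3des-sha1-1024
    ike=3des-sha1-1024
    pfs=no
    keyexchange=ike
    type=tunnel
    right=xxx.xxx.xxx.xxx
    rightsubnet=10.0.0.0/8
    authby=secret
"""
PAGE_CISCO = """\
crypto ipsec transform-set QP_Set esp-3des esp-sha-hmac
crypto dynamic-map xxxxxxxxxxx 40
 set transform-set QP_Set
 set isakmp-profile L2L
"""
# Constructed variant: the IOS side additionally requires PFS with DH group 2.
CISCO_WITH_PFS = PAGE_CISCO + " set pfs group2\n"

if __name__ == "__main__":
    print("as posted :", phase2_mismatches(PAGE_OPENSWAN, PAGE_CISCO) or "no Phase 2 mismatch")
    print("pfs group2:", phase2_mismatches(PAGE_OPENSWAN, CISCO_WITH_PFS))
```

An empty result only means the algorithms and PFS setting agree; the selectors the IOS crypto map matches against (Andy's ACL question) still have to be checked by hand.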
with STF_OK
<84>Aug 21 16:53:22.095 2006 pluto[5458]: "host" #1: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
<87>Aug 21 16:53:22.097 2006 pluto[5458]: | inserting event
EVENT_SA_REPLACE, timeout in 2601 seconds for #1
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
<87>Aug 21 16:53:22.100 2006 pluto[5458]: | modecfg pull: noquirk
policy:push not-client
<87>Aug 21 16:53:22.101 2006 pluto[5458]: | phase 1 is done, looking
for phase 1 to unpend
<87>Aug 21 16:53:22.103 2006 pluto[5458]: | unqueuing pending Quick
Mode with 208.250.50.193 "host"
<87>Aug 21 16:53:22.104 2006 pluto[5458]: | duplicating state
object #1
<87>Aug 21 16:53:22.106 2006 pluto[5458]: | creating state object #2
at 0xc3698
<87>Aug 21 16:53:22.107 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:22.109 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:22.111 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12
9a 6e e3
<87>Aug 21 16:53:22.112 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:22.114 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:22.115 2006 pluto[5458]: | inserting event
EVENT_SO_DISCARD, timeout in 0 seconds for #2
<84>Aug 21 16:53:22.117 2006 pluto[5458]: "host" #2: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
<87>Aug 21 16:53:22.118 2006 pluto[5458]: | 0: w->pcw_dead: 0 w-
pcw_work: 0 cnt: 1
<87>Aug 21 16:53:22.120 2006 pluto[5458]: | asking helper 0 to do
build_nonce op on seq: 2
<87>Aug 21 16:53:22.121 2006 pluto[5458]: | inserting event
EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
<87>Aug 21 16:53:22.123 2006 pluto[5458]: | next event
EVENT_NAT_T_KEEPALIVE in 20 seconds
<87>Aug 21 16:53:22.124 2006 pluto[5461]: ! helper -1 doing
build_nonce op id: 2
<87>Aug 21 16:53:22.129 2006 pluto[5458]: | processing connection host
<87>Aug 21 16:53:22.131 2006 pluto[5458]: | kernel_alg_db_new() will
return p_new->protoid=3, p_new->trans_cnt=1
<87>Aug 21 16:53:22.132 2006 pluto[5458]: | kernel_alg_db_new() trans
[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
<87>Aug 21 16:53:22.134 2006 pluto[5458]: | returning new proposal
from esp_info
<87>Aug 21 16:53:22.136 2006 pluto[5458]: | generate SPI: e4 1c fe 60
<87>Aug 21 16:53:22.138 2006 pluto[5458]: | sending 148 bytes for
<87>Aug 21 16:53:22.140 2006 pluto[5458]: | inserting event
EVENT_RETRANSMIT, timeout in 10 seconds for #2
<87>Aug 21 16:53:22.141 2006 pluto[5458]: | next event
EVENT_RETRANSMIT in 10 seconds for #2
<87>Aug 21 16:53:22.192 2006 pluto[5458]: |
<87>Aug 21 16:53:22.194 2006 pluto[5458]: | *received 124 bytes from
xxx.xxx.xxx.xxx:4500 on eth1 (port=4500)
<87>Aug 21 16:53:22.195 2006 pluto[5458]: | processing packet with
exchange type=ISAKMP_XCHG_INFO (5)
<87>Aug 21 16:53:22.196 2006 pluto[5458]: | ICOOKIE: ea 05 fa e0 30
4b 19 01
<87>Aug 21 16:53:22.198 2006 pluto[5458]: | RCOOKIE: f9 83 de 3d 12
9a 6e e3
<87>Aug 21 16:53:22.199 2006 pluto[5458]: | peer: d0 fa 32 c1
<87>Aug 21 16:53:22.201 2006 pluto[5458]: | state hash entry 31
<87>Aug 21 16:53:22.202 2006 pluto[5458]: | peer and cookies match on
#2, provided msgid 00000000 vs 810d28c6/00000000
<87>Aug 21 16:53:22.204 2006 pluto[5458]: | peer and cookies match on
#1, provided msgid 00000000 vs 00000000/00000000
<87>Aug 21 16:53:22.205 2006 pluto[5458]: | p15 state object #1
found, in STATE_MAIN_I4
<87>Aug 21 16:53:22.206 2006 pluto[5458]: | processing connection host
<84>Aug 21 16:53:22.208 2006 pluto[5458]: "host" #1: ignoring
informational payload, type NO_PROPOSAL_CHOSEN
<87>Aug 21 16:53:22.210 2006 pluto[5458]: | processing informational
NO_PROPOSAL_CHOSEN (14)
<84>Aug 21 16:53:22.211 2006 pluto[5458]: "host" #1: received and
ignored informational message
<87>Aug 21 16:53:22.213 2006 pluto[5458]: | complete state transition
with STF_IGNORE
<87>Aug 21 16:53:22.214 2006 pluto[5458]: | next event
EVENT_RETRANSMIT in 10 seconds for #2
--
Glenn Henshaw Logical Outcome Ltd.
Andy Gay
2006-08-22 22:52:10 UTC
Permalink
Post by Glenn Henshaw
Post by Andy Gay
Post by Glenn Henshaw
Having resolved some of the protocol incompatibilities, I can now
get the connection to progress past the key exchange. It stops before
bringing up the tunnel declaring "NO_PROPOSAL_CHOSEN". The Cisco end
thinks that the tunnel is up until the keep-alive expires.
What can cause the "NO_PROPOSAL_CHOSEN" message from the Cisco?
The 2 ends can't agree on phase2 parameters. Everything has to match -
left/right subnets, encryption/authentication algorithms, PFS, probably
more...
I walked through this with the Cisco tech at the other end. There
aren't any explicit failure logs pointing to a mismatch. There were
some before the encryption was matched up.
The status on the Cisco does tentatively show the link as up for a
while.
cisco#sh cryp isa sa
dst              src              state    conn-id  slot  status
xxx.xxx.xxx.xxx  yyy.yyy.yyy.yyy  QM_IDLE  231      0     ACTIVE
That's the phase 1 SA. We know that's OK, you get ISAKMP SA established
in your logs.

You won't get any output from a 'show crypto ipsec sa', though.
Post by Glenn Henshaw
Post by Andy Gay
I don't think you're showing us enough of the cisco config. Shouldn't
there be a crypto map that references the dynamic map? That's how it
works on a PIX, maybe IOS is different.
I'm guessing you probably need an ACL in the cisco which matches your
left/rightsubnets, that needs to be referenced in the crypto map
(something like "crypto map xx match address <acl>").
This is a roadwarrior setup so the PSK is set up to match any host
crypto keyring QP_Spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key shared_secret
That's phase 1 stuff again. We know that's OK.

Again, you need a crypto map that references the dynamic map. Those maps
are combined to determine the phase 2 parameters, which have to match
your config. I know how to do that for a PIX; John Serink sent you a
sample IOS config that shows much the same stuff - note the entry:

crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap

But his config seems to be missing a 'match address' entry in the
dynamic map, which is where the left/right subnets would be determined
if it was a PIX. John - how does your config cover that?
Post by Glenn Henshaw
The Cisco also allows access to 10.0.0.0/8 (but I can't find that
in the section of the config I have).
Post by Andy Gay
Debug logs from the cisco will help. And your openswan logs will be much
easier to read if you set plutodebug="none"....
I can't get these as it's a commercial provider managing someone
else's network. I can ask questions though.
... Glenn
Christian Brechbühler
2006-11-14 16:54:30 UTC
Permalink
Post by Andy Gay
Post by Glenn Henshaw
What can cause the "NO_PROPOSAL_CHOSEN" message from the Cisco?
The 2 ends can't agree on phase2 parameters. Everything has to match -
left/right subnets, encryption/authentication algorithms, PFS, probably
more...
Similar problem here: trying to connect to a Cisco (no idea what model), we
get to this:
Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type
NO_PROPOSAL_CHOSEN

The owner of the Cisco thing tells us that cisco doesn't like quick mode, and
that we have to disable quick mode in openswan.

Does this sound right? And if yes, how would I do it?

Thank you!
/Christian
Paul Wouters
2006-11-14 17:13:52 UTC
Permalink
Post by Christian Brechbühler
Similar problem here: trying to connect to a Cisco (no idea what model), we
Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
The owner of the Cisco thing tells us that cisco doesn't like quick mode, and
that we have to disable quick mode in openswan.
Does this sound right? And if yes, how would I do it?
No, that sounds like someone does not know what they are talking about.
Ask the cisco person for the following:

Mode (main or aggressive)
PFS (yes or no)
Phase 1 (3des/aes md5/sha1)
Phase 2 (3des/aes md5/sha1)
modp (aka DiffieHellman) group
src/dst (aka left/right) type and value of ID's (IP, string, X.509 DN)
subnets for src/dst (aka left/right)

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Andy Gay
2006-11-14 17:17:14 UTC
Permalink
Post by Glenn Henshaw
Post by Glenn Henshaw
What can cause the "NO_PROPOSAL_CHOSEN" message from the
Cisco?
The 2 ends can't agree on phase2 parameters. Everything has to match -
left/right subnets, encryption/authentication algorithms, PFS, probably
more...
Similar problem here: trying to connect to a Cisco (no idea what
Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode PSK+ENCRYPT
+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
The owner of the Cisco thing tells us that cisco doesn't like quick
mode, and that we have to disable quick mode in openswan.
Huh?
Post by Glenn Henshaw
Does this sound right?
No. Quick mode is also called phase 2, it's where the IPsec SA gets set
up.

As with the previous poster, you evidently have a mismatch with your
phase 2 parameters. Check that everything matches.
Post by Glenn Henshaw
And if yes, how would I do it?
Thank you!
/Christian
John Serink
2006-08-23 17:39:09 UTC
Permalink
Post by Andy Gay
Post by Glenn Henshaw
Post by Andy Gay
Post by Glenn Henshaw
Having resolved some of the protocol incompatibilities, I can now
get the connection to progress past the key exchange. It stops before
bringing up the tunnel declaring "NO_PROPOSAL_CHOSEN". The Cisco end
thinks that the tunnel is up until the keep-alive expires.
What can cause the "NO_PROPOSAL_CHOSEN" message from the Cisco?
The 2 ends can't agree on phase2 parameters. Everything has to match -
left/right subnets, encryption/authentication algorithms, PFS,
probably
more...
I walked through this with the Cisco tech at the other end. There
aren't any explicit failure logs pointing to a mismatch. There were
some before the encryption was matched up.
The status on the Cisco does tentatively show the link as up for a
while.
cisco#sh cryp isa sa
dst src state conn-id slot status
xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy QM_IDLE 231 0 ACTIVE
That's the phase 1 SA. We know that's OK, you get ISAKMP SA established
in your logs.
You won't get any output from a 'show crypto ipsec sa', though.
Post by Glenn Henshaw
Post by Andy Gay
I don't think you're showing us enough of the cisco config. Shouldn't
there be a crypto map that references the dynamic map? That's how it
works on a PIX, maybe IOS is different.
I'm guessing you probably need an ACL in the cisco which matches your
left/rightsubnets, that needs to be referenced in the crypto map
(something like "crypto map xx match address <acl>").
This is a roadwarrior setup so the PSK is set up to match any host
crypto keyring QP_Spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key shared_secret
That's phase 1 stuff again. We know that's OK.
Again, you need a crypto map that references the dynamic map. Those maps
are combined to determine the phase 2 parameters, which have to match
your config. I know how to do that for a PIX, John Serink sent you a
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
But his config seems to be missing a 'match address' entry in the
dynamic map, which is where the left/right subnets would be determined
if it was a PIX. John - how does your config cover that?
Ok, now follow me here because I'm not entirely sure WHY this worked...
When using a single road warrior connection, I had the 'match address' ACL in
there but I couldn't figure out how to do that with multiple road warriors,
each one with its own subnet behind it....so I just dumped the 'match address'
entry and much to my amazement, it all just worked WITHOUT the 'match address'
command. The Cisco got all the correct subnet info and encrypted all the
correct packets perfectly! Why? Not sure, according to all of the Cisco
examples I have, this should not have worked, but having said that, Cisco
documentation always assumes Cisco to Cisco connections. My guess as to why
this worked is that Openswan provides the subnet information to Cisco and this
is what made it go. It was essential however to have the ACL to tell the Cisco
which addresses not to NAT out the default route. And you absolutely MUST sort
out all of the masq issues at the other side.

Troubleshooting this is a matter of doing this:
1. Cisco side: debug crypto isakmp, and on the Linux side tail -f
/var/log/auth.log and make sure the tunnels come up in both directions.
2. Once you have 1, turn off the crypto debug on the cisco and debug ip icmp,
and on the Linux side tcpdump -i "your internet-facing interface" and do a tail
-f /var/log/syslog. What you're looking for here is what is happening when
you ping from the linux box to the cisco. You "should" see the ping leave the
linux box as an ESP packet, arrive at the cisco and see the response from the
debug ip icmp. Now, you should see the ESP packet come back to the linux box on
the tcpdump output. If you get this far, your Cisco config is mostly fine, the
problem is on the Linux side. If your pings aren't getting through, you likely have
one or a combination of the following 2 issues:
A. Your Cisco is NATing the outgoing ESP,
B. Your firewall rules on the Linux box are dropping the ESP packets or the
decrypted ICMP.
Once you've got that all sorted, you should be up and away.

Since you're using the KLIPS stack, you can also do a tcpdump -i ipsecX to
check what gets through.
Post by Andy Gay
Post by Glenn Henshaw
The Cisco also allows access to 10.0.0.0/8 (but I can't find that
in the section of the config I have).
Post by Andy Gay
Debug logs from the cisco will help. And your openswan logs will be much
easier to read if you set plutodebug="none"....
I can't get these as it's a commercial provider managing someone
else's network. I can ask questions though.
... Glenn
Peter McGill
2006-11-14 17:36:05 UTC
Permalink
Post by Christian Brechbühler
Similar problem here: trying to connect to a Cisco (no idea what model), we
Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
The owner of the Cisco thing tells us that cisco doesn't like quick mode, and
that we have to disable quick mode in openswan.
I believe your Cisco owner is mistaken; as far as I know, all IPSec uses
Quick Mode, although Cisco might not refer to it by that name.
You obviously have your authentication (phase 1/main mode) configuration
alright, now you need to match your encryption/tunnel/ipsec/phase 2/quick mode
configurations.
If you have an ike= line in your openswan conf, try adding a similar esp= line.
For example,
if ike=3des-sha1-modp1024
set esp=3des-sha1
The real problem is the "NO_PROPOSAL_CHOSEN" which means you're
not agreeing on what encryption method to use.
What does your ISAKMP SA established log line say?
Use the same encryption method in your esp line.

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
Christian Brechbühler
2006-11-14 18:53:49 UTC
Permalink
I really appreciate all your help.
Post by Christian Brechbühler
Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
Post by Christian Brechbühler
Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
Post by Christian Brechbühler
The owner of the Cisco thing tells us that cisco doesn't like quick mode, and
that we have to disable quick mode in openswan.
Does this sound right? And if yes, how would I do it?
Mode (main or aggressive)
PFS (yes or no)
Phase 1 (3des/aes md5/sha1)
Phase 2 (3des/aes md5/sha1)
modp (aka DiffieHellman) group
src/dst (aka left/right) type and value of ID's (IP, string, X.509 DN)
subnets for src/dst (aka left/right)
Re Mode: We're using main mode, and get through all 4 states, up to
Post by Christian Brechbühler
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
And then to I1.
I'd assume the main mode is right -- could it still be "aggressive" instead?

Still trying to get the other params...
Post by Christian Brechbühler
Post by Christian Brechbühler
Does this sound right?
No. Quick mode is also called phase 2, it's where the IPsec SA gets set
up.
That's what I suspected.

As with the previous poster, you evidently have a mismatch with your
Post by Christian Brechbühler
phase 2 parameters. Check that everything matches.
OK.
Post by Christian Brechbühler
You obviously have your authentication (phase 1/main mode) configuration
alright, now you need to match your encryption/tunnel/ipsec/phase 2/quick mode
configurations.
If you have an ike= line in your openswan conf, try adding a similar esp= line.
For example,
if ike=3des-sha1-modp1024
set esp=3des-sha1
The real problem is the "NO_PROPOSAL_CHOSEN" which means you're
not agreeing on what encryption method to use.
What does your ISAKMP SA established log line say?
Peter McGill
2006-11-14 19:16:13 UTC
Permalink
Post by Paul Wouters
Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
The owner of the Cisco thing tells us that cisco doesn't like quick mode, and
that we have to disable quick mode in openswan.
Does this sound right? And if yes, how would I do it?
Mode (main or aggressive)
PFS (yes or no)
Phase 1 (3des/aes md5/sha1)
Phase 2 (3des/aes md5/sha1)
modp (aka DiffieHellman) group
src/dst (aka left/right) type and value of ID's (IP, string, X.509 DN)
subnets for src/dst (aka left/right)
Re Mode: We're using main mode, and get through all 4 states, up to
STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
And then to I1.
I'd assume the main mode is right -- could it still be "aggressive" instead?
Main mode connects so it is probably correct, I'd stay away from aggressive mode.
Post by Paul Wouters
Still trying to get the other params...
What does your ISAKMP SA established log line say?
Use the same encryption method in your esp line.
Christian Brechbühler
2006-11-15 15:26:45 UTC
Permalink
Post by Peter McGill
Main mode connects so it is probably correct, I'd stay away from aggressive mode.
OK.
Post by Peter McGill
There's no ike line (I don't think openswan 2.4.4 supports it). I tried
adding esp=3des-sha1, but with no luck (still stalls at
STATE_QUICK_I1). What should it be?
It supports it, but it's usually unnecessary; without it openswan just
accepts/tries anything.
Sometimes though other vendors only listen to the first suggestion, so the
ike and esp settings become important.
ike=3des-sha1-modp1024
You'd expect phase 2 to use the same, like this:
esp=3des-sha1
But that obviously isn't working if you tried it, so the cisco must have
different options for the different phases;
that's highly irregular, his/her setup might be incorrect or they might
not know what they're doing.
Either way, you still need to agree on a phase 2 connect method as
suggested by Paul and Andy as well.
That esp seems right after all. To summarize what I wrote to Frank Mayer,

They instructed us to set it up as follows,
left=Our_public_IP
leftsubnet=192.168.232.0/24
leftnexthop=%defaultroute
right=Their_public_IP
rightsubnet=10.14.8.0/29
rightnexthop=%defaultroute

On a hunch I changed leftsubnet to 192.168.232.10/32 -- and BINGO! IPsec SA
established. So Openswan seems happy, although no packets go through. I
suspect now it's a routing/firewalling issue.

I'm particularly confused about the meaning and use of the nexthop
parameters.

/Christian
Paul Wouters
2006-11-15 16:39:42 UTC
Permalink
Post by Christian Brechbühler
That esp seems right after all. To summarize what I wrote to Frank Mayer,
They instructed us to set it up as follows,
left=Our_public_IP
leftsubnet=192.168.232.0/24
leftnexthop=%defaultroute
right=Their_public_IP
rightsubnet=10.14.8.0/29
rightnexthop=%defaultroute
On a hunch I changed leftsubnet to 192.168.232.10/32 -- and BINGO! IPsec SA
established. So Openswan seems happy, although no packets go through. I
suspect now it's a routing/firewalling issue.
Or a policy mismatch on the cisco end where they now drop the packets.

Paul
Peter McGill
2006-11-15 17:29:50 UTC
Permalink
On a hunch I changed leftsubnet to 192.168.232.10/32 -- and BINGO! IPsec SA established. So Openswan seems happy, although
no packets go through. I suspect now it's a routing/firewalling issue.
With leftsubnet 192.168.232.10/32, only that ip address on your end will be able to use the vpn tunnel.
If you want your whole subnet to be able to use it, you must change leftsubnet to 192.168.232.0/24 and have the cisco admin change
your subnet on his end as well.

Peter
Christian Brechbühler
2006-11-24 20:45:53 UTC
Permalink
Post by F***@knapp-systems.com
Post by Christian Brechbühler
On a hunch I changed leftsubnet to 192.168.232.10/32 -- and BINGO! IPsec
SA established. So Openswan seems happy, although
Post by Christian Brechbühler
no packets go through. I suspect now it's a routing/firewalling issue.
Not sure what happened there, because now we changed it back to
192.168.232.0/24, and it still works.

With leftsubnet 192.168.232.10/32, only that ip address on your end will be
Post by F***@knapp-systems.com
able to use the vpn tunnel.
If you want your whole subnet to be able to use it, you must change
leftsubnet to 192.168.232.0/24 and have the cisco admin change
your subnet on his end as well.
Well our subnet is 10.0.0.0/24, so that doesn't match anyway. The Cisco
side instructed us to source-network-address-translate all packets destined
to them, which we do with this rule:

-A POSTROUTING -d 10.14.8.0/255.255.255.0 -o eth1 -j SNAT --to-source
192.168.232.10

===============================

Anyway, the problem persists that we cannot get any traffic through the
tunnel. When I tracepath from the VPN gateway to the "NYC" machine, packets
seem to go out to the public internet, not through the tunnel.

For comparison, I'm running an unrelated ipsec tunnel from an outside box
"lithium" running openswan 2.4.4 to our gateway (mentioned above), which
also runs openswan 2.4.4. When I ping or traceroute or ssh from "lithium",
all is fine. In other words, the response packets find their way back to
lithium. But when the VPN gateway initiates any activity, the packets seem
to get lost. Tcpdump doesn't show anything.

BTW, VPN gateway runs 2.6.11-gentoo-r5 (lithium has 2.6.9-1.11_FC2).

Any help to getting packets that start a connection find their way into the
appropriate tunnel would be greatly appreciated. Or suggestions for
tcpdump-ing outgoing packets.

What other info would you need? Output of route? iptables? ipsec.conf?

Thanks
/Christian
Paul Wouters
2006-11-24 22:24:29 UTC
Permalink
Post by Christian Brechbühler
Well our subnet is 10.0.0.0/24, so that doesn't match anyway. The Cisco
side instructed us to source-network-address-translate all packets destined
-A POSTROUTING -d 10.14.8.0/255.255.255.0 -o eth1 -j SNAT --to-source
192.168.232.10
Be careful to NAT before IPsec encapsulation. With KLIPS that is easy, you
just specify NAT on the ipsec interfaces. With NETKEY it requires 2.6.17+
or so, I am not entirely sure what is currently the proper way of doing
it..

Paul
f***@knapp.com
2006-11-14 18:56:48 UTC
Permalink
Hello,

the suggestion below to use the same encryption/authentication settings
for esp as for isakmp can be helpful but is anything but guaranteed to
work.
Do ask the Cisco-admin for the "transform-set" to be used, since this
describes the settings you should enter at "esp=".

Cisco IOS does (at least on routers, I don't know about PIX and the like)
define different "transform sets" to be used for the different peers.
The admin should give you the transform-set definition that he/she's
defined to be used for your tunnel.
Example:
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
would define to use triple des for encryption, sha-1 for authentication,
and no compression.
Also be aware of the fact that Cisco IOS (again: on routers) can define a
different DH-group for pfs than for ISAKMP, and also does define by
default esp keylife in both seconds and kilobytes (rather large value)!
I did not yet find a way to not "undefine" that lifetime in kilobytes, as
I on the other hand did not yet find a way to define both lifetimes in
OpenS/Wan - maybe I did not read the whole of the documentation?

If need be, you can mail me for translation between Cisco-IOS- and
OpenS/Wan settings: I do administer both variants.

Best Regards,

Frank Mayer
UNIX Systems Administration / Network Administration
KNAPP Systemintegration GmbH
Post by Peter McGill
Post by Christian Brechbühler
Similar problem here: trying to connect to a Cisco (no idea what
model), we
Post by Peter McGill
Post by Christian Brechbühler
Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type
NO_PROPOSAL_CHOSEN
The owner of the Cisco thing tells us that cisco doesn't like
quickmode, and
Post by Peter McGill
Post by Christian Brechbühler
that we have to disable quick mode in openswan.
I believe your Cisco owner is mistaken; as far as I know, all IPSec uses
Quick Mode, although Cisco might not refer to it by that name.
You obviously have your authentication (phase 1/main mode) configuration
alright, now you need to match your encryption/tunnel/ipsec/phase
2/quick mode
configurations.
If you have an ike= line in your openswan conf, try adding a similar esp=
line.
Post by Peter McGill
For example,
if ike=3des-sha1-modp1024
set esp=3des-sha1
The real problem is the "NO_PROPOSAL_CHOSEN" which means you're
not agreeing on what encryption method to use.
What does your ISAKMP SA established log line say?
Use the same encryption method in your esp line.
Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
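Peter's advice to copy the cipher and hash from the "ISAKMP SA established" line into esp=, Frank's point that the Cisco transform-set is what esp= has to match, and Paul's checklist earlier in the thread all boil down to one parameter comparison. The following Python is an added example of that comparison, not Openswan or Cisco code; the keyword tables, the IOS defaults it assumes for absent policy lines (encr des, hash sha, group 1) and the subnet values are my assumptions, and it maps only the algorithms named in the thread.

```python
"""Map Cisco IOS phase 1/phase 2 settings and pluto's "ISAKMP SA established"
line onto Openswan ike=/esp= values and compare the two ends' phase 2 parameters.
Added example for this thread, not Openswan or Cisco code."""
import ipaddress
import re

# Cisco IOS keyword -> Openswan name.  Assumption: only the algorithms the
# thread names (des/3des/aes, md5/sha1, DH groups 1/2/5) are mapped.
ISAKMP_ENCR = {"des": "des", "3des": "3des", "aes": "aes128", "aes 256": "aes256"}
ISAKMP_HASH = {"md5": "md5", "sha": "sha1"}
DH_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536"}
ESP_ENCR = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128"}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}


def isakmp_policy_to_ike(policy_lines):
    """ike= from the body of a 'crypto isakmp policy N' block.  Assumed IOS
    defaults (encr des, hash sha, group 1) fill in absent lines."""
    encr, hash_, group = "des", "sha", "1"
    for line in policy_lines:
        parts = line.split()
        if parts and parts[0] in ("encr", "encryption"):
            encr = " ".join(parts[1:])
        elif parts and parts[0] == "hash":
            hash_ = parts[1]
        elif parts and parts[0] == "group":
            group = parts[1]
    return f"{ISAKMP_ENCR[encr]}-{ISAKMP_HASH[hash_]}-{DH_GROUP[group]}"


def transform_set_to_esp(line):
    """'crypto ipsec transform-set NAME esp-3des esp-sha-hmac' -> '3des-sha1'."""
    m = re.match(r"crypto ipsec transform-set\s+\S+\s+(.+)", line.strip())
    if not m:
        raise ValueError(f"not a transform-set line: {line!r}")
    tokens, encr, auth, i = m.group(1).split(), None, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            encr, i = "aes" + tokens[i + 1], i + 2      # 'esp-aes 256'
            continue
        if tok in ESP_ENCR:
            encr = ESP_ENCR[tok]
        elif tok in ESP_AUTH:
            auth = ESP_AUTH[tok]
        elif tok != "comp-lzs":                         # compression has no esp= form
            raise ValueError(f"unmapped transform {tok!r}")
        i += 1
    if encr is None or auth is None:
        raise ValueError("transform-set needs an encryption and an auth transform")
    return f"{encr}-{auth}"


def parse_isakmp_sa_line(logline):
    """ike=/esp= from pluto's 'ISAKMP SA established {...}' line: phase 2
    reuses the phase 1 cipher and hash, without the DH group."""
    m = re.search(r"cipher=oakley_(\w+?)_cbc_(\d+)\s+prf=oakley_(\w+)\s+group=(\w+)", logline)
    if not m:
        raise ValueError("no ISAKMP SA parameters found")
    cipher, bits, prf, group = m.groups()
    encr = "3des" if cipher == "3des" else f"{cipher}{bits}"
    hash_ = "sha1" if prf == "sha" else prf
    return {"ike": f"{encr}-{hash_}-{group}", "esp": f"{encr}-{hash_}"}


def phase2_mismatches(openswan, cisco):
    """List phase 2 disagreements; empty means the proposal should be accepted.
    cisco['pfs_group'] is None when the crypto map has no 'set pfs'."""
    problems = []
    if openswan["esp"] != cisco["esp"]:
        problems.append(f"esp: Openswan {openswan['esp']} vs transform-set {cisco['esp']}")
    if openswan["pfs"] != (cisco["pfs_group"] is not None):
        problems.append("pfs: one side requires PFS and the other does not")
    # Our leftsubnet must be what the Cisco calls the remote network and our
    # rightsubnet its local network; a /24 against a /32 is a mismatch.
    for label, ours, theirs in (("leftsubnet", openswan["leftsubnet"], cisco["remote_subnet"]),
                                ("rightsubnet", openswan["rightsubnet"], cisco["local_subnet"])):
        if ipaddress.ip_network(ours) != ipaddress.ip_network(theirs):
            problems.append(f"{label}: Openswan {ours} vs Cisco {theirs}")
    return problems


# Constructed sample input, taken from the abbreviated configs in the thread.
CISCO_POLICY = ["encr 3des", "authentication pre-share", "group 2"]
CISCO_TRANSFORM_SET = "crypto ipsec transform-set QP_Set esp-3des esp-sha-hmac"
PLUTO_LINE = ('004 "host" #3: STATE_MAIN_I4: ISAKMP SA established '
              "{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 "
              "prf=oakley_sha group=modp1024}")
# Christian's case: Openswan offers the /24 with PFS, the Cisco expects a /32 and no PFS.
OPENSWAN_SIDE = {"esp": "3des-sha1", "pfs": True,
                 "leftsubnet": "192.168.232.0/24", "rightsubnet": "10.14.8.0/29"}
CISCO_SIDE = {"esp": "3des-sha1", "pfs_group": None,
              "local_subnet": "10.14.8.0/29", "remote_subnet": "192.168.232.10/32"}

if __name__ == "__main__":
    print("ike=" + isakmp_policy_to_ike(CISCO_POLICY), "esp=" + transform_set_to_esp(CISCO_TRANSFORM_SET))
    print(parse_isakmp_sa_line(PLUTO_LINE))
    print(phase2_mismatches(OPENSWAN_SIDE, CISCO_SIDE))
```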
F***@knapp-systems.com
2006-11-15 16:34:41 UTC
Permalink
Hi again,

try setting
leftnexthop=<ip address of your default gw>

It's just that OpenS/WAN sometimes seems to be unable to figure out
routing correctly if you're using "%defaultroute".

OpenS/WAN usually adds a kernel route if you're starting a tunnel like
route add <rightsubnet> gw <leftnexthop>,
if you are "left", or
route add <leftsubnet> gw <rightnexthop>,
if you are "right".
Usually, you need only one of them.
What might be counterproductive in your case (not sure, but on a hunch) is
that you define both "leftnexthop" and "rightnexthop" to be your default
gateway.
If I were in your place, I'd define only leftnexthop.

Best Regards,

Frank Mayer
Team Manager Systems Engineering
UNIX Systems Administration, Network Administration
Paul Wouters
2006-11-15 17:48:58 UTC
Permalink
Post by F***@knapp-systems.com
try setting
leftnexthop=<ip address of your default gw>
It's just that OpenS/WAN sometimes seems to be unable to figure out
routing correctly if you're using "%defaultroute".
Though we think we fixed that in 2.4.7.

Paul
Christian Brechbühler
2006-11-15 20:12:03 UTC
Permalink
Post by F***@knapp-systems.com
Hi again,
try setting
leftnexthop=<ip address of your default gw>
Now that IP shows up in the gateway column when I run route. I think it's a
good thing. Ping to 10.14.8.X doesn't complain anymore about unreachable
host. I'm still not getting anything back, but that may be the other side's
intention (or misconfiguration)

It's just that OpenS/WAN sometimes seems to be unable to figure out
Post by F***@knapp-systems.com
routing correctly if you're using "%defaultroute".
OpenS/WAN usually adds a kernel route if you're starting a tunnel like
route add <rightsubnet> gw <leftnexthop>,
if you are "left", or
route add <leftsubnet> gw <rightnexthop>,
if you are "right".
Yup, I'm getting that now (as route -n shows).

Usually, you need only one of them.
Post by F***@knapp-systems.com
What might be counterproductive in your case (not sure, but on a hunch) is
that you define both "leftnexthop" and "rightnexthop" to be your default
gateway.
The man page says "Relevant only locally, other end need not agree on it".
So I think, as I'm "left", the parameter rightnexthop will be ignored. And
I should take it out to reduce confusion.
Paul Wouters
2006-11-15 21:33:37 UTC
Permalink
Post by Christian Brechbühler
Post by F***@knapp-systems.com
OpenS/WAN
btw. It is "Openswan", not OpenS/WAN or Open/swan :)
Post by Christian Brechbühler
The man page says "Relevant only locally, other end need not agree on it".
So I think, as I'm "left", the parameter rightnexthop will be ignored. And
I should take it out to reduce confusion.
Yes, it is ignored. You can take it out.

Paul
Peter McGill
2006-11-24 21:47:12 UTC
Permalink
Well our subnet is 10.0.0.0/24, so that doesn't match anyway. The Cisco side instructed us to
-A POSTROUTING -d 10.14.8.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.232.10
I've never SNAT'd through an Openswan tunnel before so I'm not exactly sure how it would work.
Although if you get it working, I'd like to know how, as I have a situation myself where I'm going to need it.

Let's confirm your setup details, correct me if I'm wrong but your setup is as follows:

Your Private LAN
10.0.0.0/24
|
Openswan 2.4.4 (ipsec --version ?Klips or NETKEY?)
Linux 2.6.11-gentoo-r5
Eth1 public internet interface
|
Internet
|
Cisco
|
Remote Network
10.14.8.0/24

Where does 192.168.232.10 fit in?
Is it just an unused address chosen at the Cisco end to NAT your traffic to them?

Have you tried the SNAT'ing with your lithium test setup?

If I've got your setup right above, then...
First I'd set your leftsubnet=192.168.232.10/32 again (and on the Cisco).
If NETKEY the -o eth1 -j SNAT is good (if that is your external interface.)
With Klips it would be -o ipsec0 -j SNAT ...

That's how I would guess it should work, however again, I've never actually SNAT'd through a tunnel.
Perhaps someone else has, and/or has some insight?

Peter
Christian Brechbühler
2006-11-25 02:16:58 UTC
Permalink
Post by Christian Brechbühler
The Cisco side instructed us to
source-network-address-translate all packets destined to them, which we
-A POSTROUTING -d 10.14.8.0/255.255.255.0 -o eth1 -j SNAT --to-source
192.168.232.10
I've never SNAT'd through an Openswan tunnel before so I'm not exactly
sure how it would work.
Although if you get it working, I'd like to know how, as I have a
situation myself where I'm going to need it.
Your Private LAN
10.0.0.0/24
|
Openswan 2.4.4 (ipsec --version ?Klips or NETKEY?)
Linux Openswan U2.4.4/K2.6.11-gentoo-r5 (netkey)

Linux 2.6.11-gentoo-r5
Post by Christian Brechbühler
Eth1 public internet interface
|
Internet
|
Cisco
|
Remote Network
10.14.8.0/24
Actually 10.14.8.0/29 -- the iptables rule is too general. In our view of
the world, the above diagram is correct.

Where does 192.168.232.10 fit in?

Is it just an unused address chosen at the Cisco end to NAT your traffic to
Post by Christian Brechbühler
them?
In the Cisco's view, our subnet is 192.168.232.0/24 -- yes, you're probably
right about the unused address.

Have you tried the SNAT'ing with your lithium test setup?

No, thanks, that's another idea to try.

If I've got your setup right above, then...
Post by Christian Brechbühler
First I'd set your leftsubnet=192.168.232.10/32 again (and on the Cisco).
I don't see a difference in the behavior any more. I assume they changed it
to Xsubnetwithin

If NETKEY the -o eth1 -j SNAT is good (if that is your external interface.)
Post by Christian Brechbühler
With Klips it would be -o ipsec0 -j SNAT ...
Pretty sure it's NETKEY -- see above. No ipsecX interfaces; we have eth0,
eth1, lo, ppp0, and ppp1. The latter two are for Windows machines, which do
PPP over L2TP over IPsec.

That's how I would guess it should work, however again, I've never actually
Post by Christian Brechbühler
SNAT'd through a tunnel.
Perhaps someone else has, and/or has some insight?
I'll let you know if I get it to work. But even without SNAT, I get this
weird situation (not serious, but may be the same issue): When lithium
establishes an IPsec tunnel to the vpn gateway, connections that lithium
initiates (ping, ssh, traceroute, http) work fine. Any connection to
lithium that the gateway initiates fails. Is this normal? I suspect NO,
and the firewall on the gateway may be ruining things.

/Christian
Paul Wouters
2006-11-25 16:43:46 UTC
Post by Christian Brechbühler
I'll let you know if I get it to work. But even without SNAT, I get this
weird situation (not serious, but may be the same issue): When lithium
establishes an IPsec tunnel to the vpn gateway, connections that lithium
initiates (ping, ssh, traceroute, http) work fine. Any connection to
lithium that the gateway initiates fails. Is this normal? I suspect NO,
and the firewall on the gateway may be ruining things.
Use leftsourceip=firewallinternalIP

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
Christian Brechbühler
2006-11-26 14:53:43 UTC
Post by Paul Wouters
Post by Christian Brechbühler
I'll let you know if I get it to work. But even without SNAT, I get this
weird situation (not serious, but may be the same issue): When lithium
establishes an IPsec tunnel to the vpn gateway, connections that lithium
initiates (ping, ssh, traceroute, http) work fine. Any connection to
lithium that the gateway initiates fails. Is this normal? I suspect NO,
and the firewall on the gateway may be ruining things.
Use leftsourceip=firewallinternalIP
Hi Paul,

Thank you! I haven't gotten it to work yet. Can you spell this out a bit
more, please?

I'd like to tell you first about a connection between two linux/openswan
hosts, which doesn't use SNAT but exhibits the same routing problem.
(Outside IPs changed out of paranoia.)
Here's the layout; the connection is between "lithium" and "vpn"

"lithium" 192.168.2.2 (laptop) -- Linux Openswan U2.4.4/K2.6.9-1.11_FC2(netkey)
|
belkin inside 192.168.2.1 (home router/NAT/firewall)
belkin outside 24.61.22.33 (UDP port 500 forwarded to lithium)
|
internet (ISP Comcast)
...
internet (ISP Speakeasy)
|
"vpn" outside 66.92.44.163 -- Linux Openswan U2.4.4/K2.6.11-gentoo-r5 (netkey)
"vpn" inside 10.0.0.1
|
10.0.0.0/24 private network

ipsec.conf on lithium:
version 2.0 # conforms to second version of ipsec.conf speci

config setup
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16
interfaces=%defaultroute
plutodebug="control parsing"

conn %default
keyingtries=1
compress=yes
authby=rsasig
right=%defaultroute
rightcert=lithium.pem
leftrsasigkey=%cert
auto=add

conn boston
leftsubnet=10.0.0.0/24
left=66.92.44.163
leftid="C=US, ST=Massachusetts, L=Boston, O=CompanyInc, CN=vpn"

ipsec.conf on "vpn":
version 2.0

config setup
plutodebug="control controlmore"
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
interfaces=%defaultroute

conn %default
keyingtries=1
compress=yes
auto=add

conn openswan-part
leftsubnet=10.0.0.0/24
#### rightsourceip=192.168.2.1
rightsubnet=vhost:%no,%priv
left=%defaultroute
right=%any
authby=rsasig|secret
leftcert=vpn.pem
rightrsasigkey=%cert

After I bring the connection up (from lithium), 'route -n' reports the
following new entries.
On "lithium":
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        192.168.2.1     255.255.255.0   UG    0      0        0 eth0
On "vpn":
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.2     66.92.44.161    255.255.255.255 UGH   0      0        0 eth1

And from "lithium", I can reach (ping/ssh/tracepath) "vpn" and other hosts
on the 10.0.0.0/24 network. E.g.:
$ tracepath 10.0.0.1
 1?: [LOCALHOST]                        pmtu 1448
 1:  lithium.localdomain (192.168.2.2)   0.081ms pmtu 1418
 1:  10.0.0.1 (10.0.0.1)                34.536ms reached
     Resume: pmtu 1418 hops 1 back 1
So far so good. Obviously I'm also getting the return packets.

The problem: Any traffic initiated by "vpn" toward 192.168.2.2 (lithium)
Paul Wouters
2006-11-26 18:49:59 UTC
Post by Christian Brechbühler
Post by Paul Wouters
Post by Christian Brechbühler
initiates (ping, ssh, traceroute, http) work fine. Any connection to
lithium that the gateway initiates fails. Is this normal? I suspect NO,
and the firewall on the gateway may be ruining things.
Use leftsourceip=firewallinternalIP
Thank you! I haven't gotten it to work yet. Can you spell this out a bit
more, please?
Christian Brechbühler
2006-11-27 03:23:07 UTC
On 11/26/06, Paul Wouters <***@xelerance.com> wrote:
Paul Wouters
2006-11-27 03:58:55 UTC
Thanks for the quote! I searched, but leftsourceip is not documented in the
2.4.4 man page. Do you know in which release it was implemented?
It was documented a long long time ago, in a version far far away. But the
man page was only updated in 2.4.7 :)

Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
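The routing problem Christian describes (lithium can reach "vpn", but anything "vpn" itself initiates toward 192.168.2.2 fails) and Paul's one-line answer (leftsourceip) come down to which source address the gateway puts on packets it originates: the kernel picks the address of the outgoing interface, i.e. the public 66.92.44.163, which is not inside leftsubnet=10.0.0.0/24, so the packet never matches the tunnel's outbound policy. The following added example models that check; it is not Openswan code and not part of the thread. It assumes a constructed conn stanza in which rightsubnet=192.168.2.2/32 stands in for the selector that vhost:%no,%priv negotiates for lithium, and it assumes (as the _updown script does) that leftsourceip becomes the 'src' of the route Openswan installs.

```python
import ipaddress

# Constructed ipsec.conf stanzas modelled on the "vpn" gateway in the thread
# (not Openswan's own code or configuration). 192.168.2.2/32 stands in for
# the selector that "rightsubnet=vhost:%no,%priv" negotiates for lithium.
CONN_WITHOUT_SOURCEIP = """\
conn openswan-part
    left=66.92.44.163
    leftsubnet=10.0.0.0/24
    right=192.168.2.2
    rightsubnet=192.168.2.2/32
"""

# Same stanza with Paul's suggestion: the gateway's own inside address.
CONN_WITH_SOURCEIP = CONN_WITHOUT_SOURCEIP + "    leftsourceip=10.0.0.1\n"


def parse_conn(text):
    """Parse one 'conn' stanza into a dict of key=value settings.

    Comments and the 'conn <name>' header are skipped; values keep their
    literal text so the caller decides how to interpret them.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        settings[key.strip()] = value.strip()
    return settings


def outbound_selector(conn):
    """Outbound SPD selector the tunnel installs: leftsubnet -> rightsubnet."""
    return (ipaddress.ip_network(conn["leftsubnet"]),
            ipaddress.ip_network(conn["rightsubnet"]))


def gateway_source_address(conn):
    """Address the gateway itself uses when it originates traffic to the peer.

    Assumption modelled here: with leftsourceip set, the route Openswan adds
    carries that 'src', so locally generated packets use it. Without it the
    kernel picks the address of the outgoing interface, which on "vpn" is
    the public 'left' address.
    """
    return ipaddress.ip_address(conn.get("leftsourceip", conn["left"]))


def matches_selector(conn, src, dst):
    """True if a src->dst packet falls inside the tunnel's outbound selector."""
    lnet, rnet = outbound_selector(conn)
    return (ipaddress.ip_address(src) in lnet and
            ipaddress.ip_address(dst) in rnet)


def gateway_initiated_is_tunnelled(conn_text, dst="192.168.2.2"):
    """Does a connection the gateway itself initiates toward dst get IPsec'd?"""
    conn = parse_conn(conn_text)
    return matches_selector(conn, gateway_source_address(conn), dst)


if __name__ == "__main__":
    for label, text in (("without leftsourceip", CONN_WITHOUT_SOURCEIP),
                        ("with leftsourceip", CONN_WITH_SOURCEIP)):
        conn = parse_conn(text)
        print(f"{label}: gateway src {gateway_source_address(conn)}, "
              f"tunnelled={gateway_initiated_is_tunnelled(text)}")
    # Traffic from a LAN host behind the gateway was never the problem:
    print("10.0.0.5 -> lithium tunnelled:",
          matches_selector(parse_conn(CONN_WITHOUT_SOURCEIP),
                           "10.0.0.5", "192.168.2.2"))
```

Without leftsourceip the gateway's own packets leave with 66.92.44.163 as source, miss the selector, and go out in the clear (where the far end's firewall quietly drops them); with leftsourceip=10.0.0.1 the same packets fall inside 10.0.0.0/24 -> 192.168.2.2/32 and are encrypted. Hosts on 10.0.0.0/24 behind the gateway are unaffected either way, which is why only gateway-initiated connections fail. On a real box the equivalent check is `ip route get 192.168.2.2` on "vpn" and looking at the 'src' it reports.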