whitfield

asked on

VPN between free s/wan and cisco 3000

I'm trying to establish a VPN with IPSec between Free S/WAN and a Cisco 3000 concentrator. The interface on my Linux firewall limits the configurations available to me, so tweaks need to be made at the Cisco end.

I get the following at the Free S/WAN end:
000 "remote_site": 192.xxx.xxx.xxx/32===193.xxx.xxx.xxx---193.xxx.xxx.xxx...
000 "remote_site": ...194.xxx.xxx.xxx===192.xxx.xxx.xxx/32
000 "remote_site":  ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "remote_site":  policy: POLICY_PSK+POLICY_ENCRYPT+POLICY_TUNNEL+POLICY_PFS; interface: eth1; routed
000 "remote_site":  newest ISAKMP SA: #1; newest IPsec SA: #0; eroute owner: #0
000 #3: "remote_site" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 26s
000 #1: "remote_site" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2573s; newest ISAKMP
conn remote_site

So you see the first handshake stage is completed successfully. The Cisco then complains of a policy incompatibility (no useful fault numbers, I'm afraid). I assume it's the PFS policy (set to "yes" in Free S/WAN; various levels on the Cisco: 1, 2 & 5 from memory).

Any assistance on where to look / references to docs etc. would be gratefully appreciated.
mbruner

I usually find that the error messages that are sent to the event log in the Cisco concentrator give better indications as to where the policy mismatch resides.  Can you post those here?  

Just for reference, you get this info by going to "Monitoring" then to "Filterable Event Log". Clicking the "Get Log" button should show a window with your event log info. The latest information is at the bottom of the log.

Here is a link to Cisco's VPN 3000 documentation: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/index.htm

If you could also browse around Cisco's TAC website: http://www.cisco.com/tac 
or more specifically:
http://www.cisco.com/warp/public/471/top_issues/vpn/vpn_index.shtml

Hope it helps!
whitfield (asker)

Thanks mbruner

Here's the cisco end:
153 07/26/2002 15:45:16.890 SEV=4 IKE/119 RPT=340 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
PHASE 1 COMPLETED
 
154 07/26/2002 15:45:16.890 SEV=4 AUTH/22 RPT=264
User 193.xxx.xxx.xxx connected
 
155 07/26/2002 15:45:17.010 SEV=5 IKE/35 RPT=102 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.xxx.xxx.xxx, Mask 255.255.255.255, Protocol 0, Port 0
 
158 07/26/2002 15:45:17.010 SEV=5 IKE/34 RPT=131 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received local IP Proxy Subnet data in ID Payload:
 Address 192.yyy.yyy.yyy, Mask 255.255.255.255, Protocol 0, Port 0
 
161 07/26/2002 15:45:17.010 SEV=4 IKE/61 RPT=16 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Tunnel rejected: Policy not found for Src:192.xxx.xxx.xxx, Dst: 192.yyy.yyy.yyy!
 
163 07/26/2002 15:45:17.010 SEV=4 IKEDBG/0 RPT=251
QM FSM error (P2 struct &0x1c30ae8, mess id 0x47a38a9a)!
 
164 07/26/2002 15:45:17.010 SEV=4 IKEDBG/0 RPT=252
QM FSM history (P2 struct &0x1c30ae8):
  [13, 52], [3, 32], [3, 44], [3, 31]
 
165 07/26/2002 15:45:17.020 SEV=4 AUTH/23 RPT=175 193.xxx.xxx.xxx
User 193.xxx.xxx.xxx disconnected: duration: 0:00:00

Any clearer?
ASKER CERTIFIED SOLUTION
mbruner
Looks like you were on to something. We changed the source and destination as suggested and the tunnel is visible from the Cisco end for a variable but brief period. At the Linux end I see:

Jul 30 14:34:58 pcfw2 Pluto[16931]: added connection description "remote_site"
Jul 30 14:35:10 pcfw2 Pluto[16931]: "remote_site" #1: initiating Main Mode
Jul 30 14:35:12 pcfw2 Pluto[16931]: "remote_site" #1: ignoring Vendor ID payload
Jul 30 14:35:12 pcfw2 Pluto[16931]: "remote_site" #1: ISAKMP SA established
Jul 30 14:35:12 pcfw2 Pluto[16931]: "remote_site" #3: initiating Quick Mode POLICY_PSK+POLICY_ENCRYPT+POLICY_TUNNEL+POLICY_PFS
Jul 30 14:35:13 pcfw2 Pluto[16931]: "remote_site" #3: our client ID returned doesn't match my proposal
Jul 30 14:35:20 pcfw2 Pluto[16931]: "remote_site" #3: our client ID returned doesn't match my proposal
Jul 30 14:35:43 pcfw2 Pluto[16931]: "remote_site" #1: ignoring Delete SA payload
Jul 30 14:35:43 pcfw2 Pluto[16931]: "remote_site" #1: received and ignored informational message
Jul 30 14:35:43 pcfw2 Pluto[16931]: "remote_site" #1: ignoring Delete SA payload
Jul 30 14:35:43 pcfw2 Pluto[16931]: "remote_site" #1: received and ignored informational message
Jul 30 14:36:12 pcfw2 Pluto[16931]: "remote_site" #1: Informational Exchange message for an established ISAKMP SA must be encrypted
Jul 30 14:36:42 pcfw2 Pluto[16931]: "remote_site" #3: max number of retransmissions (2) reached STATE_QUICK_I1
Jul 30 14:36:42 pcfw2 Pluto[16931]: "remote_site" #3: starting keying attempt 2 of an unlimited number
Jul 30 14:36:42 pcfw2 Pluto[16931]: "remote_site" #7: initiating Quick Mode POLICY_PSK+POLICY_ENCRYPT+POLICY_TUNNEL+POLICY_PFS
Jul 30 14:36:42 pcfw2 Pluto[16931]: "remote_site" #1: Informational Exchange message for an established ISAKMP SA must be encrypted

This looks like an incompatibility in keying; if it were encryption it surely wouldn't succeed at all.

The Cisco end log is:
688 07/30/2002 13:34:58.600 SEV=4 IKE/119 RPT=360 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
PHASE 1 COMPLETED
 
689 07/30/2002 13:34:58.600 SEV=4 AUTH/22 RPT=273
User 193.xxx.xxx.xxx connected
 
690 07/30/2002 13:34:58.710 SEV=5 IKE/35 RPT=120 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.xxx.xxx.xxx, Mask 255.255.255.255, Protocol 0, Port 0
 
693 07/30/2002 13:34:58.710 SEV=5 IKE/34 RPT=149 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received local IP Proxy Subnet data in ID Payload:
 Address 172.yyy.yyy.yyy, Mask 255.255.255.0, Protocol 0, Port 0
 
696 07/30/2002 13:34:58.710 SEV=5 IKE/66 RPT=176 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
IKE Remote Peer configured for SA: L2L: linux_tunnel
 
697 07/30/2002 13:35:28.650 SEV=4 IKEDBG/0 RPT=259
QM FSM error (P2 struct &0x1c3ded4, mess id 0xff81598b)!
 
698 07/30/2002 13:35:28.650 SEV=4 IKEDBG/0 RPT=260
QM FSM history (P2 struct &0x1c3ded4):
  [13, 52], [8, 5], [8, 65535], [4, 4]
 
699 07/30/2002 13:35:28.660 SEV=4 AUTH/23 RPT=179 193.xxx.xxx.xxx
User 193.xxx.xxx.xxx disconnected: duration: 0:00:30

Where should I look next?

Thanks
Richard
Check out this link and the document linked to on that page. It may help you sort things out.

In the meantime, I'll look into this further and see if I can come up with anything.
DOH!  Stinking enter key!!  %^$#^&%#@~!!!  

Here is the link:  http://www.sandelman.ottawa.on.ca/linux-ipsec/html/2000/11/msg00578.html

Hi Again
The issue was basically a difference in source and destination networks, as you suggested. We then went through an issue of "Duplicate first packet detected!" on the Cisco end, which turned out to be an inability to reply to the IKE request; this was resolved by correcting the default route. Most of the threads in user groups refer to UDP port 10000 being opened, but we know this wasn't the issue.
You probably know all this - but I'm fed up following threads with no conclusion, just a "thanks, that fixed it."

Thanks for all your help.
Question for whitfield regarding the changes to the config, if that's OK. In your first list of debug info from the concentrator, the remote and local IPs are 192.x.x.x:

155 07/26/2002 15:45:17.010 SEV=5 IKE/35 RPT=102 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received remote IP Proxy Subnet data in ID Payload:
Address 192.xxx.xxx.xxx, Mask 255.255.255.255, Protocol 0, Port 0

158 07/26/2002 15:45:17.010 SEV=5 IKE/34 RPT=131 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Received local IP Proxy Subnet data in ID Payload:
Address 192.yyy.yyy.yyy, Mask 255.255.255.255, Protocol 0, Port 0

161 07/26/2002 15:45:17.010 SEV=4 IKE/61 RPT=16 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Tunnel rejected: Policy not found for Src:192.xxx.xxx.xxx, Dst: 192.yyy.yyy.yyy!

in a follow-up posting the local IP Proxy subnet had changed to a 172.x.y.z address.  What were the original networks you were trying to link together?

We have exactly the same issue with a FreeS/WAN and Cisco 3005 unit. The internal networks we want to connect are 192.168.52.0 (Cisco end) and 192.168.50.0 (FreeS/WAN end). If we configure the Cisco and FreeS/WAN units with these values for the local and remote (left and right on FreeS/WAN) networks, the tunnel fails to establish with the same error:

161 07/26/2002 15:45:17.010 SEV=4 IKE/61 RPT=16 193.xxx.xxx.xxx
Group [193.xxx.xxx.xxx]
Tunnel rejected: Policy not found for Src:192.xxx.xxx.xxx, Dst: 192.yyy.yyy.yyy!

but if the 192.168.52.0 network is changed to 172.28.1.0/0.0.0.255 then the tunnel works, but the 192.168.52.0 network is now seen as 172.28.1.x, which is wrong.

how did you fix that?

cheers
Gary

Very weird. Let me make sure I have everything straight in my mind. Is this close to the network design you want?

192.168.50.0/24---[Freeswan]---Some_External_Address-----//-----Another_External_Address---[Cisco3000]---192.168.52.0/24

You know, you'd get a lot more help if you posted a new question on this.   There are some REALLY sharp people here that might be able to answer this much quicker than us.



mbruner,

Thanks for the reply, and yep, I agree with you regarding the REALLY sharp people on here :) I'd posted a question on the Security/Firewalls section but no response as of yet.

The design you have is exactly correct. Since I posted the original question we have managed to get the tunnel working correctly with the proper addressing scheme. We could get the tunnel working with the 192.168.50.0 and 172.28.1.0 addresses, but this meant that a translation was occurring, which we didn't want.

The tunnel has now been up for 24 hours with the 192.168.50.0 and 192.168.52.0 addresses :)

so we can ping/telnet etc from PCs in 192.168.52.0 to provide remote support for those in 192.168.50.0

cheers
Gary
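Both whitfield's "Policy not found for Src/Dst" rejection and Gary's 192.168.50.0/192.168.52.0 case come down to the same thing: the phase-2 proxy IDs (traffic selectors) FreeS/WAN sends in Quick Mode are exactly its leftsubnet/rightsubnet, and the concentrator looks those up against its LAN-to-LAN entry. The following checker is an added example, not code from either poster or from Cisco or FreeS/WAN. It parses a conn block and the IKE/34 and IKE/35 event-log lines in the format shown above, and reports where the selectors disagree. The conn blocks, log excerpts and public addresses (TEST-NET ranges) are constructed to mirror the thread, and the L2L entry it compares against is an assumption you would read off the concentrator's LAN-to-LAN page.

```python
"""Cross-check IKE phase-2 proxy IDs between a FreeS/WAN conn and what a Cisco
VPN 3000 concentrator logged, to catch the "Policy not found" mismatch.
Added example: conn blocks, log excerpts and addresses are constructed."""
import ipaddress
import re

# Constructed FreeS/WAN conn, subnet-to-subnet (the layout Gary reports working).
CONN_SUBNETS = """
conn remote_site
    left=198.51.100.1           # assumed FreeS/WAN public address
    leftsubnet=192.168.50.0/24
    right=203.0.113.1           # assumed concentrator public address
    rightsubnet=192.168.52.0/24
    authby=secret
    pfs=yes
    auto=start
"""

# Same conn with host-only /32 IDs, like the first attempt in the thread.
CONN_HOSTS = (CONN_SUBNETS.replace("192.168.50.0/24", "192.168.50.1/32")
                          .replace("192.168.52.0/24", "192.168.52.1/32"))

# Constructed concentrator event-log excerpts in the format shown in the thread.
LOG_REJECTED = """\
155 07/26/2002 15:45:17.010 SEV=5 IKE/35 RPT=102 198.51.100.1
Group [198.51.100.1]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.168.50.1, Mask 255.255.255.255, Protocol 0, Port 0
158 07/26/2002 15:45:17.010 SEV=5 IKE/34 RPT=131 198.51.100.1
Group [198.51.100.1]
Received local IP Proxy Subnet data in ID Payload:
 Address 192.168.52.1, Mask 255.255.255.255, Protocol 0, Port 0
161 07/26/2002 15:45:17.010 SEV=4 IKE/61 RPT=16 198.51.100.1
Group [198.51.100.1]
Tunnel rejected: Policy not found for Src:192.168.50.1, Dst: 192.168.52.1!
"""
LOG_ACCEPTED = """\
690 07/30/2002 13:34:58.710 SEV=5 IKE/35 RPT=120 198.51.100.1
Group [198.51.100.1]
Received remote IP Proxy Subnet data in ID Payload:
 Address 192.168.50.0, Mask 255.255.255.0, Protocol 0, Port 0
693 07/30/2002 13:34:58.710 SEV=5 IKE/34 RPT=149 198.51.100.1
Group [198.51.100.1]
Received local IP Proxy Subnet data in ID Payload:
 Address 192.168.52.0, Mask 255.255.255.0, Protocol 0, Port 0
696 07/30/2002 13:34:58.710 SEV=5 IKE/66 RPT=176 198.51.100.1
Group [198.51.100.1]
IKE Remote Peer configured for SA: L2L: linux_tunnel
"""

# Assumed concentrator LAN-to-LAN entry as (local network, remote network);
# in practice read it off the concentrator's LAN-to-LAN configuration page.
CISCO_L2L = (ipaddress.ip_network("192.168.52.0/24"),
             ipaddress.ip_network("192.168.50.0/24"))

PROXY_RE = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s*\n"
    r"\s*Address (\S+), Mask (\S+),")


def conn_subnets(conf):
    """(leftsubnet, rightsubnet) from a conn block; these become the QM proxy IDs."""
    vals = dict(re.findall(r"^\s*(leftsubnet|rightsubnet)=(\S+)", conf, re.M))
    return (ipaddress.ip_network(vals["leftsubnet"]),
            ipaddress.ip_network(vals["rightsubnet"]))


def cisco_proxy_ids(log):
    """{'remote': net, 'local': net} as the concentrator decoded the QM1 ID payloads."""
    return {side: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for side, addr, mask in PROXY_RE.findall(log)}


def diagnose(conf, log, l2l=CISCO_L2L):
    """Return a list of findings; an empty list means the selectors line up."""
    left, right = conn_subnets(conf)
    ids = cisco_proxy_ids(log)
    findings = []
    # What the concentrator decoded must be exactly what FreeS/WAN proposed:
    # its "remote" is our leftsubnet, its "local" is our rightsubnet.
    if (ids.get("remote"), ids.get("local")) != (left, right):
        findings.append(f"on-the-wire IDs {ids} differ from conn {left} <-> {right}")
    # Conservative assumption: the L2L entry is matched exactly on both networks,
    # so a /32 host ID is not accepted as "inside" a /24 network list.
    if (ids.get("local"), ids.get("remote")) != l2l:
        findings.append(f"no L2L entry for {ids.get('local')} <-> {ids.get('remote')}; "
                        f"concentrator has {l2l[0]} <-> {l2l[1]}")
    if "Policy not found" in log:
        findings.append("concentrator logged IKE/61 'Policy not found'")
    return findings


if __name__ == "__main__":
    for name, conf, log in (("hosts", CONN_HOSTS, LOG_REJECTED),
                            ("subnets", CONN_SUBNETS, LOG_ACCEPTED)):
        print(name, diagnose(conf, log) or "OK")
```

Run it against a real "Get Log" dump and your own ipsec.conf: the first finding means FreeS/WAN is not proposing what you think it is (check for a stale conn or an unexpected /32 default), the second means the concentrator's L2L local/remote networks need to be changed to the same two subnets rather than a translated 172.x range.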