[strongSwan] Error while using "ipsec up <connection name>"

Andreas Steffen andreas.steffen at strongswan.org
Thu Jun 17 16:11:04 CEST 2010


Hi,

the responder cannot authenticate the initiator

: ignoring informational payload, type INVALID_KEY_INFORMATION

probably because the initiator didn't send a certificate:

: we don't have a cert

Are you using self-signed certificates? In that case both
certificates must be locally imported on both sides.

Andreas

On 17.06.2010 16:04, Dhanavel P wrote:
> Hi All,
> I am trying to establish an IPsec connection between two hosts. I choose host-host (transport mode) for the setup.
> I have done the needed configuration for this setup and I start IPsec.
>
>
> But an error has occurred, as shown below, when I execute "ipsec up sample-self-signed". And sometimes I get an error like
> Asynchronous network error for eth0
>
> Kindly help me.
>
>
> *ipsec up sample-self-signed*
>
> [root@INFCH02598 ~]# ipsec up sample-self-signed
> 002 "sample-self-signed" #8: initiating Main Mode
> 104 "sample-self-signed" #8: STATE_MAIN_I1: initiate
> 003 "sample-self-signed" #8: received Vendor ID payload [strongSwan]
> 003 "sample-self-signed" #8: received Vendor ID payload [XAUTH]
> 003 "sample-self-signed" #8: received Vendor ID payload [Dead Peer Detection]
> 106 "sample-self-signed" #8: STATE_MAIN_I2: sent MI2, expecting MR2
> 002 "sample-self-signed" #8: we don't have a cert
> 108 "sample-self-signed" #8: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "sample-self-signed" #8: ignoring informational payload, type INVALID_KEY_INFORMATION
> 010 "sample-self-signed" #8: STATE_MAIN_I3: retransmission; will wait 20s for response
> 003 "sample-self-signed" #8: next payload type of ISAKMP Hash Payload has an unknown value: 254
> 003 "sample-self-signed" #8: malformed payload in packet
> 003 "sample-self-signed" #8: discarding duplicate packet; already STATE_MAIN_I3
> 010 "sample-self-signed" #8: STATE_MAIN_I3: retransmission; will wait 40s for response
> 003 "sample-self-signed" #8: next payload type of ISAKMP Hash Payload has an unknown value: 24
> 003 "sample-self-signed" #8: malformed payload in packet
> 003 "sample-self-signed" #8: discarding duplicate packet; already STATE_MAIN_I3
> 031 "sample-self-signed" #8: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
> 000 "sample-self-signed" #8: starting keying attempt 2 of at most 3, but releasing whack
>
>
>
> *ipsec statusall*
>
> 000 Status of IKEv1 pluto daemon (strongSwan 4.4.0):
> 000 interface lo/lo ::1:500
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 172.29.23.110:500
> 000 %myid = '%any'
> 000 loaded plugins: aes des sha1 md5 sha2 hmac gmp random pem pkcs1
> 000 debug options: control
> 000
> 000 "sample-self-signed": 172.29.23.110[C=IN, O=LNT, CN=INFCH02598]...172.29.23.146[C=IN, O=LNT, CN=INFCH00889]; unrouted; eroute owner: #0
> 000 "sample-self-signed":   ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "sample-self-signed":   policy: PUBKEY+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth0;
> 000 "sample-self-signed":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #12: "sample-self-signed" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 25s
> 000 #12: pending Phase 2 for "sample-self-signed" replacing #0
> 000 #11: "sample-self-signed" STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 6s
> 000
>
> *ip xfrm policy*
>
> [root@INFCH02598 ~]# ip xfrm policy
> src ::/0 dst ::/0
>          dir in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>          dir in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>          dir in priority 0 ptype main
> src ::/0 dst ::/0
>          dir out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>          dir out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>          dir out priority 0 ptype main
>
>
> Thanks in advance
>
> Regards
> Dhanavel

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
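
What "locally imported on both sides" looks like in configuration, as an added example that is not part of the original message. The addresses and distinguished names are taken from the quoted `ipsec statusall` output; all certificate and key file names are assumed placeholders.

```conf
# ---- Host 172.29.23.110 (CN=INFCH02598): /etc/ipsec.conf ----
conn sample-self-signed
    left=172.29.23.110
    leftid="C=IN, O=LNT, CN=INFCH02598"
    # This host's own self-signed certificate, read from
    # /etc/ipsec.d/certs/ (file name assumed)
    leftcert=INFCH02598Cert.pem
    right=172.29.23.146
    rightid="C=IN, O=LNT, CN=INFCH00889"
    # The peer's self-signed certificate, copied over and imported
    # locally because no CA vouches for it (file name assumed)
    rightcert=INFCH00889Cert.pem
    auto=add

# ---- Host 172.29.23.110: /etc/ipsec.secrets ----
# Private key matching leftcert, read from /etc/ipsec.d/private/
# (file name assumed). Only certificates are exchanged between the
# hosts; the private key never leaves the machine it belongs to.
: RSA INFCH02598Key.pem

# ---- Host 172.29.23.146 (CN=INFCH00889): /etc/ipsec.conf ----
# Mirror image: the same two certificate files, with the roles swapped.
conn sample-self-signed
    left=172.29.23.146
    leftid="C=IN, O=LNT, CN=INFCH00889"
    leftcert=INFCH00889Cert.pem
    right=172.29.23.110
    rightid="C=IN, O=LNT, CN=INFCH02598"
    rightcert=INFCH02598Cert.pem
    auto=add

# ---- Host 172.29.23.146: /etc/ipsec.secrets ----
: RSA INFCH00889Key.pem
```

After restarting the daemon on each host, `ipsec listcerts` should show both certificates on both machines, and the local one should be reported as having a private key.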
