[strongSwan] strongSwan IKEv1 question

Andreas Steffen andreas.steffen at strongswan.org
Fri May 6 23:26:58 CEST 2011


Hello,

could it be that the /usr/libexec/ipsec/_updown script is some
leftover from a previous Openswan installation? Especially so
since strongSwan seems to be installed under /usr/local2/ not
/usr.

Regards

Andreas

On 05/06/2011 10:55 PM, Nan Luo wrote:
>
> Hi, I am trying to set up an IKEv1 tunnel with a Security Gateway using
> strongSwan as client. But the tunnel failed at phase 2 negotiation with
> the following errors, can someone help?
>
> [root at acme94 etc]# /usr/local2/sbin/ipsec up pskv1
> 002 "pskv1" #3: initiating Main Mode
> 102 "pskv1" #3: STATE_MAIN_I1: initiate
> 003 "pskv1" #3: received Vendor ID payload [Dead Peer Detection]
> 104 "pskv1" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 106 "pskv1" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 002 "pskv1" #3: Peer ID is ID_IPV4_ADDR: '172.16.18.102'
> 002 "pskv1" #3: ISAKMP SA established
> 004 "pskv1" #3: STATE_MAIN_I4: ISAKMP SA established
> 002 "pskv1" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using
> isakmp#3}
> 110 "pskv1" #4: STATE_QUICK_I1: initiate
> *002 "pskv1" #4: up-host output: /usr/libexec/ipsec/_updown: obsolete
> interface version `1.1',*
> *002 "pskv1" #4: up-host output: /usr/libexec/ipsec/_updown: \011called
> by obsolete Pluto?*
> *003 "pskv1" #4: up-host command exited with status 2*
> *032 "pskv1" #4: STATE_QUICK_I1: internal error*
> 010 "pskv1" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "pskv1" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "pskv1" #4: max number of retransmissions (2) reached
> STATE_QUICK_I1. No acceptable response to our first Quick Mode message:
> perhaps peer likes no proposal
>
> I am running strongSwan 4.5.0 with the following configuration:
> strongswan.conf :
>
> # strongswan.conf - strongSwan configuration file
> pluto {
>     load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
> }
>
> # pluto uses optimized DH exponent sizes (RFC 3526)
>
> libstrongswan {
>     dh_exponent_ansi_x9_42 = no
> }
>
> ipsec.conf :
> # ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>     plutodebug=control
>     charonstart=no
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     authby=secret
>
> conn pskv1
>     left=172.16.18.202
>     leftfirewall=yes
>     right=172.16.18.102
>     rightsubnet=172.16.18.102/32
>     auto=add
>
> ipsec.secrets :
> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>
> 172.16.18.202 172.16.18.102 : PSK "ipsecsecrets"

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
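
The mismatch pointed out in the reply above can be checked mechanically. This is an added example, not part of the original thread and not strongSwan code: it extracts the script paths that appear in pluto's updown output lines and flags any that lie outside the prefix of the `ipsec` command that was run. The function names are hypothetical, the sample log is constructed from the lines quoted in the thread, and it assumes the helper script is installed under the same prefix as `ipsec`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the updown helper is
# expected under the same prefix as the ipsec command that was run.

# Constructed sample: Quick Mode lines from the thread, wrapped lines rejoined.
sample_log() {
cat <<'EOF'
002 "pskv1" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3}
110 "pskv1" #4: STATE_QUICK_I1: initiate
002 "pskv1" #4: up-host output: /usr/libexec/ipsec/_updown: obsolete interface version `1.1',
002 "pskv1" #4: up-host output: /usr/libexec/ipsec/_updown: \011called by obsolete Pluto?
003 "pskv1" #4: up-host command exited with status 2
EOF
}

# Distinct script paths named in "<verb> output: <path>: <message>" lines (stdin).
updown_paths() {
    sed -n 's|^.* output: \(/[^:]*\): .*$|\1|p' | sort -u
}

# /usr/local2/sbin/ipsec -> /usr/local2
prefix_of() {
    dirname "$(dirname "$1")"
}

# Usage: foreign_updown /path/to/ipsec < log
# Returns 1 if any script that produced output lies outside the prefix.
foreign_updown() {
    prefix=$(prefix_of "$1")
    rc=0
    for p in $(updown_paths); do
        case "$p" in
            "$prefix"/*) echo "ok      $p" ;;
            *) echo "foreign $p (not under $prefix)"; rc=1 ;;
        esac
    done
    return "$rc"
}

sample_log | foreign_updown /usr/local2/sbin/ipsec ||
    echo "updown script does not belong to this installation"
```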
