[strongSwan] PHASE 2 not Working ike1

christopher kamutumwa chriskamutumwa at gmail.com
Wed Mar 16 16:30:55 CET 2016


Hi,

I have installed strongSwan on Ubuntu and am failing to pass phase 2.
Below is the log from the Cisco router we are trying to connect to. Can
someone help me understand where the problem is?

*Mar 15 08:36:26.353: ISAKMP:(0:396:SW:1):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
*Mar 15 08:36:26.353: ISAKMP:(0:396:SW:1):Old State = IKE_P1_COMPLETE
New State = IKE_P1_COMPLETE

*Mar 15 08:36:26.509: ISAKMP (0:0): received packet from 41.189.70.2
dport 500 sport 500 Global (R) MM_NO_STATE
*Mar 15 08:36:26.541: ISAKMP (0:134218124): received packet from
185.3.95.94 dport 500 sport 500 Global (R) QM_IDLE
*Mar 15 08:36:26.541: ISAKMP: set new node -203387855 to QM_IDLE
*Mar 15 08:36:26.541: ISAKMP:(0:396:SW:1): processing HASH payload.
message ID = -203387855
*Mar 15 08:36:26.541: ISAKMP:(0:396:SW:1): processing SA payload.
message ID = -203387855
*Mar 15 08:36:26.541: ISAKMP:(0:396:SW:1):Checking IPSec proposal 0
*Mar 15 08:36:26.541: ISAKMP: transform 1, ESP_3DES
*Mar 15 08:36:26.541: ISAKMP:   attributes in transform:
*Mar 15 08:36:26.541: ISAKMP:      authenticator is HMAC-SHA
*Mar 15 08:36:26.545: ISAKMP:      encaps is 1 (Tunnel)
*Mar 15 08:36:26.545: ISAKMP:      SA life type in seconds
*Mar 15 08:36:26.545: ISAKMP:      SA life duration (basic) of 28800
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1):atts are acceptable.
*Mar 15 08:36:26.545: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 41.72.111.122, remote= 185.3.95.94,
    local_proxy= 200.32.15.153/255.255.255.255/0/0 (type=1),
    remote_proxy= 192.168.200.177/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar 15 08:36:26.545: Crypto mapdb : proxy_match
        src addr     : 200.32.15.153
        dst addr     : 192.168.200.177
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar 15 08:36:26.545: Crypto mapdb : proxy_match
        src addr     : 200.32.15.153
        dst addr     : 192.168.200.177
        protocol     : 0
        src port     : 0
        dst port     : 0
*Mar 15 08:36:26.545: Crypto mapdb : proxy_match
        src addr     : 200.32.15.153
        dst addr     : 192.168.200.177
        protocol     : 0
        src port     : 0
Zamtel#
        dst port     : 0
*Mar 15 08:36:26.545: IPSEC(validate_transform_proposal): peer address
185.3.95.94 not found
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1): IPSec policy invalidated proposal
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1): phase 2 SA policy not
acceptable! (local 41.72.111.122 remote 185.3.95.94)
*Mar 15 08:36:26.545: ISAKMP: set new node 880379161 to QM_IDLE
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1):Sending NOTIFY
PROPOSAL_NOT_CHOSEN protocol 3
        spi 1676566344, message ID = 880379161
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1): sending packet to
185.3.95.94 my_port 500 peer_port 500 (R) QM_IDLE
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1):purging node 880379161
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1):deleting node -203387855
error TRUE reason "QM rejected"
*Mar 15 08:36:26.545: ISAKMP (0:134218124): Unknown Input
IKE_MESG_FROM_PEER, IKE_QM_EXCH:  for node -203387855: state =
IKE_QM_READY
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1):Node -203387855, Input =
IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 15 08:36:26.545: ISAKMP:(0:396:SW:1):Old State = IKE_QM_READY
New State = IKE_QM_READY

