[Users] Tunnel disconnects after few min. Please help.

From: Boris Popov (boris_at_procedium.com)
Date: Sun Oct 06 2002 - 05:29:27 CEST


I'm having some major problems when trying to establish a PSK-based VPN
tunnel between an Astaro Linux box (powered by FreeS/WAN) and a Symantec
Firewall/VPN appliance 100. The tunnel is established with no problems, but
a few minutes later it fails, then it reconnects and does the same thing over
and over again. Attached are logs from both the ASL and the Symantec box. As
you can see, despite some error messages the IPSec SA gets established, but
fails later. If I'm running a ping -t with one of the remote IPs then I see
that packets go through for a while, then they start timing out, then they
start getting through again. Any ideas?

===============ASL===============
Oct 5 20:11:49 asl Pluto[4067]: "Peer1_1" #50: responding to Quick Mode
Oct 5 20:11:50 asl Pluto[4067]: "Peer1_1" #50: IPsec SA established
Oct 5 20:12:19 asl Pluto[4067]: "Peer1_1" #48: max number of retransmissions
(2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message
Oct 5 20:12:19 asl Pluto[4067]: "Peer1_1" #48: starting keying attempt 24 of
an unlimited number
Oct 5 20:12:19 asl Pluto[4067]: "Peer1_1" #51: initiating Main Mode to
replace #48
Oct 5 20:12:22 asl Pluto[4067]: packet from x.x.x.x:500: size (300) differs
from size specified in ISAKMP HDR (40)
Oct 5 20:12:24 asl Pluto[4067]: "Peer1_1" #52: responding to Main Mode
Oct 5 20:12:24 asl Pluto[4067]: "Peer1_1" #52: OAKLEY_DES_CBC is not
supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Oct 5 20:12:24 asl Pluto[4067]: "Peer1_1" #52: OAKLEY_DES_CBC is not
supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Oct 5 20:12:25 asl Pluto[4067]: "Peer1_1" #52: Peer ID is ID_IPV4_ADDR:
'x.x.x.x'
Oct 5 20:12:25 asl Pluto[4067]: "Peer1_1" #52: sent MR3, ISAKMP SA
established
Oct 5 20:12:26 asl Pluto[4067]: "Peer1_1" #53: responding to Quick Mode
Oct 5 20:12:26 asl Pluto[4067]: "Peer1_1" #53: IPsec SA established
Oct 5 20:13:32 asl Pluto[4067]: "Peer1_1" #51: max number of retransmissions
(2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message
Oct 5 20:13:32 asl Pluto[4067]: "Peer1_1" #51: starting keying attempt 25 of
an unlimited number
Oct 5 20:13:32 asl Pluto[4067]: "Peer1_1" #54: initiating Main Mode to
replace #51
Oct 5 20:13:35 asl Pluto[4067]: packet from x.x.x.x:500: size (300) differs
from size specified in ISAKMP HDR (40)
Oct 5 20:14:45 asl Pluto[4067]: "Peer1_1" #54: max number of retransmissions
(2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message
Oct 5 20:14:45 asl Pluto[4067]: "Peer1_1" #54: starting keying attempt 26 of
an unlimited number
Oct 5 20:14:45 asl Pluto[4067]: "Peer1_1" #55: initiating Main Mode to
replace #54
Oct 5 20:14:48 asl Pluto[4067]: packet from x.x.x.x:500: size (300) differs
from size specified in ISAKMP HDR (40)
Oct 5 20:15:46 asl Pluto[4067]: "Peer1_1" #56: responding to Main Mode
Oct 5 20:15:46 asl Pluto[4067]: "Peer1_1" #56: OAKLEY_DES_CBC is not
supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Oct 5 20:15:46 asl Pluto[4067]: "Peer1_1" #56: OAKLEY_DES_CBC is not
supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Oct 5 20:15:47 asl Pluto[4067]: "Peer1_1" #56: Peer ID is ID_IPV4_ADDR:
'x.x.x.x'
Oct 5 20:15:47 asl Pluto[4067]: "Peer1_1" #56: sent MR3, ISAKMP SA
established
Oct 5 20:15:48 asl Pluto[4067]: "Peer1_1" #57: responding to Quick Mode
Oct 5 20:15:49 asl Pluto[4067]: "Peer1_1" #57: IPsec SA established
Oct 5 20:15:58 asl Pluto[4067]: "Peer1_1" #55: max number of retransmissions
(2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message
Oct 5 20:15:58 asl Pluto[4067]: "Peer1_1" #55: starting keying attempt 27 of
an unlimited number
Oct 5 20:15:58 asl Pluto[4067]: "Peer1_1" #58: initiating Main Mode to
replace #55
Oct 5 20:16:00 asl Pluto[4067]: packet from x.x.x.x:500: size (300) differs
from size specified in ISAKMP HDR (40)
Oct 5 20:16:16 asl Pluto[4067]: "Peer1_1" #59: responding to Main Mode
Oct 5 20:16:16 asl Pluto[4067]: "Peer1_1" #59: OAKLEY_DES_CBC is not
supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Oct 5 20:16:16 asl Pluto[4067]: "Peer1_1" #59: OAKLEY_DES_CBC is not
supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Oct 5 20:16:18 asl Pluto[4067]: "Peer1_1" #59: Peer ID is ID_IPV4_ADDR:
'x.x.x.x'
Oct 5 20:16:18 asl Pluto[4067]: "Peer1_1" #59: sent MR3, ISAKMP SA
established
Oct 5 20:16:18 asl Pluto[4067]: "Peer1_1" #60: responding to Quick Mode
Oct 5 20:16:19 asl Pluto[4067]: "Peer1_1" #60: IPsec SA established

===============Symantec===============
10/06/2002 03:11:39.12 System started
10/06/2002 03:12:29.12 Office - Initiating IKE Main Mode
10/06/2002 03:12:29.12 Office - STATE_MAIN_I1: initiate
10/06/2002 03:12:29.62 Office - STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2,
expecting MR2
10/06/2002 03:12:30.47 Office - STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3,
expecting MR3
10/06/2002 03:12:30.47 Office - STATE_MAIN_I4 ISAKMP SA established
10/06/2002 03:12:30.47 Office - Doing Quick Mode with x.x.x.x "Office"
10/06/2002 03:12:30.47 Office - initiating Quick Mode
10/06/2002 03:12:31.02 Office - STATE_QUICK_I1: initiate
10/06/2002 03:12:31.87 Office - STATE_QUICK_I2 sent QI2, IPsec SA
established
10/06/2002 03:12:35.87 Office - responding to Main Mode
10/06/2002 03:12:35.87 Office - STATE_MAIN_R1: from STATE_MAIN_R0; sent MR1,
expecting MI2
10/06/2002 03:12:38.67 Office - STATE_MAIN_R2: from STATE_MAIN_R1; sent MR2,
expecting MI3
10/06/2002 03:12:38.67 - ERR: byte 2 of ISAKMP Identification Payload must
be zero, but is not
10/06/2002 03:12:38.67 Office - ERR:probable authentication (preshared
secret) failure: malformed payload
10/06/2002 03:12:38.67 Office - STATE_MAIN_R2: PAYLOAD_MALFORMED
10/06/2002 03:12:38.67 Office - state transition function for STATE_MAIN_R2
failed: PAYLOAD_MALFORMED
10/06/2002 03:12:38.67 Office - Sending ISAKMP OAK INFO (Notification IKE
SA)
10/06/2002 03:12:38.67 Office - Terminating connection
10/06/2002 03:12:48.72 - ERR:Main Mode message is part of an unknown
exchange
10/06/2002 03:12:48.72 - (null): UNSUPPORTED_EXCHANGE_TYPE
10/06/2002 03:12:48.72 - state transition function for (null) failed:
UNSUPPORTED_EXCHANGE_TYPE
10/06/2002 03:12:48.72 " - Terminating connection
10/06/2002 03:13:08.72 - ERR:Main Mode message is part of an unknown
exchange
10/06/2002 03:13:08.72 - (null): UNSUPPORTED_EXCHANGE_TYPE
10/06/2002 03:13:08.72 - state transition function for (null) failed:
UNSUPPORTED_EXCHANGE_TYPE
10/06/2002 03:13:08.72 ". - Terminating connection
10/06/2002 03:13:16.72 Office - Initiating IKE Main Mode
10/06/2002 03:13:16.72 Office - STATE_MAIN_I1: initiate
10/06/2002 03:13:17.22 Office - STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2,
expecting MR2
10/06/2002 03:13:18.07 Office - STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3,
expecting MR3
10/06/2002 03:13:18.07 Office - STATE_MAIN_I4 ISAKMP SA established
10/06/2002 03:13:18.07 Office - Doing Quick Mode with x.x.x.x "Office"
10/06/2002 03:13:18.07 Office - initiating Quick Mode
10/06/2002 03:13:18.62 Office - STATE_QUICK_I1: initiate
10/06/2002 03:13:19.47 Office - STATE_QUICK_I2 sent QI2, IPsec SA
established
===============END===============

Any help would be greatly appreciated!

-Boris
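
Added example, not part of the original post: a small Python helper that rejoins the mail-wrapped Pluto entries and groups them by state number (#NN), so each negotiation's role (initiator or responder) and outcome can be read at a glance. The function names `unwrap` and `summarize` are hypothetical, and the sample is constructed from entries in the ASL log above.

```python
import re
from collections import defaultdict

# Constructed sample: entries copied from the ASL log above, mail wrapping intact.
SAMPLE = """\
Oct 5 20:12:19 asl Pluto[4067]: "Peer1_1" #48: max number of retransmissions
(2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message
Oct 5 20:12:19 asl Pluto[4067]: "Peer1_1" #51: initiating Main Mode to
replace #48
Oct 5 20:12:24 asl Pluto[4067]: "Peer1_1" #52: responding to Main Mode
Oct 5 20:12:25 asl Pluto[4067]: "Peer1_1" #52: sent MR3, ISAKMP SA
established
Oct 5 20:13:32 asl Pluto[4067]: "Peer1_1" #51: max number of retransmissions
(2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable
response to our first encrypted message
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
ENTRY = re.compile(r'Pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')

def unwrap(text):
    """Rejoin entries that the mail client wrapped across lines."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line)          # a timestamp starts a new entry
        else:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def summarize(text):
    """Return {state number: (role, exchange, outcome)} per Pluto state."""
    out = defaultdict(lambda: ["?", "?", "pending"])
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if not m:
            continue                      # entries without a state number
        s, msg = out[int(m["state"])], m["msg"]
        if msg.startswith(("initiating", "responding to")):
            s[0] = "initiator" if msg.startswith("initiating") else "responder"
            s[1] = "Main" if "Main Mode" in msg else "Quick"
        elif "SA established" in msg:
            s[2] = "established"
        elif "max number of retransmissions" in msg:
            s[2] = "timed out in " + re.search(r"STATE_\w+", msg).group()
    return {k: tuple(v) for k, v in out.items()}

print(summarize(SAMPLE))
```

A state whose opening entry falls outside the supplied excerpt (such as #48 here) is reported with `?` for role and exchange.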
