
[Users] Problem during Negotiation Stage

From: Kristian Du <kristian(at)hitech-sanita.it>
Date: Wed Apr 30 2003 - 07:38:01 EDT


Hi Everyone,

I am trying to create a VPN between two nodes over the Internet. Each machine has its own public IP address. During the negotiation stage, this is what I see in the /var/log/auth.log of both machines:

Sec GW - firenze (establishing the connection, i.e. auto=start):


Apr 30 11:01:11 bulldog Pluto[6152]: "firenze-milano" #3: initiating Main Mode to replace #2
Apr 30 11:01:21 bulldog Pluto[6152]: packet from 81.208.25.242:500: Main Mode message is part of an unknown exchange
Apr 30 11:01:41 bulldog Pluto[6152]: packet from 81.208.25.242:500: Main Mode message is part of an unknown exchange
Apr 30 11:02:01 bulldog PAM_unix[6254]: (cron) session opened for user root by (uid=0)
Apr 30 11:02:02 bulldog PAM_unix[6254]: (cron) session closed for user root
Apr 30 11:02:22 bulldog Pluto[6152]: "firenze-milano" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr 30 11:02:22 bulldog Pluto[6152]: "firenze-milano" #3: starting keying attempt 3 of at most 3
Apr 30 11:02:22 bulldog Pluto[6152]: "firenze-milano" #4: initiating Main Mode to replace #3
Apr 30 11:03:34 bulldog Pluto[6152]: "firenze-milano" #4: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

Sec GW - milano 2 (establishing the connection, i.e. auto=add):


Apr 30 11:35:19 ciuaua pluto[6309]: "firenze-milano" #4: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Apr 30 11:35:19 ciuaua pluto[6309]: "firenze-milano" #4: sent MR3, ISAKMP SA established
Apr 30 11:35:29 ciuaua pluto[6309]: "firenze-milano" #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Apr 30 11:35:49 ciuaua pluto[6309]: "firenze-milano" #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3

It seems to me like the firenze SG initiating the connection is not receiving replies from the milano SG: milano replies to duplicate packets which leads me to think that firenze is not receiving the retransmissions. The firewall on firenze has been completely disabled. I don't know how to diagnose the problem at this point.

Furthermore, I have tried with manual start, and this is what I am getting:

root@firenze# ipsec auto --verbose --up firenze-milano

002 "firenze-milano" #1: initiating Main Mode
104 "firenze-milano" #1: STATE_MAIN_I1: initiate
106 "firenze-milano" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "firenze-milano" #1: STATE_MAIN_I3: sent MI3, expecting MR3
010 "firenze-milano" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
010 "firenze-milano" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "firenze-milano" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Does anybody have any clue!?
Help would be much appreciated.

-- 
Kristian Du 

_______________________________________________
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
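A log-triage helper, added here as an example and not part of the original post or of FreeS/WAN: it parses pluto lines like those quoted above from both gateways and flags the pattern of an initiator stuck at STATE_MAIN_I3 while the responder has completed MR3 and is answering duplicate MI3 packets, together with the ipsec.secrets warning. The hint names and the reduced sample log are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the pluto lines quoted in the post
# (host "bulldog" = firenze, the initiator; "ciuaua" = milano, the responder).
SAMPLE_LOG = """\
Apr 30 11:01:11 bulldog Pluto[6152]: "firenze-milano" #3: initiating Main Mode to replace #2
Apr 30 11:01:21 bulldog Pluto[6152]: packet from 81.208.25.242:500: Main Mode message is part of an unknown exchange
Apr 30 11:02:01 bulldog PAM_unix[6254]: (cron) session opened for user root by (uid=0)
Apr 30 11:02:22 bulldog Pluto[6152]: "firenze-milano" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Apr 30 11:35:19 ciuaua pluto[6309]: "firenze-milano" #4: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
Apr 30 11:35:19 ciuaua pluto[6309]: "firenze-milano" #4: sent MR3, ISAKMP SA established
Apr 30 11:35:29 ciuaua pluto[6309]: "firenze-milano" #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
"""

# syslog prefix, host name, then "Pluto[pid]:" or "pluto[pid]:" and the message
LINE_RE = re.compile(r'^\w{3} +\d+ [\d:]+ (?P<host>\S+) [Pp]luto\[\d+\]: (?P<msg>.*)$')

def analyse(log_text):
    """Per-host counters of the Main Mode symptoms relevant to this failure."""
    hosts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # cron/PAM noise and anything not from pluto
        f, msg = hosts[m.group('host')], m.group('msg')
        if 'initiating Main Mode' in msg:
            f['initiated'] += 1
        if 'reached STATE_MAIN_I3' in msg:
            f['stuck_at_i3'] += 1         # MI3 was sent but no MR3 was ever accepted
        if 'sent MR3, ISAKMP SA established' in msg:
            f['responder_done'] += 1      # phase 1 completed on this side
        if 'already STATE_MAIN_R3' in msg:
            f['duplicate_mi3'] += 1       # the peer keeps resending MI3
        if 'unknown exchange' in msg:
            f['unmatched_packets'] += 1   # cookies matched no live exchange
        if 'multiple ipsec.secrets entries' in msg:
            f['secrets_ambiguous'] += 1
    return hosts

def diagnose(hosts):
    """Combine both sides' counters into diagnostic hint strings (constructed names)."""
    hints = []
    stuck = [h for h, f in hosts.items() if f['stuck_at_i3']]
    done = [h for h, f in hosts.items() if f['responder_done'] and f['duplicate_mi3']]
    if stuck and done:
        hints.append('mr3_not_accepted_by_initiator')  # inspect the UDP/500 return path
    for h, f in hosts.items():
        if f['unmatched_packets']:
            hints.append(f'stale_or_mismatched_exchange:{h}')
        if f['secrets_ambiguous']:
            hints.append(f'review_ipsec_secrets:{h}')
    return hints
```

Run `diagnose(analyse(open('/var/log/auth.log').read()))` on a concatenation of both gateways' logs to get the hints for a real case.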
Received on Thu May 1 21:21:46 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:01:29 EDT
