Hi all,
At first I will show you my hardware settings.
ipsec_hardware.jpg
On both systems (left and right) Ubuntu is run on a virtual machine with Openswan.
-------------------------------------------------------------------------------------
ifconfig LEFTSIDE:
eth0 Link encap:Ethernet HWaddr xxxxxxxxxxx
inet addr:192.168.183.128 Bcast:192.168.183.255 Mask:255.255.255.0
inet6 addr: xxxxxxxxx Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
ifconfig RIGHTSIDE:
eth0 Link encap:Ethernet HWaddr xxxxxxxxxxx
inet addr:192.168.2.116 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: xxxxxxxxx Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
-----------------------------------------------------------------------------
LEFTSIDE ipsec.conf:
conn C-to-D
type=tunnel
authby=rsasig
left=192.168.183.128
leftsubnet=192.168.183.0/24
leftrsasig=0sAQNU......
leftnexthop=%defaultroute
right=95.112.17.18
rightsubnet=192.168.2.0/24
rightrsasig=0sAQNU......
auto=add
RIGHTSIDE ipsec.conf:
conn C-to-D
type=tunnel
authby=rsasig
left=37.82.62.12
leftsubnet=192.168.183.0/24
leftrsasig=0sAQNU......
right=192.168.2.116
rightsubnet=192.168.2.0/24
rightnexthop=%defaultroute
rightrsasig=0sAQNU......
auto=add
-----------------------------------------------------
After starting ipsec auto --up C-to-D:
Message on LEFTSIDE:
104 "C-to-D" #1: STATE_MAIN_I1: initiate
003 "C-to-D" #1: received Vendor ID payload [Openswan (this version) 2.6.37 ]
003 "C-to-D" #1: received Vendor ID payload [Dead Peer Detection]
003 "C-to-D" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "C-to-D" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "C-to-D" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "C-to-D" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "C-to-D" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
003 "C-to-D" #1: received and ignored informational message
010 "C-to-D" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "C-to-D" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "C-to-D" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "C-to-D" #1: discarding duplicate packet; already STATE_MAIN_I3
031 "C-to-D" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "C-to-D" #1: starting keying attempt 2 of an unlimited number, but releasing whack
Message on RIGHTSIDE:
IP 37.x.x.x.941 > 192.168.2.116.500: isakmp: phase 1 I ident
IP 192.168.2.116.500 > 37.x.x.x.941: isakmp: phase 1 R ident
IP 37.x.x.x.941 > 192.168.2.116.500: isakmp: phase 1 I ident
IP 192.168.2.116.500 > 37.x.x.x.941: isakmp: phase 1 R ident
IP 192.168.2.116.500 > 37.x.x.x.941: isakmp: phase 2/others R inf[E]
IP 192.168.2.116.500 > 37.x.x.x.941: isakmp: phase 1 R ident
IP 192.168.2.116.500 > 37.x.x.x.941: isakmp: phase 1 R ident
IP 37.x.x.x.940 > 192.168.2.116.500: isakmp: phase 1 I ident
endless loop!
WHAT IS WRONG, does anyone have an idea????
Thanks in advance.
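A small diagnostic helper for exactly this kind of stall (an Openswan pluto negotiation that reaches STATE_MAIN_I3, gets INVALID_KEY_INFORMATION back and then runs out of retransmissions). This is an added example, not code from the post above or from Openswan. It parses the status lines that ipsec auto --up prints, parses both peers' conn blocks, and reports the things one checks first in this situation: whether NAT-T detected NAT on both ends, whether the responder rejected the first encrypted message, in which state the attempt was abandoned, whether both conn blocks describe the same left= and right= endpoints, whether any conn keywords are not ones the checker knows (it knows a subset of the keywords from man ipsec.conf, including leftrsasigkey/rightrsasigkey), and whether leftid=/rightid= are set when both peers are NATed (the default IKEv1 identity is the peer's IP address, so two configs that disagree on left= and right= also disagree on the identities). The sample log and conn blocks are constructed from the values in the post.

```python
"""Diagnostic helper for an Openswan IKEv1 (pluto) negotiation that stalls in
STATE_MAIN_I3 with INVALID_KEY_INFORMATION, as in the post above.
Added example, not part of the original post nor of Openswan itself.
Sample log and conn blocks are constructed from the values in the post."""
import re

SAMPLE_LOG = """\
104 "C-to-D" #1: STATE_MAIN_I1: initiate
106 "C-to-D" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "C-to-D" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "C-to-D" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "C-to-D" #1: ignoring informational payload, type INVALID_KEY_INFORMATION msgid=00000000
031 "C-to-D" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""
LEFT_CONF = """conn C-to-D
 type=tunnel
 authby=rsasig
 left=192.168.183.128
 leftsubnet=192.168.183.0/24
 leftrsasig=0sAQNU......
 leftnexthop=%defaultroute
 right=95.112.17.18
 rightsubnet=192.168.2.0/24
 rightrsasig=0sAQNU......
 auto=add
"""
RIGHT_CONF = """conn C-to-D
 type=tunnel
 authby=rsasig
 left=37.82.62.12
 leftsubnet=192.168.183.0/24
 leftrsasig=0sAQNU......
 right=192.168.2.116
 rightsubnet=192.168.2.0/24
 rightnexthop=%defaultroute
 rightrsasig=0sAQNU......
 auto=add
"""
# Subset of the Openswan conn keywords (man ipsec.conf) this checker recognizes.
KNOWN_KEYS = {"type", "authby", "auto", "ike", "esp", "pfs", "keyexchange",
              "ikelifetime", "keylife", "dpddelay", "dpdtimeout", "dpdaction",
              "left", "leftsubnet", "leftnexthop", "leftid", "leftrsasigkey",
              "right", "rightsubnet", "rightnexthop", "rightid", "rightrsasigkey"}
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def parse_pluto(text):
    """Split 'ipsec auto --up' output into dicts: code, conn, sa, msg."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["code"], d["sa"] = int(d["code"]), int(d["sa"])
            events.append(d)
    return events

def parse_conn(text):
    """Parse one 'conn NAME' block into (name, {keyword: value})."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
        elif "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            opts[k.strip()] = v.strip()
    return name, opts

def diagnose(log_text, left_conf, right_conf):
    """Correlate pluto status lines with both peers' conn blocks."""
    rep = {"nat_detected": False, "invalid_key_info": False,
           "stalled_state": None, "config_issues": []}
    state = None
    for e in parse_pluto(log_text):
        m = re.search(r"STATE_\w+", e["msg"])
        if m:
            state = m.group(0)
        if "both are NATed" in e["msg"]:
            rep["nat_detected"] = True
        if "INVALID_KEY_INFORMATION" in e["msg"]:   # responder rejected MI3
            rep["invalid_key_info"] = True
        if e["code"] == 31:                        # 031 = attempt abandoned
            rep["stalled_state"] = state
    issues = rep["config_issues"]
    confs = {"LEFTSIDE": parse_conn(left_conf), "RIGHTSIDE": parse_conn(right_conf)}
    l, r = confs["LEFTSIDE"][1], confs["RIGHTSIDE"][1]
    for side in ("left", "right"):   # both peers must name the same endpoints
        if l.get(side) != r.get(side):
            issues.append(f"{side}= differs: {l.get(side)} vs {r.get(side)}")
    for who, (_, opts) in confs.items():
        bad = sorted(k for k in opts if k not in KNOWN_KEYS)
        if bad:
            issues.append(f"{who}: unrecognized keywords: {', '.join(bad)}")
    if rep["nat_detected"] and not all(k in c for c in (l, r) for k in ("leftid", "rightid")):
        issues.append("both peers NATed but leftid=/rightid= not set on both sides; "
                      "the default ID is the IP address, which differs per side")
    return rep

if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_LOG, LEFT_CONF, RIGHT_CONF).items():
        print(f"{k}: {v}")
```

Run as-is it reports the NAT result, the rejected MI3, the state in which the attempt was abandoned, and the configuration disagreements between the two blocks; feed it the real pluto output and both real ipsec.conf blocks to get the same report for a live setup.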