Help! ipsec not talking IKE

From: Colin McKinnon (colin.deletethis_at_andthis.mms3.com)
Date: 11/15/04


Date: Mon, 15 Nov 2004 15:21:58 +0000

Hi All,

I'm trying to get ipsec working (TOTAL ipsec newbie). I'm trying to get a
host-to-host setup, with a PSK going as a test/proof of concept. Both
machines are on the same subnet, but to avoid interfering with what's
happening currently, I've set up aliases on the two machines on a new
subnet (ifconfig eth0:1 netmask 255.255.255.0 192.168.2.1 and ....2).

Before I start up ipsec, I can ping and ssh across the link so traffic seems
to be moving OK. But when I start ipsec on both ends, it does not seem able
to negotiate keys.

I've tried switching off the firewall at both ends to no avail, both
machines are listening on port 500.

Anybody any ideas?

(full details below)

TIA,

C.

Error message is:
Nov 15 13:27:45 glasgow ipsec__plutorun: 031 "test" #1: max number of
retransmissions (2) reached STATE_MAIN_I1. No acceptable response to our
first IKE message
Nov 15 13:27:45 glasgow ipsec__plutorun: 000 "test" #1: starting keying
attempt 2 of at most 5, but releasing whack
Nov 15 13:27:45 glasgow ipsec__plutorun: ...could not start conn "test"
Nov 15 13:28:55 glasgow pluto[21461]: "test" #4: max number of
retransmissions (2) reached STATE_MAIN_I1. No acceptable response to our
first IKE message
Nov 15 13:28:55 glasgow pluto[21461]: "test" #4: starting keying attempt 3
of at most 5
Nov 15 13:28:55 glasgow pluto[21461]: "test" #5: initiating Main Mode to
replace #4

ipsec.conf is as follows:
config setup
        interfaces="ipsec0=eth0:1"
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        uniqueids=yes
conn test
        type=transport
        right=192.168.2.1
        rightid=192.168.2.1
        left=192.168.2.2
        leftid=192.168.2.2
        leftnexthop=%direct
        keyexchange=ike
        keylife=8h
        keyingtries=5
        pfs=yes
        rekeymargin=20m
        rekeyfuzz=30%
        auth=esp
        authby=secret
        auto=start
----------
I've not set up anything specific in DNS (my understanding is that this is
not needed for PSK).
Both machines have the following at the end of /etc/ipsec.secrets (after
unique RSA stuff):
192.168.2.2 192.168.2.1: PSK "MyTestSecret"
Both ends are running SuSE with Freeswan 1.99_0.9.34-93
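An added example, not part of the original post or of FreeS/WAN: a small Python script that parses pluto log lines like the ones quoted above and reports at which IKEv1 Main Mode state the initiator gave up. STATE_MAIN_I1 means the first IKE message was sent and never answered, so the problem lies before any proposal or PSK check. The sample lines and the state-to-hint table are constructed for this example.

```python
import re
from collections import OrderedDict

# Constructed sample lines, modelled on the pluto output quoted in the post.
SAMPLE_LOG = """\
Nov 15 13:27:45 glasgow ipsec__plutorun: 031 "test" #1: max number of retransmissions (2) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Nov 15 13:27:45 glasgow ipsec__plutorun: 000 "test" #1: starting keying attempt 2 of at most 5, but releasing whack
Nov 15 13:28:55 glasgow pluto[21461]: "test" #4: max number of retransmissions (2) reached STATE_MAIN_I1. No acceptable response to our first IKE message
Nov 15 13:28:55 glasgow pluto[21461]: "test" #4: starting keying attempt 3 of at most 5
Nov 15 13:28:55 glasgow pluto[21461]: "test" #5: initiating Main Mode to replace #4
"""

# pluto tags each line with the conn name and a per-negotiation state number.
LINE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")

# Where each Main Mode initiator state stalls (constructed troubleshooting hints).
STATE_HINTS = {
    "STATE_MAIN_I1": "first message sent, no reply at all: peer unreachable, "
                     "not listening on UDP 500, or traffic filtered",
    "STATE_MAIN_I2": "reply received, stalled at key exchange: proposal mismatch",
    "STATE_MAIN_I3": "stalled at authentication: PSK or ID mismatch likely",
}

def parse_pluto_log(text):
    """Return {(conn, state_no): [messages]} in first-seen order."""
    states = OrderedDict()
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            states.setdefault((m["conn"], int(m["state"])), []).append(m["msg"])
    return states

def diagnose(text):
    """List every negotiation that hit the retransmit limit, with a hint."""
    findings = []
    for (conn, no), msgs in parse_pluto_log(text).items():
        for msg in msgs:
            r = RETRANS_RE.search(msg)
            if r:
                limit, state = int(r.group(1)), r.group(2)
                findings.append({"conn": conn, "state_no": no, "retrans": limit,
                                 "state": state,
                                 "hint": STATE_HINTS.get(state, "unknown state")})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f'{f["conn"]} #{f["state_no"]} stalled in {f["state"]}: {f["hint"]}')
```

Run it against the output of the real pluto log instead of SAMPLE_LOG; a stall in STATE_MAIN_I1 on both attempts means the peer never replied on UDP 500, which a packet capture on the interface can confirm.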
