
[suse-security] Freeswan, suse 9.1 ipsec initialization problem



Dear all,

I have successfully set up an ipsec tunnel between a suse 9.0 linux with 
freeswan 2.04_1_4_8 and a Cisco PIX 515. I decided to install suse 9.1 to a 
new PC because the previous suse kernel was not working normally after 
freeswan was doing rekeying ("...incoming packet policy failed..." blah, blah). 
If anyone knows something about this please tell me.

Anyway, I set up a suse 9.1 with kernel 2.6. I installed freeswan 2.04_1_5_3 
(included in the distribution) during the installation.

I copied the ipsec.conf and ipsec.secrets files as well as the private, public 
and CA certificates from my previous successful set-up with suse 9.0 (kernel 
2.4.21) to my new installation.

I have a big problem now because I cannot even set up the tunnel.
PIX configuration has not been changed and my old setup is working.

Here is the debug:

Sep  9 16:31:37 linux pluto[21125]: added connection description "myconn"
Sep  9 16:31:37 linux pluto[21125]: listening for IKE messages
Sep  9 16:31:37 linux pluto[21125]: adding interface eth0/eth0 192.168.11.46
Sep  9 16:31:37 linux pluto[21125]: adding interface lo/lo 127.0.0.1
Sep  9 16:31:37 linux pluto[21125]: adding interface lo/lo ::1
Sep  9 16:31:37 linux pluto[21125]: loading secrets from "/etc/ipsec.secrets"
Sep  9 16:31:37 linux pluto[21125]:   loaded private key file '/etc/ipsec.d/newsuse91.pem' (887 bytes)
Sep  9 16:31:37 linux pluto[21125]: "myconn" #1: initiating Main Mode
Sep  9 16:31:37 linux ipsec__plutorun: 104 "myconn" #1: STATE_MAIN_I1: initiate
Sep  9 16:31:37 linux ipsec__plutorun: ...could not start conn "myconn"
Sep  9 16:31:37 linux pluto[21125]: "myconn" #1: ignoring Vendor ID payload [XAUTH]
Sep  9 16:31:37 linux pluto[21125]: "myconn" #1: received Vendor ID payload [Dead Peer Detection]
Sep  9 16:31:37 linux pluto[21125]: "myconn" #1: ignoring Vendor ID payload [Cisco-Unity]
Sep  9 16:31:37 linux pluto[21125]: "myconn" #1: ignoring Vendor ID payload [3341804bef4cc911...]
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: Peer ID is ID_FQDN: '@pixfw2.x.com'
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: issuer crl not found
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: ISAKMP SA established
Sep  9 16:31:38 linux pluto[21125]: "myconn" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep  9 16:31:48 linux pluto[21125]: packet from x.x.x.x:500: not enough room in input packet for ISAKMP Message (remain=0, sd->size=28)
Sep  9 16:31:48 linux pluto[21125]: packet from x.x.x.x:500: sending notification PAYLOAD_MALFORMED to x.x.x.x:500


And here is my ipsec.conf:

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	forwardcontrol=yes
# default settings for connections
conn %default
	ikelifetime=120
	keylife=120
	rekeymargin=30
	#rekeyfuzz=0%
	keyexchange=ike
	esp=3des-md5-96

# Add connections here.
conn myconn
	authby=rsasig
	left=%defaultroute
	leftcert=/etc/ipsec.d/newsuse91.crt
	right=1.1.1.1
	rightid=@xxxxxxxxxxxx
	rightsubnet=x.x.0.0/16
	rightrsasigkey=%cert
	rightca=%same
	pfs=no
	auto=start                 # load and start this connection
	                           # when IPsec starts

# Switch off Opportunistic Encryption -- BEGIN
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

# Needed?
conn OEself
    auto=ignore
# Switch off Opportunistic Encryption -- END

I receive this NO_PROPOSAL_CHOSEN which I don't receive using suse 9.0. 
I don't know what's going wrong.

Please, give me some advice.

Any thoughts would be appreciated too.

Dimitris Stamatoulis

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
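
A small triage script, added here as an example and not part of the original post or of the FreeS/WAN project: it walks pluto log lines like the ones in the post to determine how far the IKE negotiation got (Main Mode, then Quick Mode, then whether the peer answered with a NO_PROPOSAL_CHOSEN notification or pluto rejected an inbound packet as malformed), and it reads ipsec.conf to show the phase-2 parameters actually proposed for a conn (esp, pfs, keylife, with conn %default merged in the way pluto does). The sample log and configuration embedded in it are constructed from the post, and the function names are my own.

```python
"""Triage a FreeS/WAN (pluto) negotiation log against its ipsec.conf.

Added example, not part of the original post. Two questions a defender asks
first when a tunnel will not come up:
  1. Which IKE phase failed?   (from the pluto log)
  2. What did this side propose? (from ipsec.conf, conn + %default merged)
"""
import re
from collections import OrderedDict

# Constructed sample: the decisive pluto lines from the post, unwrapped.
SAMPLE_LOG = """\
Sep  9 16:31:37 linux pluto[21125]: "myconn" #1: initiating Main Mode
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: Peer ID is ID_FQDN: '@pixfw2.x.com'
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: issuer crl not found
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: ISAKMP SA established
Sep  9 16:31:38 linux pluto[21125]: "myconn" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Sep  9 16:31:38 linux pluto[21125]: "myconn" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Sep  9 16:31:48 linux pluto[21125]: packet from x.x.x.x:500: not enough room in input packet for ISAKMP Message (remain=0, sd->size=28)
"""

# Constructed sample: the conn-relevant part of the poster's ipsec.conf.
SAMPLE_CONF = """\
version 2.0

config setup
\tforwardcontrol=yes

conn %default
\tikelifetime=120
\tkeylife=120
\trekeymargin=30
\t#rekeyfuzz=0%
\tkeyexchange=ike
\tesp=3des-md5-96

conn myconn
\tauthby=rsasig
\tleft=%defaultroute
\tright=1.1.1.1
\trightsubnet=x.x.0.0/16
\tpfs=no
\tauto=start   # trailing comment
"""

# pluto[pid]: optional '"conn" #N: ' prefix, then the message text.
PLUTO_RE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #(?P<sa>\d+): )?(?P<msg>.*)$')

def triage_log(text):
    """Record how far the negotiation got and the first failure seen."""
    state = {"phase1": False, "quick_mode": False, "phase2": False,
             "notify": None, "malformed": False, "verdict": ""}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:          # phase 1 (Main Mode) done
            state["phase1"] = True
        elif "initiating Quick Mode" in msg:        # phase 2 started
            state["quick_mode"] = True
        elif "IPsec SA established" in msg:         # phase 2 done: tunnel up
            state["phase2"] = True
        elif "informational payload, type" in msg and state["notify"] is None:
            kind = msg.rsplit("type ", 1)[1]
            if kind != "IPSEC_INITIAL_CONTACT":     # benign, not an error
                state["notify"] = kind
        elif "not enough room in input packet" in msg or "PAYLOAD_MALFORMED" in msg:
            state["malformed"] = True
    if state["phase2"]:
        state["verdict"] = "tunnel up"
    elif state["phase1"] and state["quick_mode"] and state["notify"]:
        state["verdict"] = ("phase 1 ok; phase 2 proposal rejected by peer (%s): "
                            "compare esp/pfs/keylife with the peer's transform set"
                            % state["notify"])
    elif state["phase1"]:
        state["verdict"] = "phase 1 ok; phase 2 not completed"
    else:
        state["verdict"] = "phase 1 (Main Mode) did not complete"
    return state

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {'conn name' / 'config setup': {key: value}}."""
    sections, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: section or 'version'
            parts = line.split()
            if parts[0] in ("conn", "config") and len(parts) == 2:
                current = sections.setdefault(parts[0] + " " + parts[1], {})
            else:
                current = None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def phase2_proposal(sections, name):
    """Phase-2 parameters for a conn, with 'conn %default' merged underneath."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections.get("conn " + name, {}))
    return {"esp": merged.get("esp"),
            "pfs": merged.get("pfs", "yes"),        # FreeS/WAN default is pfs=yes
            "keylife": merged.get("keylife")}

if __name__ == "__main__":
    print(triage_log(SAMPLE_LOG)["verdict"])
    print(phase2_proposal(parse_ipsec_conf(SAMPLE_CONF), "myconn"))
```

On the post's log the verdict is that Main Mode completed (certificate authentication with the PIX worked) and the peer rejected the Quick Mode proposal, which narrows the comparison to the phase-2 side of the two configurations; the later "not enough room in input packet" line is reported separately so it is not mistaken for the cause.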