Dear Lorry,
you should set "plutodebug=all" and look at the log messages produced (they can be quite
large). From the output you have posted to me, Pluto is able to negotiate the Phase 1
SA (004 "hp100-hp200" #1: STATE_MAIN_I4: ISAKMP SA established), but the Phase 2 SA
does not succeed. Pluto should tell you more in its logs (on hp200) about why it can't
finish Phase 2. I personally suspect that there are some problems with the routing,
probably related to the /124 you are using.
Can you change your IPv6 addresses to be /64? /124s are not really common and probably
not well supported in the old Linux kernels. Additionally, there have been discussions
about whether a /124 really makes sense or if a /64 should be the smallest subnet with IPv6 :-)
(this is really quite different from IPv4).
Hope this helps,
Gerhard
PS: Please don't send such messages via the list AND in private via separate mails.
Either use the list (which I recommend) or send them in private if necessary.
--------------------------------------------
Gerhard Geßler
Communication Networks, IABG mbH
Einsteinstr. 20
85521 Ottobrunn, Germany
Telefon: +49 89 6088 - 2021
Fax: +49 89 6088 - 2845
E-Mail: [EMAIL PROTECTED]
> -----Original Message-----
> From: lorry [mailto:[EMAIL PROTECTED]
> Sent: Saturday, August 02, 2003 5:27 AM
> To: [EMAIL PROTECTED]
> Subject: [Users]A big problem about configure FreeS/WAN IPV6Patch!
>
>
> Hi, all
>
> I get a big problem about configuring FreeS/WAN IPV6Patch.
> I have two hosts, one has two network-interface-cards, the other
> has three cards. I configure every card with an IPV4 address
> and IPV6 address.
> I install FreeS/WAN IPV6Patch on each gateway and verify
> it, everything is ok!
> Then I make an experiment on IPV6 Transport Mode support as
> the documentation said,
> but I get failure!
>
> The topology of my network is:
> HP100.ntl.ict.ac.cn(eth0,eth1)------------------------HP200.ntl.ict.ac.cn(eth0,eth1,eth2)
> HP100
> eth0
> IPV6ADDR='2001:250:f006:1::450/124'
> IPADDR='192.168.6.110/16'
> eth1
> IPV6ADDR='2001:250:f006:1::440/124'
> IPADDR='192.168.6.111/16'
>
> HP200
> eth0
> IPV6ADDR='2001:250:f006:1::451/124'
> IPADDR='192.168.6.112/16'
> eth1
> IPV6ADDR='2001:250:f006:1::460/124'
> IPADDR='192.168.6.113/16'
> eth2
> IPV6ADDR='2001:250:f006:1::461/124'
> IPADDR='192.168.6.114/16'
>
> I modify the ipsec.conf as the "Transport Mode Example" said,
> # /etc/ipsec.conf - FreeS/WAN IPSEC configuration file
>
> # basic configuration
> config setup
>     # specific or %defaultroute which is okay for most simple cases
>     interfaces="ipsec0=eth0"
>     klipsdebug=none
>     plutodebug=none
>     plutoload=%search
>     plutostart=%search
>
> # defaults for subsequent connection descriptions
> conn %default
>     keyingtries=0
>
> conn hp100-hp200
>     [EMAIL PROTECTED]
>     leftrsasigkey=0sAQ...
>     left=2001:250:f006:1::450
>     leftsubnet=
>     [EMAIL PROTECTED]
>     rightrsasigkey=0sAQ...
>     right=2001:250:f006:1::451
>     rightsubnet=
>     keyingtries=2
>     ikelifetime=55m
>     keylife=52m
>     rekeymargin=30s
>     rekeyfuzz=1%
>     authby=rsasig
>     type=transport
>     connaddrfamily=ipv6
>     auto=add
>
> Then I restart ipsec and start up the "hp100-hp200"
> connection, and I get a failure.
> [EMAIL PROTECTED] lorry]# service ipsec restart
> ipsec_setup: Stopping FreeS/WAN IPsec...
> ipsec_setup: IPv6/IPsec security policy database
> ipsec_setup: SPD6 cleared.
> ipsec_setup: Starting FreeS/WAN IPsec U1.99/K1.91...
> [EMAIL PROTECTED] lorry]# ipsec auto --up hp100-hp200
> 104 "hp100-hp200" #1: STATE_MAIN_I1: initiate
> 106 "hp100-hp200" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "hp100-hp200" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "hp100-hp200" #1: STATE_MAIN_I4: ISAKMP SA established
> 112 "hp100-hp200" #2: STATE_QUICK_I1: initiate
> 010 "hp100-hp200" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "hp100-hp200" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "hp100-hp200" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "hp100-hp200" #2: starting keying attempt 2 of at most 2, but releasing whack
>
> I also find the HP200 is down and can't respond to any key.
>
> Does anyone know where I am going wrong or know how to
> solve this problem?
> Any help would be greatly appreciated.
> Thanks in advance!
>
> Lorry
>
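
The reading Gerhard applies to the status lines (Main Mode states are Phase 1, Quick Mode states are Phase 2) can be automated when triaging many tunnels. The sketch below is an added example, not part of the thread or of FreeS/WAN; the verdict labels returned by `diagnose` are names chosen for this example.

```python
import re

# Status lines from the quoted `ipsec auto --up hp100-hp200` run (wrapped lines rejoined).
SAMPLE = """\
104 "hp100-hp200" #1: STATE_MAIN_I1: initiate
106 "hp100-hp200" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "hp100-hp200" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "hp100-hp200" #1: STATE_MAIN_I4: ISAKMP SA established
112 "hp100-hp200" #2: STATE_QUICK_I1: initiate
010 "hp100-hp200" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "hp100-hp200" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "hp100-hp200" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "hp100-hp200" #2: starting keying attempt 2 of at most 2, but releasing whack
"""

LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')  # code, connection, SA serial, message
STATE = re.compile(r"STATE_(MAIN|QUICK)_[IR]\d")
PHASE = {"MAIN": 1, "QUICK": 2}  # Main Mode = Phase 1, Quick Mode = Phase 2


def summarize(text):
    """Map phase number -> how far that negotiation got."""
    phases = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        s = STATE.search(m.group(4)) if m else None
        if not s:
            continue  # not a per-state status line
        msg = m.group(4)
        p = phases.setdefault(PHASE[s.group(1)], {
            "last_state": None, "established": False, "retransmits": 0, "gave_up": False})
        p["last_state"] = s.group(0)
        p["established"] |= "SA established" in msg
        p["retransmits"] += "retransmission;" in msg
        p["gave_up"] |= "max number of retransmissions" in msg
    return phases


def diagnose(text):
    """Name the point where the negotiation stopped (labels are this example's own)."""
    ph = summarize(text)
    if not ph.get(1, {}).get("established"):
        return "phase1-not-established"
    p2 = ph.get(2)
    if p2 is None:
        return "phase2-not-started"
    if p2["established"]:
        return "ok"
    return "phase2-no-response" if p2["gave_up"] else "phase2-pending"
```

For the run quoted above, `diagnose(SAMPLE)` returns `phase2-no-response`: the ISAKMP SA is up and the first Quick Mode message went unanswered, which is why the responder's log on hp200 is the next place to look.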