https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429963#M732659 Hi,<BR />the ipsec/linux version is:<BR />Linux Openswan U2.6.14/K2.6.18-92.1.18.el5 (netkey)<BR /> Wed, 03 Jun 2009 13:43:42 GMT ATIL VOLKAN YILDIRIM_1 2009-06-03T13:43:42Z https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429959#M732655 hi experts,<BR />has anybody come to make ipsec work between linux and hp-ux.<BR />I used openswan on the linux server, but whatever I try,<BR />the tunnel is not being up...Instead it passes phase 1 but stops in<BR />phase 2.<BR /><BR />My hp-ux(11.31) ipsec(A.02.01.01 )conf is:<BR /><BR />ipsec_config show all <BR /> startup <BR /> -autoboot OFF<BR /> -auditlvl ERROR<BR /> -auditdir /var/adm/ipsec<BR /> -maxsize 100<BR /> -spi_min 0x12c<BR /> -spi_max 0x2625a0<BR /> -spd_soft 25<BR /> -spd_hard 50<BR /><BR /> auth aspendos<BR /> -remote 10.1.121.169/32<BR /> -preshared volkan<BR /> -exchange MM<BR /><BR /> ike aspendos<BR /> -remote 10.1.121.169/32<BR /> -priority 20<BR /> -authentication PSK<BR /> -group 2<BR /> -hash SHA1<BR /> -encryption 3DES<BR /> -life 28800<BR /> -maxqm 100<BR /><BR /> gateway default<BR /> -action FORWARD<BR /><BR /> host aspendos_dene<BR /> -source 0.0.0.0/0/0<BR /> -destination 10.1.121.169/32/0<BR /> -protocol 0<BR /> -priority 30<BR /> -action ESP_AES128_HMAC_SHA1/28800/0<BR /> -flags NONE<BR /><BR /> host default<BR /> -action PASS<BR /><BR /><BR />and my openswan(2.6.14) conf is:<BR /><BR />config setup<BR /> # Debug-logging controls: "none" for (almost) none, "all" for lots.<BR /> # klipsdebug=none<BR /> # plutodebug="control parsing"<BR /> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey<BR /> protostack=netkey<BR /> nat_traversal=no<BR /> interfaces="ipsec0=bond0"<BR /><BR />#include /etc/ipsec.d/*.conf<BR /><BR />conn %default<BR /> auth=esp<BR /> disablearrivalcheck=no<BR /> keyingtries=1<BR /> keylife=1800s<BR /> ikelifetime=28800s<BR /> pfs=no<BR /> #keyexchange=ikev2<BR /><BR />conn deneme<BR /> authby=secret<BR /> left=10.1.121.169<BR /> leftnexthop=10.1.121.254<BR /> right=10.1.121.162<BR /> rightnexthop=10.1.121.254<BR /> auto=add<BR /> compress=no<BR /> #esp=aes128-sha1<BR /> esp=3des-sha1-96<BR /> ike=3des-sha1-96<BR /> type=transport<BR /><BR /><BR /><BR />When I try to bring up the conn, openswan says:<BR />[root@aspendos etc]# ipsec auto --up deneme<BR />104 "deneme" #5: STATE_MAIN_I1: initiate<BR />003 "deneme" #5: ignoring unknown Vendor ID payload [e4e14cf3b8a3fb199581535b94b0d73c]<BR />106 "deneme" #5: STATE_MAIN_I2: sent MI2, expecting MR2<BR />108 "deneme" #5: STATE_MAIN_I3: sent MI3, expecting MR3<BR />004 "deneme" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<BR />117 "deneme" #6: STATE_QUICK_I1: initiate<BR />010 "deneme" #6: STATE_QUICK_I1: retransmission; will wait 20s for response<BR />010 "deneme" #6: STATE_QUICK_I1: retransmission; will wait 40s for response<BR />031 "deneme" #6: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR /><BR /><BR />and in the hp-ux ipsec log file, it writes:<BR />ipsec_report -audit auditMon-Jun--1-07-38-42-2009.log<BR /><BR />----------------------------- Audit Log -------------------------------<BR />Audit File: /var/adm/ipsec/auditMon-Jun--1-07-38-42-2009.log<BR /><BR />Msg: 1 From: IPSEC_ADMIN Lvl: ALERT Date: Mon Jun 1 07:38:42 2009<BR /> Event: Starting up IPSec/9000.<BR /><BR />Msg: 2 From: IKMPD Lvl: ALERT Date: Mon Jun 1 07:38:42 2009<BR /> Event: mip6mod is not running (instance=0).<BR />Msg: 3 From: SECPOLICYD Lvl: ALERT Date: Mon Jun 1 07:38:42 2009<BR /> Event: Found interface: family=2 name = lan901 addr = 10.1.121.162 flag=0x2<BR />Msg: 4 From: IKMPD Lvl: ALERT Date: Mon Jun 1 07:38:42 2009<BR /> Event: Bind address 10.1.121.162 with INET socket 16.<BR />Msg: 5 From: IKMPD Lvl: ERROR Date: Mon Jun 1 07:38:48 2009<BR /> Event: atts GROUP_DESC:Alternate 1024-bit MODP group is not acceptable<BR />Msg: 6 From: IKMPD Lvl: ERROR Date: Mon Jun 1 07:38:48 2009<BR /> Event: Rejected Transform ID: KEY_IKE<BR />Msg: 7 From: IKMPD Lvl: ERROR Date: Mon Jun 1 07:38:48 2009<BR /> Event: Responder cannot get the ID payload for QM negotiation.<BR />Msg: 8 From: IKMPD Lvl: ERROR Date: Mon Jun 1 07:38:48 2009<BR /> Event: Quick Mode verify failed, mess ID 0x9b864ce<BR />Msg: 9 From: IKMPD Lvl: ERROR Date: Mon Jun 1 07:38:58 2009<BR /> Event: Responder cannot get the ID payload for QM negotiation.<BR />Msg: 10 From: IKMPD Lvl: ERROR Date: Mon Jun 1 07:38:58 2009<BR /> Event: Quick Mode verify failed, mess ID 0x9b864ce<BR />Msg: 11 From: IKMPD Lvl: ERROR Date: Mon Jun 1 07:39:18 2009<BR /> Event: Responder cannot get the ID payload for QM negotiation.<BR />Msg: 12 From: IKMPD Lvl: ERROR Date: Mon Jun 1 07:39:18 2009<BR /> Event: Quick Mode verify failed, mess ID 0x9b864ce<BR /><BR />Message Summary:<BR /> Alerts: 4 Errors: 8 Warnings: 0 Informative: 0 Debug: 0 Unknown: 0<BR /><BR />--------------------------- End Audit Log -----------------------------<BR /><BR /><BR />Any helps would be appreciated...<BR /><BR />Thanks... Mon, 01 Jun 2009 04:18:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429959#M732655 ATIL VOLKAN YILDIRIM_1 2009-06-01T04:18:14Z https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429960#M732656 Hi,<BR /><BR />First, it appears the ESP does not match. On HP-UX side it has <BR /><BR />host aspendos_dene<BR />-action ESP_AES128_HMAC_SHA1/28800/0<BR /><BR />On Openswan side it has:<BR /><BR />conn deneme<BR />esp=3des-sha1-96<BR /><BR />Secondly, it would be helpful if the "informative" level logging on hpux side is posted.<BR /><BR />And finally for IPsec support you can follow the support channel and log a support call, the support people can collect more detail info for further investigation.<BR /><BR />Regards,<BR /> Tue, 02 Jun 2009 17:21:40 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429960#M732656 Wenxiao He 2009-06-02T17:21:40Z https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429961#M732657 Hi,<BR />thanks for your reply...aes128 has come from one of my tries I guess, I tried so many things that I should've posted a wrong combination...Anyway, even when using the right parameters the result is the same...<BR /><BR />I guess I'll be calling hp...<BR /><BR />Thanks... Wed, 03 Jun 2009 12:47:41 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429961#M732657 ATIL VOLKAN YILDIRIM_1 2009-06-03T12:47:41Z https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429962#M732658 Shalom,<BR /><BR />Please provide information on the distribution of Linux and the version of IPSEC in use.<BR /><BR /><BR />SEP Wed, 03 Jun 2009 13:34:30 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429962#M732658 Steven E. Protter 2009-06-03T13:34:30Z https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429963#M732659 Hi,<BR />the ipsec/linux version is:<BR />Linux Openswan U2.6.14/K2.6.18-92.1.18.el5 (netkey)<BR /> Wed, 03 Jun 2009 13:43:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/ipsec-between-linux-and-hp-ux/m-p/4429963#M732659 ATIL VOLKAN YILDIRIM_1 2009-06-03T13:43:42Z