<html><head><meta name="qrichtext" content="1" /></head><body style="font-size:8pt;font-family:Bitstream Vera Sans">
<p>Hi folks, I'm having some problems with Openswan and I was hoping someone here could help.</p>
<p></p>
<p>First of all, I'm not a Linux newbie by any means, and I have fairly complete knowledge of networking in general. However, I know very little about the internals of VPN.</p>
<p></p>
<p>My company has a Watchguard machine set up at a colo site. The Windows users seem to be able to communicate with it fine via WUVPN.</p>
<p></p>
<p>I have a home network behind a Linksys Firewall/Router. The machine that I'm trying to get connected is set up as a DMZ host. I really don't know how this should work at all, and so far I've just been guessing, so I'll start with posting my conf and error messages.</p>
<p></p>
<p>/etc/ipsec.conf:</p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono">version 2.0 # conforms to second version of ipsec.conf specification</span></p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono"># basic configuration</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">config setup</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> #interfaces="%defaultroute"</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> interfaces="ipsec0=ath0"</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> nat_traversal=yes</span></p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono"># Add connections here</span></p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono">conn MyCompany</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> keyingtries=0</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> authby=secret</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> left=<Watchguard public IP protected></span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> leftnexthop=<Watchguard gateway protected></span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> leftsubnet=10.0.2.0/24</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">        # I've also tried my router's public IP and Gateway for the next two</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> right=192.168.1.103</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> rightnexthop=192.168.1.1</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> rightsubnet=192.168.1.0/24</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"> auto=add</span></p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono">#Disable Opportunistic Encryption</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">include /etc/ipsec/ipsec.d/examples/no_oe.conf</span></p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono">ipsec.secrets</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">192.168.1.103 <Watchguard IP> : PSK "<PSK protected>"</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono"><Router's Public IP> <Watchguard IP> : PSK "<PSK protected>"</span></p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono">syslog output:</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500: ignoring informational payload, type INVALID_EXCHANGE_TYPE</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500: received and ignored informational message</span></p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono">The above message repeats...</span></p>
<p></p>
<p><span style="font-family:Bitstream Vera Sans Mono">ipsec auto --up MyCompany:</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">104 "MyCompany" #1: STATE_MAIN_I1: initiate</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">010 "MyCompany" STATE_MAIN_I1: retransmission; will wait 20s for response</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response</span></p>
<p><span style="font-family:Bitstream Vera Sans Mono">...repeats infinitely...</span></p>
<p></p>
<p>I don't have admin access (or any access for that matter) to the Watchguard, so I can't give much information from it. However, I've just been told that the only message appearing in the Watchguard log is: </p>
<p></p>
<p>Received invalid exchange type. Was expecting Aggressive mode.</p>
<p></p>
<p>I'm using Openswan 2.4.4 which is supposed to support aggressive mode, no?</p>
<p></p>
<p>Thanks in advance for any help offered.</p>
<p></p>
<p>Lenon Kitchens</p>
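<p>Added example, not part of Lenon's post and not Openswan's own documentation: an ipsec.conf conn that meets the Watchguard's "Was expecting Aggressive mode" with an Aggressive Mode proposal. Openswan 2.4.x supports Aggressive Mode, but only initiates it when the conn sets aggrmode=yes; without that line pluto sends Main Mode (ISAKMP exchange type 2), which is exactly what the peer answers with INVALID_EXCHANGE_TYPE. The IKE/ESP transforms, the @ identifier and the secrets index below are assumptions: Aggressive Mode carries the DH group in the first packet, so ike= must name the single transform the Watchguard is configured for, and rightid must be whatever identity the Watchguard administrator issued for this client.</p>

```ini
# /etc/ipsec.conf -- added example, not the original poster's config.
# Assumes Openswan 2.4.x with Aggressive Mode compiled in.
version 2.0

config setup
    interfaces=%defaultroute      # let pluto pick the interface carrying the default route
    nat_traversal=yes             # client sits behind a Linksys NAT; UDP/4500 encapsulation is needed

conn MyCompany
    keyingtries=0
    authby=secret
    aggrmode=yes                  # the change that addresses INVALID_EXCHANGE_TYPE: exchange type 4, not 2
    # Aggressive Mode permits exactly ONE IKE proposal, because the DH group is
    # committed in the first packet. 3des-sha1-modp1024 is an assumption; set the
    # transform the Watchguard is actually configured for.
    ike=3des-sha1-modp1024
    esp=3des-sha1                 # phase 2 transform, also an assumption
    pfs=no                        # assumption; must match the Watchguard's phase 2 PFS setting
    left=<Watchguard public IP>
    leftsubnet=10.0.2.0/24
    leftid=<Watchguard public IP>
    # Behind NAT the peer sees the router's public address, not 192.168.1.103, so the
    # client identifies itself by name rather than by IP. "@lenon-home" is a placeholder
    # for the identity the Watchguard administrator configured for this user.
    right=%defaultroute
    rightid=@lenon-home
    # rightsubnet is deliberately omitted (assumption: the Watchguard treats this as a
    # mobile-user client, so only the client host itself is tunnelled, not 192.168.1.0/24).
    auto=add

# /etc/ipsec.secrets -- the index must match the identities exchanged in phase 1,
# i.e. the @name above rather than the NATed private address 192.168.1.103:
# <Watchguard public IP> @lenon-home : PSK "<PSK>"
```

<p>After <span style="font-family:Bitstream Vera Sans Mono">ipsec auto --replace MyCompany</span> and <span style="font-family:Bitstream Vera Sans Mono">ipsec auto --up MyCompany</span>, the state names should read STATE_AGGR_I1 rather than STATE_MAIN_I1; if the peer still answers with an informational NO_PROPOSAL_CHOSEN, the single ike= transform does not match what the Watchguard offers. One caveat worth knowing before turning this on: in Aggressive Mode with a PSK, the authentication hashes travel in the clear, so anyone who captures the exchange can brute-force the PSK offline. Use a long, random PSK, keep ipsec.secrets mode 0600, and treat the shared secret as something that needs rotating if a capture is ever suspected.</p>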
</body></html>