<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2802" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2>Jason,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2>Have you had any luck with getting Openswan to work
with Watchguard Firebox II yet?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2>I did this approx. 2 years ago!! and so far as I am aware,
the formula should still work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2>Which version of Firebox software are you using? You will
need at least version 5.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=656101923-17012006><FONT face=Arial
color=#0000ff size=2>I have never used Aggressive mode, but have chosen to use
PSK with LAN-to-LAN networks.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#0000ff
size=2></FONT> </DIV>
<P class=section1 align=left>--<BR>Paul Overton<BR></P><BR>
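<P align=left>An added illustration, not code from this thread or from Openswan: the Python below triages the pluto output Jason quotes further down ("ipsec auto --up my_connection"), decodes the ignored transform tuple with the IKEv1 Oakley attribute values, and states what the aggressive-mode warning and the unanswered STATE_AGGR_I1 imply. That Openswan prints the tuple in the order (encryption, hash, DH group, key length) is an assumption.</P>

```python
import re

# Constructed copy of the pluto lines quoted in the thread ("ipsec auto --up my_connection").
PLUTO_OUTPUT = """\
003 "my_connection" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "my_connection" #1: transform (5,2,2,0) ignored.
112 "my_connection" #1: STATE_AGGR_I1: initiate
010 "my_connection" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
"""

# IKEv1 Oakley attribute values (RFC 2409 Appendix A; AES and groups 5/14 from the IANA registry).
IKE_ENCR = {1: "DES-CBC", 5: "3DES-CBC", 7: "AES-CBC"}
IKE_HASH = {1: "MD5", 2: "SHA1"}
IKE_GROUP = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048"}
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
DROP_RE = re.compile(r"transform \((\d+),(\d+),(\d+),(\d+)\) ignored")

def decode_transform(encr, hash_, group, keylen):
    # Assumption: Openswan prints the tuple as (encryption, hash, DH group, key length).
    parts = [IKE_ENCR.get(encr, f"encr#{encr}"), IKE_HASH.get(hash_, f"hash#{hash_}"),
             IKE_GROUP.get(group, f"group#{group}")]
    if keylen:
        parts.append(f"{keylen}bit")
    return "-".join(parts)

def triage(output):
    # Summarise pluto output: which IKE proposals were dropped and how far the exchange got.
    r = {"conn": None, "aggressive": False, "dropped": [], "last_state": None, "retransmit": False}
    for m in filter(None, map(LINE_RE.match, output.splitlines())):  # skip non-pluto lines
        _code, conn, _sa, msg = m.groups()
        r["conn"] = conn
        r["aggressive"] |= "aggressive mode" in msg
        r["retransmit"] |= "retransmission" in msg
        d = DROP_RE.search(msg)
        if d:
            proposal = decode_transform(*map(int, d.groups()))
            if proposal not in r["dropped"]:
                r["dropped"].append(proposal)  # pluto repeats the line; keep one copy
        if msg.startswith("STATE_"):
            r["last_state"] = msg.split(":", 1)[0]
    return r

def findings(r):
    # Conclusions a reader can draw from a triage() result.
    out = []
    if r["aggressive"] and r["dropped"]:
        out.append("aggressive mode sends one proposal only; never offered: " + ", ".join(r["dropped"]))
    if r["last_state"] == "STATE_AGGR_I1" and r["retransmit"]:
        out.append("no reply reached pluto for AGGR_I1: the peer rejected or ignored the single proposal sent")
    return out
```

Run `findings(triage(PLUTO_OUTPUT))` to see the two conclusions for the quoted log; feed it the output of your own `ipsec auto --up` to check which proposals a peer was never offered.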
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Jason
Green<BR><B>Sent:</B> 16 January 2006 22:55<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] Using Openswan 2.4.0 with
a Watchguard Firebox II<BR></FONT><BR></DIV>
<DIV></DIV>I'm running Openswan U2.4.0/K2.6.12-10-amd64-generic on Ubuntu Breezy
and trying to connect to a Watchguard Firebox II with no success. I have
full access to the router and can make whatever changes are necessary. The
old Interoperating wiki for Watchguard seems quite out of date, since many of
the options on the original mailing post are no longer valid. One
caveat... I'm running this on my Linux box which is behind my Zyxel
Firewall. The Zywall has an option to forward IPSEC requests for
VPNs. This works fine using the Watchguard Windows client MUVPN, but I'm
trying to avoid running Windows.<BR><BR><BR>Here's the list of errors that I get on
my Watchguard System Manager:<BR><BR>From &lt;my remote ip&gt; AG-HDR
ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID<BR>Proposal is unacceptable:
mess_id=0<BR>Sending NO_PROPOSAL_CHOSEN message<BR>Error processing
(sa)<BR>Agresssive Mode processing failed<BR>Header invalid (unable to verify,
msg = ISA_SA)<BR><BR>followed by "Skipping duplicate packet from &lt;my remote
ip&gt;"<BR><BR><BR>And, here is the error I get from running "ipsec auto --up
my_connection":<BR>003 "my_connection" #1: multiple transforms were set in
aggressive mode. Only first one used.<BR>003 "my_connection" #1: transform
(5,2,2,0) ignored.<BR>003 "my_connection" #1: multiple transforms were set in
aggressive mode. Only first one used.<BR>003 "my_connection" #1: transform
(5,2,2,0) ignored.<BR>112 "my_connection" #1: STATE_AGGR_I1: initiate<BR>010
"my_connection" #1: STATE_AGGR_I1: retransmission; will wait 20s for
response<BR><BR><BR>Here's my ipsec.conf file:<BR><BR>version
2.0 # conforms to second version of ipsec.conf
specification<BR><BR># basic configuration<BR>config
setup<BR>
interfaces=%defaultroute<BR>
klipsdebug=none<BR>
plutodebug=none<BR>
uniqueids=yes<BR><BR># Add connections here<BR>conn
my_connection<BR>
type=tunnel<BR>
keyingtries=0<BR>
authby=secret<BR>
left=192.168.1.34 (that is my IP behind my firewall)<BR>
leftnexthop=%defaultroute<BR>
leftid=jave27@gmail.com<BR>
right=&lt;my_server_ip&gt;<BR>
rightsubnet=192.168.0.0/24<BR>
rightid=@gmail.com<BR>
aggrmode=yes<BR>
auto=add<BR>
ike=3des-sha1<BR>
pfs=yes<BR><BR>I've
tried all sorts of combinations, adding other options, getting rid of almost all
of them, but nothing seems to work. Any tips or pointers in the right
direction would be spectacular. Thanks in advance!<BR>
</BODY></HTML>