<span class="q">I really appreciate all your help.<br><br>On Tue, 14 Nov 2006, I wrote:<br><br></span><span class="q">> trying to connect to a Cisco (no idea what model), we get to this:<br>> Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
<br>> Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN<br>><br>> The owner of the Cisco thing tells us that cisco doesn't like quick mode, and<br>> that we have to disable quick mode in openswan.
<br>><br></span>> Does this sound right? And if yes, how would I do it?
<span class="q"><br><br></span><span class="gmail_quote"><span class="q">On 11/14/06, <b class="gmail_sendername">Paul Wouters</b> <<a href="mailto:paul@xelerance.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
paul@xelerance.com</a>> wrote:
</span></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><span class="q"></span><span class="q">Ask the cisco person for the following:
<br><br>Mode (main or aggressive)<br>PFS (yes or no)<br>Phase 1 (3des/aes md5/sha1)<br>Phase 2 (3des/aes md5/sha1)
<br>modp (aka DiffieHellman) group<br>src/dst (aka left/right) type and value of ID's (IP, string, X.509 DN)<br>subnets for src/dst (aka left/right)</span></blockquote><div><br>Re Mode: We're using main mode, and get through all 4 states, up to
<br><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
<br></blockquote></div>And then to I1.<br>I'd assume the main mode is right -- could it still be "aggressive" instead?<br><br>Still trying to get the other params...<br><br><br><div><span class="q"><span class="gmail_quote">
On 11/14/06, <b class="gmail_sendername">Andy Gay</b> <<a href="mailto:andy@andynet.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">andy@andynet.net</a>> wrote:</span></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<span class="q"></span><span class="q">> Does this sound right?
<br>No. Quick mode is also called phase 2, it's where the IPsec SA gets set<br>up.</span></blockquote><div><br>That's what I suspected. <br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<span class="q">As with the previous poster, you evidently have a mismatch with your<br>phase 2 parameters. Check that everything matches.</span></blockquote><div><br>OK. <br></div><br></div><div><span class="q" id="q_10ee7abbcb7a78d2_14">
<br><div><span class="gmail_quote">On 11/14/06, <b class="gmail_sendername">Peter McGill</b> <<a href="mailto:petermcgill@goco.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">petermcgill@goco.net
</a>> wrote:</span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">You obviously have your authentication (phase 1/main mode) configuration
<br>alright, now you need to match your encryption/tunnel/ipsec/phase 2/quick mode,<br>configurations.<br>if you have an ike= line in your openswan conf, try adding a similar esp= line.<br>For example,<br>if ike=3des-sha1-modp1024
<br>set esp=3des-sha1<br>The real problem is the "NO_PROPOSAL_CHOSEN" which means you're<br>not agreeing on what encryption method to use.<br>What does your ISAKMP SA established log line say?<br>Use the same encryption method in your esp line.
</blockquote><div><br> From that log line (quoted above) I get<br><ul><li>auth=OAKLEY_PRESHARED_KEY</li><li>cipher=oakley_3des_cbc_192</li><li>prf=oakley_sha</li><li>group=modp1024</li></ul></div>There's no ike line (I don't think openswan
2.4.4 supports it). I tried adding esp=3des-sha1, but with no luck (still stalls at STATE_QUICK_I1). What should it be?<br><br>Thanks again,<br>/Christian<br></div></span></div><br>
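Added example, not part of the original thread and not Openswan code: a small Python parser that ties each NO_PROPOSAL_CHOSEN notification in a pluto log to the exchange it rejects, and lists the phase 1 parameters already agreed plus the Quick Mode policy flags proposed, so they can be compared against the peer's settings item by item. The sample log is constructed from the lines quoted above; the timestamp and prefix of its first line, and the function and field names, are assumptions.

```python
import re

# Constructed sample built from the pluto lines quoted in the thread; the
# timestamp and '"NYC" #5:' prefix on the first line are assumed.
SAMPLE_LOG = """\
Nov 14 11:09:02 [pluto] "NYC" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

LINE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
P1 = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
QM = re.compile(r"initiating Quick Mode (?P<policy>\S+) \{using isakmp#(?P<isakmp>\d+)\}")


def analyse(log):
    """Return one finding per NO_PROPOSAL_CHOSEN, tied to the exchange it rejects."""
    phase1, quick, findings = {}, {}, []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (m["conn"], int(m["sa"]))
        msg = m["msg"]
        if p := P1.search(msg):
            # Phase 1 (ISAKMP SA) parameters both sides already agreed on.
            phase1[key] = dict(kv.split("=", 1) for kv in p["params"].split())
        elif q := QM.search(msg):
            # Phase 2 policy flags this side proposes, filed under the ISAKMP SA in use.
            quick[(m["conn"], int(q["isakmp"]))] = q["policy"].split("+")
        elif "NO_PROPOSAL_CHOSEN" in msg:
            # Heuristic: a rejection arriving on an ISAKMP SA that already carries
            # a Quick Mode attempt concerns the phase 2 proposal, not phase 1.
            flags = quick.get(key, [])
            findings.append({
                "conn": m["conn"],
                "isakmp_sa": key[1],
                "stage": "phase 2 (Quick Mode)" if flags else "phase 1",
                "phase1": phase1.get(key, {}),
                "proposed_policy": flags,
                "pfs_proposed": "PFS" in flags,
                "compress_proposed": "COMPRESS" in flags,
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```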