<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7653.38">
<TITLE>perhaps peer likes no proposal</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Hey guys,<BR>
I have been struggling with this for a few days now. I've become thoroughly stuck on this on what I believe may be phase2.<BR>
<BR>
I am trying to connect openswan-2.6.19 [left] (and openswan-2.6.19 upto the .19 release) to a WatchGuard Firebox [right].<BR>
<BR>
Many releases ago, this was once possible: <A HREF="http://wiki.openswan.org/index.php/Interop/InteroperatingWatchguard">http://wiki.openswan.org/index.php/Interop/InteroperatingWatchguard</A><BR>
<BR>
Unfortunately following many tutorials and the Paul and Ken book has still left me in the dark.<BR>
<BR>
I have been on the #openswan irc channel and they suggested that "perhaps peer likes no proposal" means I'm not matching IKE or ESP properly. I've checked, double checked, and thrice checked both ends, but I'm still getting stuck.<BR>
<BR>
Settings-wise what is still a mystery to me is the tunnel settings. On the Watchguard end, its configured to give me the virtual IP of a.b.c.d, which puts me on the network w.x.y.z/24. I've tried various rightnexthop/rightsubnet settings, but that does not appear to make any changes to the connection. Am I barking up the wrong tree? Does the tunnel have anything to do with "perhaps peer likes no proposal"?<BR>
<BR>
Any explinations of what the following means would also be much appreciated. I.e. what is STATE_AGGR_I2 trying to achieve?<BR>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2<BR>
localhost pluto[27033]: "myvpn" #1: discarding duplicate packet -- exhausted retransmission; already STATE_AGGR_I2<BR>
<BR>
Thank you in advance guys and gals.<BR>
<BR>
Tudor<BR>
<BR>
# /etc/ipsec.conf - Openswan IPsec configuration file<BR>
version 2.0 # conforms to second version of ipsec.conf specification<BR>
<BR>
config setup<BR>
interfaces=%defaultroute<BR>
nat_traversal=yes<BR>
OE=off<BR>
protostack=netkey<BR>
uniqueids=yes<BR>
<BR>
conn myvpn<BR>
pfs=yes<BR>
authby=secret<BR>
type=tunnel<BR>
aggrmode=yes<BR>
keyexchange=ike<BR>
auth=esp<BR>
ike=aes256-sha1-modp1024<BR>
esp=aes256-sha1;modp1024<BR>
left=10.0.0.128<BR>
leftsubnet=10.0.0.0/24<BR>
leftnexthop=10.0.0.138<BR>
leftid=my@id.com<BR>
right=<vpn.public.ip><BR>
#rightnexthop=a.b.c.d<BR>
rightsubnet=w.x.y.z/24<BR>
rightid=<vpn.public.ip><BR>
auto=start<BR>
<BR>
The output was from rel 2.6.18, but I get the same from 2.6.19.<BR>
<BR>
/var/log/messages<BR>
<BR>
localhost pluto[26477]: shutting down<BR>
localhost pluto[26477]: forgetting secrets<BR>
localhost pluto[26477]: "myvpn": deleting connection<BR>
localhost pluto[26477]: "myvpn" #1: deleting state (STATE_AGGR_I2)<BR>
localhost pluto[26477]: "myvpn": request to delete a unrouted policy with netkey kernel --- experimental<BR>
localhost pluto[26477]: shutting down interface lo/lo ::1:500<BR>
localhost pluto[26477]: shutting down interface lo/lo 127.0.0.1:4500<BR>
localhost pluto[26477]: shutting down interface lo/lo 127.0.0.1:500<BR>
localhost pluto[26477]: shutting down interface eth0/eth0 10.0.0.128:4500<BR>
localhost pluto[26477]: shutting down interface eth0/eth0 10.0.0.128:500<BR>
localhost ipsec__plutorun: Starting Pluto subsystem...<BR>
localhost pluto[27033]: Starting Pluto (Openswan Version 2.6.18; Vendor ID OE}ZvZ@M[OWD) pid:27033<BR>
localhost pluto[27033]: Setting NAT-Traversal port-4500 floating to on<BR>
localhost pluto[27033]: port floating activation criteria nat_t=1/port_float=1<BR>
localhost pluto[27033]: including NAT-Traversal patch (Version 0.6c)<BR>
localhost pluto[27033]: using /dev/urandom as source of random entropy<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)<BR>
localhost pluto[27033]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)<BR>
localhost pluto[27033]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)<BR>
localhost pluto[27033]: starting up 1 cryptographic helpers<BR>
localhost pluto[27034]: using /dev/urandom as source of random entropy<BR>
localhost pluto[27033]: started helper pid=27034 (fd:7)<BR>
localhost pluto[27033]: Using Linux 2.6 IPsec interface code on 2.6.26.5-28.fc8 (experimental code)<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
localhost pluto[27033]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names<BR>
localhost pluto[27033]: ike_alg_add(): ERROR: Algorithm already exists<BR>
localhost pluto[27033]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)<BR>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/cacerts'<BR>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/aacerts'<BR>
localhost pluto[27033]: Changed path to directory '/etc/ipsec.d/ocspcerts'<BR>
localhost pluto[27033]: Changing to directory '/etc/ipsec.d/crls'<BR>
localhost pluto[27033]: Warning: empty directory<BR>
localhost pluto[27033]: Changing back to directory '/tmp' failed - (2 No such file or directory)<BR>
localhost pluto[27033]: Changing back to directory '/tmp' failed - (2 No such file or directory)<BR>
localhost pluto[27033]: added connection description "myvpn"<BR>
localhost pluto[27033]: listening for IKE messages<BR>
localhost pluto[27033]: adding interface eth0/eth0 10.0.0.128:500<BR>
localhost pluto[27033]: adding interface eth0/eth0 10.0.0.128:4500<BR>
localhost pluto[27033]: adding interface lo/lo 127.0.0.1:500<BR>
localhost pluto[27033]: adding interface lo/lo 127.0.0.1:4500<BR>
localhost pluto[27033]: adding interface lo/lo ::1:500<BR>
localhost pluto[27033]: loading secrets from "/etc/ipsec.secrets"<BR>
localhost pluto[27033]: "myvpn": request to add a prospective erouted policy with netkey kernel --- experimental<BR>
localhost pluto[27033]: "myvpn" #1: initiating Aggressive Mode #1, connection "myvpn"<BR>
localhost pluto[27033]: | setting sec: 1<BR>
localhost pluto[27033]: "myvpn" #1: received Vendor ID payload [Dead Peer Detection]<BR>
localhost pluto[27033]: "myvpn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<BR>
localhost pluto[27033]: "myvpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '<vpn.public.ip>'<BR>
localhost pluto[27033]: "myvpn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed<BR>
localhost pluto[27033]: "myvpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '<vpn.public.ip>'<BR>
localhost pluto[27033]: "myvpn" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2<BR>
localhost pluto[27033]: "myvpn" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}<BR>
localhost pluto[27033]: "myvpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:131f6317 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<BR>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2<BR>
localhost pluto[27033]: "myvpn" #1: retransmitting in response to duplicate packet; already STATE_AGGR_I2<BR>
localhost pluto[27033]: "myvpn" #1: discarding duplicate packet -- exhausted retransmission; already STATE_AGGR_I2<BR>
localhost pluto[27033]: "myvpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR>
localhost pluto[27033]: "myvpn" #2: starting keying attempt 2 of at most 3<BR>
Nov 21 18:02:42 localhost pluto[27033]: "myvpn" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #2 {using isakmp#1 msgid:bd4d55d2 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<BR>
localhost pluto[27033]: "myvpn" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<BR>
localhost pluto[27033]: "myvpn" #3: starting keying attempt 3 of at most 3<BR>
localhost pluto[27033]: "myvpn" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #3 {using isakmp#1 msgid:947f04f5 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}<BR>
localhost pluto[27033]: "myvpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal</FONT></P>
<BR>
- --------------------------------------------------------------------<BR>
http://www.aardman.com<BR>
<BR>
______________________________________________________________________<BR>
This message has been checked for all known viruses by the MessageLabs<BR>
</BODY>
</HTML>