<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 03/09/2010 02:25 PM, Michael H. Warfield wrote:
<blockquote cite="mid:1268162728.8210.280.camel@localhost" type="cite">
<pre wrap="">Hey Paul,
On Tue, 2010-03-09 at 13:56 -0500, Paul Wouters wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Tue, 9 Mar 2010, Avesh Agarwal wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
</pre>
</blockquote>
<pre wrap="">Exactly what it says: your cisco does not like the proposals
sent by the openswan end. Verify your cisco side settings (encryption
algo, hash algo and DH groups) against the ones you set with openswan
and see if there is any mismatch.
</pre>
</blockquote>
<pre wrap="">Thanks Avesh. I'm looking. But I can't see the mismatch yet. The Cisco (I'm
told) is set like this:
IPsec Phase I: pre-g2-3des-sha-86400s
IPsec Phase II: pfs2-esp-3des-sha-28800s
</pre>
</blockquote>
<pre wrap="">Is this DH group 2? Also I think "esp" is being obsoleted, so don't use
that. Well, you can try the following:
phase2=esp
phase2alg=3DES-SHA1;modp1024
</pre>
</blockquote>
</blockquote>
<blockquote type="cite">
<pre wrap="">The specs also did not mention whether to use Main Mode or Aggressive Mode.
If this fails, try adding aggrmode=yes
</pre>
</blockquote>
<pre wrap="">
AFAICT, with those Cisco ASA's that's going to be a given. Certainly,
that's all vpnc supports and that's the designated client for them.
Recursing back to earlier discussions around this, the whole single
proposal thing seems problematical and a theme in a number of these
calls, once you get into aggressive mode. We now know that we can, in
fact, generate multiple proposals, provided the DH group is at least
kept constant, since that's what vpnc is doing. Fixing that would seem
to cover a wealth of sins with these Cisco boxes. Any hope for that?
</pre>
</blockquote>
Mostly I have noticed that the "encryption-hash" algo proposal is not the
problem when communicating with Cisco boxes, because in general,
administrators configure more than one "encryption-hash" proposal to
choose from. So mostly the mismatch is the DH group in phase 2 (quick mode),
which cannot be negotiated as per the RFC, and a client must configure
exactly what the server wants. <br>
<br>
Sometimes this may not be a problem, when the server is initiating
phase 2 so that the client knows which DH group the server is expecting (it
seems like that is how vpnc does it). However, in Openswan, if the client
initiates the first phase, most probably the client initiates phase 2
too, and then the Openswan client has to make a choice (or guess, based on
the first phase DH group) what the server might expect. If somehow the server
has configured "different" DH groups for phase 1 and phase 2, mostly
you will get a "NO_PROPOSAL_CHOSEN" message. <br>
<br>
One way to deal with this may be to "retry" with a different DH group if
the first one fails, or to wait a little bit so that the server can initiate
phase 2.<br>
<br>
In summary, I feel that this is not an Openswan issue, but the way the
standard works.<br>
<br>
My 2 cents.<br>
<br>
Avesh<br>
<blockquote cite="mid:1268162728.8210.280.camel@localhost" type="cite">
<pre wrap="">I'm looking at some other aggressive mode and config server issues but I
stuck my nose into that particular stretch of code in pluto and it
looked a little on the intimidating side to just roll my sleeves up
and dig into.
</pre>
<blockquote type="cite">
<pre wrap="">Paul
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
</blockquote>
<br>
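The mismatch Avesh describes (phase 2 DH group that must match the peer exactly, with pluto falling back to the phase 1 group when phase2alg= carries no modp suffix) is easy to check offline before touching the tunnel. The script below is an added example, not code from the thread's posters or from Openswan: it parses the Cisco-side shorthand exactly as quoted above ("pre-g2-3des-sha-86400s", "pfs2-esp-3des-sha-28800s") and an ipsec.conf conn fragment, then reports per phase where encryption, hash or DH group differ. The shorthand parser, the "phase 2 inherits the phase 1 group when pfs=yes" rule, and the conn fragments are assumptions modelled on the thread, not an ASA format specification.<br>
<br>
```python
"""Cross-check Openswan conn settings against a Cisco-style phase spec.

Added example (not from the thread). The Cisco shorthand grammar and the
"phase 2 inherits phase 1 DH group when none is given" rule are assumptions
modelled on the discussion; the group<->modp mapping is the IANA one.
"""
import re

# IANA IKE DH group numbers <-> Openswan modp names
MODP_BY_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
GROUP_BY_MODP = {v: k for k, v in MODP_BY_GROUP.items()}

# Cisco writes "sha" for SHA-1; Openswan writes "sha1"
HASH_ALIASES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}
ENC_NAMES = ("3des", "aes", "aes128", "aes256", "des")


def parse_cisco_phase(spec):
    """Parse e.g. 'pre-g2-3des-sha-86400s' or 'pfs2-esp-3des-sha-28800s'.

    Returns dict(enc, hash, group, lifetime). The DH group comes from the
    'gN' token (phase 1) or the 'pfsN' token (phase 2); None if absent.
    'pre' (PSK auth) and 'esp' carry no algorithm information here.
    """
    out = {"enc": None, "hash": None, "group": None, "lifetime": None}
    for tok in spec.lower().split("-"):
        m = re.fullmatch(r"(g|pfs)(\d+)", tok)
        if m:
            out["group"] = int(m.group(2))
        elif tok in HASH_ALIASES:
            out["hash"] = HASH_ALIASES[tok]
        elif tok in ENC_NAMES:
            out["enc"] = tok
        elif tok.endswith("s") and tok[:-1].isdigit():
            out["lifetime"] = int(tok[:-1])
    return out


def parse_openswan_alg(value):
    """Parse an ike=/phase2alg= value such as '3des-sha1;modp1024'.

    Only the first proposal of a comma-separated list is considered.
    Returns dict(enc, hash, group); group is None when no modp suffix.
    """
    first = value.split(",")[0].strip().lower()
    algs, _, modp = first.partition(";")
    enc, _, hsh = algs.partition("-")
    return {
        "enc": enc or None,
        "hash": HASH_ALIASES.get(hsh, hsh) or None,
        "group": GROUP_BY_MODP.get(modp) if modp else None,
    }


def parse_conn(text):
    """Turn the 'key=value' lines of a conn block into a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            k, _, v = line.partition("=")
            conn[k.strip()] = v.strip()
    return conn


def check_proposals(conn, cisco_p1, cisco_p2):
    """Return a list of mismatch strings; an empty list means settings agree.

    Openswan phase 2 group: an explicit modp in phase2alg= wins; otherwise
    (assumption from the thread) the phase 1 group is reused when pfs=yes,
    which is exactly where the NO_PROPOSAL_CHOSEN mismatches come from.
    """
    ours_p1 = parse_openswan_alg(conn.get("ike", ""))
    ours_p2 = parse_openswan_alg(conn.get("phase2alg", ""))
    theirs_p1 = parse_cisco_phase(cisco_p1)
    theirs_p2 = parse_cisco_phase(cisco_p2)

    pfs = conn.get("pfs", "yes").lower() == "yes"   # Openswan default is yes
    if not pfs:
        ours_p2["group"] = None                    # no DH exchange in phase 2
    elif ours_p2["group"] is None:
        ours_p2["group"] = ours_p1["group"]        # guessed from phase 1

    problems = []
    for phase, ours, theirs in (("phase1", ours_p1, theirs_p1),
                                ("phase2", ours_p2, theirs_p2)):
        for field in ("enc", "hash", "group"):
            if ours[field] != theirs[field]:
                problems.append(
                    f"{phase} {field}: openswan={ours[field]} cisco={theirs[field]}")
    return problems


if __name__ == "__main__":
    # Constructed conn fragments; the Cisco strings are the ones quoted above.
    cisco_p1, cisco_p2 = "pre-g2-3des-sha-86400s", "pfs2-esp-3des-sha-28800s"
    bad = parse_conn("ike=3des-sha1;modp1536\nphase2alg=3des-sha1\npfs=yes")
    good = parse_conn("ike=3des-sha1;modp1024\nphase2alg=3des-sha1;modp1024\npfs=yes")
    print("mismatched conn:", check_proposals(bad, cisco_p1, cisco_p2))
    print("matching conn:  ", check_proposals(good, cisco_p1, cisco_p2))
```
<br>
The mismatched fragment leaves the phase 2 group to be guessed from a phase 1 modp1536, so both phases are flagged against the Cisco's group 2; pinning phase2alg=3DES-SHA1;modp1024, as suggested earlier in the thread, clears the report.<br>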
</body>
</html>