<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-CA link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You’re getting </span>NO_PROPOSAL_CHOSEN<span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>, which means your openswan and cisco configs don’t match, check your encryption algs and subnets match on both ends.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Here’s my working Openswan/Cisco config for example:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Note: Cisco doesn’t support RSA without certificates so I used PSK, as you have also done.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Note: All indents in openswan should be a single tab not multiple spaces, multiple spaces can cause problems.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Openswan ipsec.conf:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>version 2.0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>config setup<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> protostack=netkey<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> oe=no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> nhelpers=0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>conn stmarys-london # you can put all parameters in single conn definition, I used multiple with also= to make changing multiple connection easier.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> also=goco<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> also=london<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> leftsubnet=172.21.0.0/20<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> also=stmarys<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> rightsubnet=172.21.1.0/24<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> auto=start<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>conn london<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> left=207.x.y.18<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> leftsourceip=172.21.3.65<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> leftrsasigkey=0sAQ… # you can ignore this line it’s there to connect to other openswan sites, it’s ignored by stmarys cisco connection.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>conn stmarys<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> right=207.x.y.245<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> authby=secret<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>conn goco<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> ike=aes128-sha1;modp2048 # I also have a lower model cisco switch conn which uses modp1536, since it doesn’t support modp2048.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> phase2=esp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> phase2alg=aes128-sha1;modp2048<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> ikev2=no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> dpddelay=30<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> dpdtimeout=120<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> dpdaction=restart<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Openswan ipsec.secrets:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>207.x.y.18 207.x.y.245 : PSK "TG…"<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Cisco config:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>version 15.1 # for reference<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>crypto isakmp policy 10<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> encr aes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> authentication pre-share<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> group 14<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> lifetime 3600<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>crypto isakmp key TG… address 207.x.y.18 no-xauth<o:p></o:p></span></p><p class=MsoNormal><span lang=FR style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>crypto isakmp aggressive-mode disable<o:p></o:p></span></p><p class=MsoNormal><span lang=FR style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>crypto ipsec transform-set aesset esp-aes esp-sha-hmac<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>crypto map static-map 15 ipsec-isakmp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> set peer 207.x.y.18<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> set security-association lifetime seconds 28800<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> set transform-set aesset<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> set pfs group14<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> match address 133<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>interface Dialer0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> description $FW_OUTSIDE$<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> ip address negotiated<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> ip access-group 104 in<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> crypto map static-map<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>!<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>access-list 104 permit udp any host 207.x.y.245 eq isakmp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>access-list 104 permit esp any host 207.x.y.245<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>access-list 104 permit udp host 207.x.y.18 host 207.x.y.245 eq non500-isakmp<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>access-list 104 permit ip host 207.x.y.18 host 207.x.y.245<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>access-list 133 permit ip 172.21.1.0 0.0.0.255 172.21.0.0 0.0.15.255<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Peter McGill<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Systems Analyst and Administrator<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Gra Ham Energy Limited<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> users-bounces@lists.openswan.org [mailto:users-bounces@lists.openswan.org] <b>On Behalf Of </b>Sam<br><b>Sent:</b> February-01-12 5:21 AM<br><b>To:</b> users@openswan.org; users@lists.openswan.org<br><b>Subject:</b> [Openswan Users] Max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Hi,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I have successfully installed Openswan but there seem to an issue with the connection to the Cisco VPN. From the logs am seeing something like "<b>No acceptable response to our first Quick Mode message: perhaps peer likes no proposal</b>".<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Below is the full log and my config. I will really appreciate your help.<o:p></o:p></p></div><div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>###################### CONFIG #############################<o:p></o:p></p></div><div><p class=MsoNormal>config setup <o:p></o:p></p></div><div><p class=MsoNormal> interfaces=%defaultroute<o:p></o:p></p></div><div><p class=MsoNormal> plutoopts="--perpeerlog"<o:p></o:p></p></div><div><p class=MsoNormal> protostack=netkey<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>conn VPNCon<o:p></o:p></p></div><div><p class=MsoNormal> type=tunnel<o:p></o:p></p></div><div><p class=MsoNormal> authby=secret<o:p></o:p></p></div><div><p class=MsoNormal> Ikelifetime=86400s<o:p></o:p></p></div><div><p class=MsoNormal> phase2=esp<o:p></o:p></p></div><div><p class=MsoNormal> Phase2alg=3des-md5;modp1536<o:p></o:p></p></div><div><p class=MsoNormal> lifetime=3600s<o:p></o:p></p></div><div><p class=MsoNormal> forceencaps=yes<o:p></o:p></p></div><div><p class=MsoNormal> pfs=no<o:p></o:p></p></div><div><p class=MsoNormal> keyexchange=ike<o:p></o:p></p></div><div><p class=MsoNormal> left=1.2.3.4<o:p></o:p></p></div><div><p class=MsoNormal> leftnexthop=%defaultroute<o:p></o:p></p></div><div><p class=MsoNormal> right=5.6.7.8<o:p></o:p></p></div><div><p class=MsoNormal> rightnexthop=%defaultroute<o:p></o:p></p></div><div><p class=MsoNormal> rekey=yes<o:p></o:p></p></div><div><p class=MsoNormal> remote_peer_type=cisco<o:p></o:p></p></div><div><p class=MsoNormal> auto=start<o:p></o:p></p></div><div><p class=MsoNormal>###################################################<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>###################### CONFIG #############################<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 ipsec__plutorun: Starting Pluto subsystem...<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:12241<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: LEAK_DETECTIVE support [disabled]<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: OCF support for IKE [disabled]<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: SAref support [disabled]: Protocol not available<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: SAbind support [disabled]: Protocol not available<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: NSS support [disabled]<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: HAVE_STATSD notification support not compiled in<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: Setting NAT-Traversal port-4500 floating to on<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: port floating activation criteria nat_t=1/port_float=1<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: NAT-Traversal support [enabled]<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: using /dev/urandom as source of random entropy<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: starting up 1 cryptographic helpers<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12248]: using /dev/urandom as source of random entropy<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: started helper pid=12248 (fd:6)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: Using Linux 2.6 IPsec interface code on 2.6.18-194.17.1.el5 (experimental code)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_add(): ERROR: Algorithm already exists<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/cacerts'<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/aacerts'<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: Changed path to directory '/etc/ipsec.d/ocspcerts'<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: Changing to directory '/etc/ipsec.d/crls'<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: Warning: empty directory<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:16 box1 pluto[12241]: added connection description "VPNCon"<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: listening for IKE messages<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:500<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: adding interface eth0/eth0 1.2.3.4.5:4500<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: adding interface lo/lo <a href="http://127.0.0.1:500">127.0.0.1:500</a><o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: adding interface lo/lo <a href="http://127.0.0.1:4500">127.0.0.1:4500</a><o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: adding interface lo/lo ::1:500<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: loading secrets from "/etc/ipsec.secrets"<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: initiating Main Mode<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108 <o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I2: sent MI2, expecting MR2<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [Cisco-Unity]<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [Dead Peer Detection]<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: ignoring unknown Vendor ID payload [3c1f79790ca4ddd867fa2623b80ac34b]<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: received Vendor ID payload [XAUTH]<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:17 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I3: sent MI3, expecting MR3<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:18 box1 pluto[12241]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: Main mode peer ID is ID_IPV4_ADDR: '5.6.7.8'<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:6ca6f49a proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:55:18 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #2: starting keying attempt 2 of an unlimited number<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #2 {using isakmp#1 msgid:91d29c32 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:56:28 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #3: starting keying attempt 3 of an unlimited number<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #3 {using isakmp#1 msgid:fd01f2eb proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<o:p></o:p></p></div><div><p class=MsoNormal>Feb 1 10:57:38 box1 pluto[12241]: "VPNCon" #1: received and ignored informational message<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>###################################################<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></body></html>