[Openswan dev] XAUTH Code for "Domain"

Michael H. Warfield mhw at WittsEnd.com
Tue Jul 5 18:33:38 EDT 2011


On Tue, 2011-07-05 at 18:21 -0400, Paul Wouters wrote: 
> On Tue, 5 Jul 2011, Michael H. Warfield wrote:
> 
> > "Cisco" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> 
> > Really???  Ignore it?  Shouldn't this be a big red letter horns a
> > blaring serious log warning and bitch back through whack and die error?
> > That's a major failure there.  If that's where this problem is, the
> > XAUTH Domain patches are looking better and better.

> Is this past the authentication step? Can you trust that message?

Yes, it's post auth.  We're all the way into the first couple of
quick-mode steps setting up the SA for ESP when it fails.

> Also, what other alternatives do we have then to keep on trying? If this
> is a misconfiguration on the remote end, we're better left trying and
> perhaps they will fix their end.

I don't see we have any alternatives unless we want to try and implement
heuristics in what to try and that wouldn't make sense.  Seems like it's
a misconfiguration on our end but, for the life of me, I can see what it
is.

There's something broken in the phase 2 transaction I'm not
understanding.  I see vpnc is negotiating a phase 2 of AES w/ 256 and
SHA1 without a problem and that's in our proposition list.  I now have 1
ASA that works with us and 3 that refuse to cooperate with the same
configurations and all 4 work with vpnc.

> Paul

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!