[Openswan dev] XAUTH Code for "Domain"
Michael H. Warfield
mhw at WittsEnd.com
Tue Jul 5 18:33:38 EDT 2011

On Tue, 2011-07-05 at 18:21 -0400, Paul Wouters wrote:
> On Tue, 5 Jul 2011, Michael H. Warfield wrote:
>
> > "Cisco" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> >
> > Really??? Ignore it? Shouldn't this be a big red letter horns a
> > blaring serious log warning and bitch back through whack and die error?
> > That's a major failure there. If that's where this problem is, the
> > XAUTH Domain patches are looking better and better.
>
> Is this past the authentication step? Can you trust that message?

Yes, it's post auth. We're all the way into the first couple of
quick-mode steps setting up the SA for ESP when it fails.

> Also, what other alternatives do we have then to keep on trying? If this
> is a misconfiguration on the remote end, we're better left trying and
> perhaps they will fix their end.

I don't see we have any alternatives unless we want to try and implement
heuristics in what to try and that wouldn't make sense. Seems like it's
a misconfiguration on our end but, for the life of me, I can see what it
There's something broken in the phase 2 transaction I'm not
understanding. I see vpnc is negotiating a phase 2 of AES w/ 256 and
SHA1 without a problem and that's in our proposition list. I now have 1
ASA that works with us and 3 that refuse to cooperate with the same
configurations and all 4 work with vpnc.

Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!