[Openswan dev] XAUTH Code for "Domain"

Paul Wouters paul at xelerance.com
Tue Jul 5 19:39:04 EDT 2011


On Tue, 5 Jul 2011, Michael H. Warfield wrote:

>> Is this past the authentication step? Can you trust that message?
>
> Yes, it's post auth.  We're all the way into the first couple of
> quick-mode steps setting up the SA for ESP when it fails.

Oki.

>> Also, what other alternatives do we have then to keep on trying? If this
>> is a misconfiguration on the remote end, we're better left trying and
>> perhaps they will fix their end.
>
> I don't see we have any alternatives unless we want to try and implement
> heuristics

that's why we just keep trying the same thing, and hope the other end "gets fixed".

> in what to try and that wouldn't make sense.  Seems like it's
> a misconfiguration on our end but, for the life of me, I can't see what it
> is.
>
> There's something broken in the phase 2 transaction I'm not
> understanding.  I see vpnc is negotiating a phase 2 of AES w/ 256 and
> SHA1 without a problem and that's in our proposition list.  I now have 1
> ASA that works with us and 3 that refuse to cooperate with the same
> configurations and all 4 work with vpnc.

Make sure you have the right modp. Sometimes Cisco does not like some phase1
thing, but will only silently fail later on. Perhaps you need modp1024 or modp1536
instead of modp2048?

Paul
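As an added illustration of Paul's modp hint (not taken from the thread or from the Openswan project itself), an ipsec.conf conn for an XAUTH client that pins the phase 1 DH group explicitly instead of relying on the default; the peer address and group id are assumed placeholders.

```ini
# Added example, not from the original thread.
# Openswan XAUTH client conn against a Cisco-style gateway.  The peer
# address and the group id are placeholders.
conn cisco-xauth
    keyexchange=ike
    authby=secret
    leftxauthclient=yes
    left=%defaultroute
    leftid=@EXAMPLE_GROUP_ID
    right=203.0.113.1
    # Phase 1: name the DH group explicitly.  A gateway that does not like
    # modp2048 may accept phase 1 and only fail later in quick mode, so
    # try modp1536 or modp1024 here rather than changing the phase 2 line.
    ike=aes256-sha1;modp1536
    # Phase 2: AES-256 / SHA1, the same combination vpnc negotiates.
    esp=aes256-sha1
    pfs=no
    auto=add
```

In main mode several `ike=` proposals can be listed comma-separated so the peer picks a group it accepts; in aggressive mode (`aggrmode=yes`) the KE payload is sent in the first message, so exactly one proposal, and therefore one group, must be chosen.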

