[Openswan Users]
connection between isakmpd and ipsec on linux and this error: "ignoring informational payload, type NO_PROPOSAL_CHOSEN"
foren titze
freeswan at gmx.net
Wed Jan 21 17:13:49 CET 2004
Hello,
I tried to connect from the isakmpd client on Debian Linux to an IPsec server, also on Linux.
I get these messages in ipsec barf:
---
Jan 21 16:45:06 vpn-gate pluto[7467]: packet from 213.11.44.34:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan 21 16:45:15 vpn-gate pluto[7467]: packet from 213.11.44.34:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan 21 16:45:26 vpn-gate pluto[7467]: packet from 213.11.44.34:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan 21 16:45:37 vpn-gate pluto[7467]: packet from 213.11.44.34:500: Informational Exchange is for an unknown (expired?) SA
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: responding to Main Mode
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: Main mode peer ID is ID_IPV4_ADDR: '213.11.44.34'
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: sent MR3, ISAKMP SA established
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #2: responding to Quick Mode
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: received and ignored informational message
Jan 21 16:45:51 vpn-gate pluto[7467]: "testing-sub" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
-----
It should run with PSK. I filled ipsec.secrets with
162.96.19.156 213.11.44.34 : PSK "test222"
The other files are attached!
Could anyone help me? Thx
-------------- next part --------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
#version 2

# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    plutoload=%search
    plutostart=%search
    #overridemtu=1000

conn %default
    keyingtries=1

conn testing-sub
    also=testing
    leftsubnet=192.168.121.0/24
    rightsubnet=192.168.0.0/24
    #auto=add

conn testing
    authby=secret
    right=213.11.44.34
    leftfirewall=no
    rightfirewall=no
    rightnexthop=213.11.44.1
    left=162.96.19.156
    leftnexthop=162.96.19.130
    auto=add
-------------- next part --------------
KeyNote-Version: 2
Comment: This policy accepts ESP SAs from a remote that uses the right password
    $OpenBSD: policy,v 1.6 2001/06/20 16:36:19 angelos Exp $
    $EOM: policy,v 1.6 2000/10/09 22:08:30 angelos Exp $
Authorizer: "POLICY"
Licensees: "vpn-server-test"
Conditions: app_domain == "IPsec policy" &&
    esp_present == "yes" &&
    esp_enc_alg == "null" &&
    remote_id_type == "IPv4 address" &&
    esp_encapsulation == "tunnel" -> "true";

KeyNote-Version: 2
Comment: testverbindung
Licensees: "passphrase:test222"
Authorizer: "vpn-server-test"
Conditions: remote_negotiation_address == "162.096.019.156" &&
    remote_id == "162.096.019.156" &&
    remote_filter_type == "IPv4 subnet" &&
    local_filter_type == "IPv4 subnet" -> "true";
-------------- next part --------------
# $OpenBSD: VPN-east.conf,v 1.13 2003/03/16 08:13:02 matthieu Exp $
# $EOM: VPN-east.conf,v 1.12 2000/10/09 22:08:30 angelos Exp $
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
#
# The network topology of the example net is like this:
#
# 192.168.11.0/24 - west [.11] - 10.1.0.0/24 - [.12] east - 192.168.12.0/24
#
# "west" and "east" are the respective security gateways (aka VPN-nodes).
[General]
Listen-on= 213.11.44.34
[Phase 1]
162.96.19.156= ISAKMP-vpn-server-test
[Phase 2]
Connections= testing
[ISAKMP-vpn-server-test]
Phase= 1
Transport= udp
Address= 162.96.19.156
Local-address= 213.11.44.34
Configuration= Default-main-mode
Authentication= test222
[testing]
Phase= 2
ISAKMP-peer= ISAKMP-vpn-server-test
Configuration= Default-quick-mode
Local-ID= Net-east
Remote-ID= Net-west
#Local-ID
[Net-west]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.121.0
Netmask= 255.255.255.0
[Net-east]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.0.0
Netmask= 255.255.255.0
#######################
#Main mode description
########################
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-MD5
# Quick mode description
########################
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-MD5-PFS-SUITE
#Quick mode protection suites
##############################
# 3DES
[QM-ESP-3DES-MD5-PFS-SUITE]
Protocols= QM-ESP-3DES-MD5-PFS
[QM-ESP-3DES-MD5-SUITE]
Protocols= QM-ESP-3DES-MD5
# Quick mode protocols
#############################
# 3DES
[QM-ESP-3DES-MD5-PFS]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-PFS-XF
[QM-ESP-3DES-MD5]
PROTOCOL_ID= IPSEC_ESP
Transforms= QM-ESP-3DES-MD5-XF
# Quick mode transforms
#############################
# 3DES
[QM-ESP-3DES-MD5-PFS-XF]
TRANSFORM_ID= 3DES
ENCAPSULATION_MODE= TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_MD5
GROUP_DESCRIPTION= MODP_1024
Life= LIFE_600_SECS
[QM-ESP-3DES-MD5-XF]
Life= LIFE_600_SECS
[LIFE_600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 600,450:720
[LIFE_3600_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 3600,1800:7200
[LIFE_86400_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,42200:101500
[LIFE_28800_SECS]
LIFE_TYPE= SECONDS
LIFE_DURATION= 28800,14400:43000
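
Added example, not part of the original post: a Python triage of the pluto lines quoted above that reports how far each connection got and which notify payloads arrived. The sample lines are copied from the excerpt; the verdict strings and the use of "IPsec SA established" as the success marker are assumptions of this example.

```python
import re
from collections import defaultdict

# Lines copied from the pluto excerpt in the post, each re-joined onto one line.
SAMPLE_LOG = '''\
Jan 21 16:45:26 vpn-gate pluto[7467]: packet from 213.11.44.34:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Jan 21 16:45:37 vpn-gate pluto[7467]: packet from 213.11.44.34:500: Informational Exchange is for an unknown (expired?) SA
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: responding to Main Mode
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: sent MR3, ISAKMP SA established
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #2: responding to Quick Mode
Jan 21 16:45:41 vpn-gate pluto[7467]: "testing-sub" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
'''

# Either a per-connection line ("conn" #state: msg) or an unattributed "packet from" line.
LINE = re.compile(r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)" #\d+|packet from (?P<peer>[\d.]+):\d+): (?P<msg>.+)')
NOTIFY = re.compile(r'informational payload, type (\w+)')

def triage(log):
    """Return (per-connection progress, count of packets for unknown SAs per peer)."""
    conns = defaultdict(lambda: {"phase1": False, "quick_mode": False, "ipsec_sa": False, "notifies": []})
    stale = defaultdict(int)
    for m in filter(None, map(LINE.search, log.splitlines())):
        msg = m["msg"]
        if m["peer"]:
            stale[m["peer"]] += "(expired?)" in msg
            continue
        c = conns[m["conn"]]
        c["phase1"] |= "ISAKMP SA established" in msg
        c["quick_mode"] |= "Quick Mode" in msg
        c["ipsec_sa"] |= "IPsec SA established" in msg
        c["notifies"] += NOTIFY.findall(msg)
    return dict(conns), dict(stale)

def verdict(c):
    """Heuristic reading of one connection's progress (an assumption, not pluto's own output)."""
    if not c["phase1"]:
        return "phase 1 (Main Mode) did not complete"
    if c["ipsec_sa"]:
        return "IPsec SA established"
    if c["quick_mode"] and "NO_PROPOSAL_CHOSEN" in c["notifies"]:
        return "phase 1 ok, peer answered Quick Mode with NO_PROPOSAL_CHOSEN"
    return "phase 1 ok, phase 2 incomplete"

if __name__ == "__main__":
    conns, stale = triage(SAMPLE_LOG)
    for name, c in conns.items():
        print(name, "->", verdict(c), c["notifies"])
    print("packets for unknown SAs:", stale)
```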