[Openswan Users] Client not accepting proposals openswan receives fine

Paul Wouters paul at xelerance.com
Mon Sep 13 22:12:07 CEST 2004


On Mon, 13 Sep 2004 ljane at xs4all.nl wrote:

> The client is set up to use aes256 with the sha hash algorithm. When the SA
> expires on the server and openswan proposes to the client, the client does
> not accept one.
> But when the SA expires on the client and it proposes to the server, the
> server accepts the proposal.
>
> Very funny and weird, maybe someone could lighten up a bit about this,
> maybe I oversee something?

It will be easier to say what happens if you provide us with some debug
information, which you can obtain by running 'ipsec barf'.

Probably what is happening is that the proposals are not symmetrical.
The offer of the client is accepted by openswan, but the proposal from
openswan, which one would expect to be the same as the one it got
earlier, is rejected by the client. But when the client's SA expires,
it becomes the same as a 'new' connection.
Another possibility is that Openswan might be accepting an aggressive
mode (instead of main mode) exchange, but Openswan itself will not
start with aggressive mode.

This could be a bug in either openswan or the client. But an ipsec barf
output could show this.

Paul
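
Added example, not part of the original message: a small model of the asymmetry described in the reply above, where a peer accepts more as responder than it offers as initiator. The `Transform`, `Peer`, `rekey` and `mismatches` names and both peers' policies are constructed assumptions, not the poster's configuration or Openswan code.

```python
# Constructed model of proposal selection; every policy value here is an
# assumption for illustration, not the poster's actual configuration.
from typing import NamedTuple, Optional

class Transform(NamedTuple):
    encr: str
    keylen: int   # 0 = cipher carries no key-length attribute
    integ: str

class Peer:
    def __init__(self, name, offers, accepts):
        self.name = name
        self.offers = offers      # ordered list sent when this peer initiates
        self.accepts = accepts    # set tolerated when this peer responds

    def respond(self, proposals) -> Optional[Transform]:
        """Pick the first offered transform this peer accepts, else None."""
        return next((t for t in proposals if t in self.accepts), None)

def rekey(initiator: Peer, responder: Peer) -> Optional[Transform]:
    """Whoever's SA expires first initiates and sends its own offer list."""
    return responder.respond(initiator.offers)

def mismatches(initiator: Peer, responder: Peer) -> dict:
    """For each offer, name the fields that differ from the closest accepted transform."""
    report = {}
    for offer in initiator.offers:
        closest = min(responder.accepts,
                      key=lambda a: sum(x != y for x, y in zip(offer, a)))
        report[offer] = [f for f, x, y in zip(Transform._fields, offer, closest) if x != y]
    return report

AES256_SHA1 = Transform("aes", 256, "sha1")
AES128_SHA1 = Transform("aes", 128, "sha1")
TDES_MD5 = Transform("3des", 0, "md5")

# Client: strict, offers and accepts only aes256 with sha (as in the post).
client = Peer("client", [AES256_SHA1], {AES256_SHA1})
# Server (assumed): accepts aes256-sha1 but its own offer list omits it.
server = Peer("server", [TDES_MD5, AES128_SHA1],
              {TDES_MD5, AES128_SHA1, AES256_SHA1})
# Server with its offer pinned to what the client accepts.
pinned = Peer("server", [AES256_SHA1], server.accepts)

if __name__ == "__main__":
    print("client initiates:", rekey(client, server))
    print("server initiates:", rekey(server, client))
    print("why:", mismatches(server, client))
    print("pinned server initiates:", rekey(pinned, client))
```

In the model, the negotiation succeeds only when the client initiates; the per-field report is the kind of difference to look for when comparing the two sides' proposals in the debug output.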

