[Openswan Users] QuickMode-Error: peer likes no proposal

Jacco de Leeuw jacco2 at dds.nl
Sat Apr 16 01:11:29 CEST 2005


Andreas Schneider wrote:

> I am new with OpenSwan (and even Linux). I am using Suse Linux 9.1 and
> OpenSwan 2.3.0. on a Notebook. I am trying to make a
> roadwarrior-connection to a Windows 2003 Server with IPsec/L2TP.

None of these is behind NAT, right? Because you seem to be using the VPN
on a wireless LAN, and NAT is unusual for that.
I'm just asking because NAT complicates things to some extent.

> I know, it's not polite to send such big mails to a list, 

You could always upload the files to some website and post the links.

> conn wlanfhjena
>        auth=esp
>        authby=rsasig
>        pfs=no
>        left=194.94.37.4
>        leftrsasigkey=%cert
>        leftprotoport=17/1701
>        leftid="root-CA ID"

This can't be right. It seems unlikely that the Windows server is using
the root certificate for its authentication. Normally the CA (which may
even be the same Windows server) issues a separate certificate for the
server.

I suggest you copy the root certificate to /etc/ipsec.d/cacerts/
and then use leftid="server-CA ID" or something like that.

>        right=%defaultroute
>        rightrsasigkey=%cert
>        rightprotoport=17/0

Windows 2003 wants you to use rightprotoport=17/1701 here.

Some other tips can be found at:
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#Client

> Now I am getting this error, but I can't understand it.
> Google isn't really helpful: Most user guides are about connecting a
> Win-client to an OpenSwan-Server. But here's a Suse-client and a Win-Server
> (pfs,esp, etc.).

Well, that's probably because Windows VPN servers are fairly rare :-).
People rather prefer Linux, Unix or dedicated hardware!

> Apr 14 16:20:44 suse pluto[4199]: "wlanfhjena" #1: ignoring
> informational payload, type INVALID_ID_INFORMATION

The other side is rejecting the authentication. If the suggestions
mentioned above don't work, you could ask the admins of the Windows
server to look in their logs.

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
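Putting the two corrections from the reply together, here is how the quoted conn would look after the changes. This is an added example for readers of the archive, not a configuration posted by either participant: leftid now names the Windows server's own certificate rather than the root CA, and rightprotoport matches the L2TP port on the client side as well. The distinguished name string and the client certificate file name are placeholders, and the rightcert= line is an assumption (a client that authenticates with authby=rsasig has to present its own certificate); the directory /etc/ipsec.d/cacerts/ is the one named in the reply.

```ini
# /etc/ipsec.conf on the Suse roadwarrior (Openswan 2.3.0)
# Root CA certificate of the Windows CA copied to /etc/ipsec.d/cacerts/,
# as suggested in the reply.

conn wlanfhjena
        auth=esp
        authby=rsasig
        pfs=no
        # --- Windows 2003 server side ---
        left=194.94.37.4
        leftrsasigkey=%cert
        leftprotoport=17/1701
        # Was: leftid="root-CA ID" -- the server does not authenticate with
        # the root certificate. Use the subject DN of the certificate the CA
        # issued to the server instead (placeholder DN, adjust to yours).
        leftid="C=DE, O=Example Org, CN=vpn.example.invalid"
        # --- Suse client side ---
        right=%defaultroute
        rightrsasigkey=%cert
        # Was: rightprotoport=17/0 -- Windows 2003 expects the L2TP port here.
        rightprotoport=17/1701
        # Assumed addition: the client's own certificate in /etc/ipsec.d/certs/
        # (placeholder file name).
        rightcert=client-cert.pem
```

If the INVALID_ID_INFORMATION messages persist after these changes, the reply's last suggestion still applies: the rejection is decided on the Windows side, so its event log is the place that records which identity or proposal it refused.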

