[Openswan Users]
Netscreen rejecting Phase 2 proposals from openswan
Michael Tinsay
tinsami1 at yahoo.com
Wed Dec 7 10:17:09 CET 2005
Hi all,
I'm stuck here in trying to make openswan connect to a netscreen 5xt appliance. Phase 1 is being accomplished, but fails on Phase 2 with the netscreen log indicating "IKE<w.x.y.z> Phase 2: Rejected proposals from peer. Negotiations failed."
My ipsec.conf:
conn weroam01
    auto=add
    pfs=yes
    authby=secret
    keyingtries=3
    aggrmode=yes
    ike=3des-sha1-modp1024
    #
    # left side = local
    left=%defaultroute
    leftsubnet=192.168.2.0/24
    leftid=@road.warrior
    #
    # right side = netscreen
    right=a.b.c.d
    rightsubnet=10.200.2.0/24
    rightid=@head.office
From the netscreen webui, here are the acceptable proposals:
Name                  PFS         Encap.  Encrypt/Auth  Life Time  Life Size
nopfs-esp-des-md5     No PFS      ESP     DES/MD5       3600       0
nopfs-esp-des-sha     No PFS      ESP     DES/SHA       3600       0
nopfs-esp-3des-md5    No PFS      ESP     3DES/MD5      3600       0
nopfs-esp-3des-sha    No PFS      ESP     3DES/SHA      3600       0
nopfs-esp-aes128-md5  No PFS      ESP     AES128/MD5    3600       0
nopfs-esp-aes128-sha  No PFS      ESP     AES128/SHA    3600       0
g2-esp-des-md5        DH Group 2  ESP     DES/MD5       3600       0
g2-esp-des-sha        DH Group 2  ESP     DES/SHA       3600       0
g2-esp-3des-md5       DH Group 2  ESP     3DES/MD5      3600       0
g2-esp-3des-sha       DH Group 2  ESP     3DES/SHA      3600       0
g2-esp-aes128-md5     DH Group 2  ESP     AES128/MD5    3600       0
g2-esp-aes128-sha     DH Group 2  ESP     AES128/SHA    3600       0
Any help is greatly appreciated.
Thanks in advance.
--- mike t.