[Openswan Users]
Paul Wouters
paul at xelerance.com
Wed Dec 7 17:08:53 CET 2005
On Wed, 7 Dec 2005, Michael Tinsay wrote:
> I'm stuck here in trying to make openswan connect to a netscreen 5xt appliance. Phase 1 is being accomplished, but fails on Phase 2 with the netscreen log indicating "IKE<w.x.y.z> Phase 2: Rejected proposals from peer. Negotiations failed."
>
> My ipsec.conf:
>
> conn weroam01
>     auto=add
>     pfs=yes
>     authby=secret
>     keyingtries=3
>     aggrmode=yes
>     ike=3des-sha1-modp1024
You should specify an esp= line as well.
>     # left side = local
>     left=%defaultroute
>     leftsubnet=192.168.2.0/24
>     leftid=@road.warrior
>     #
>     # right side = netscreen
>     right=a.b.c.d
>     rightsubnet=10.200.2.0/24
>     rightid=@head.office
>
>
> From the netscreen webui, here are the acceptable proposals:
>
> Name PFS Encap. Encrypt/Auth Life Time Life Size Configure
> nopfs-esp-3des-md5
That needs another pfs=no and add esp=3des-md5
Paul
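
An added example, not part of the original thread and not Openswan code: a Python check that compares a conn section against the peer's Phase 2 proposal name, the comparison the reply above makes by eye. The function names and the `<pfs>-<encap>-<encrypt>-<auth>` reading of the proposal name are assumptions, and the sample conn is an abridged copy of the one posted.

```python
import re

# Constructed sample: abridged copy of the conn section quoted in the post.
POSTED_CONN = """\
conn weroam01
    auto=add
    pfs=yes
    authby=secret
    ike=3des-sha1-modp1024
"""

def parse_conn(text):
    """Return the key=value options of one ipsec.conf conn section."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def parse_peer_proposal(name):
    """Split a name such as 'nopfs-esp-3des-md5' into fields (assumed layout)."""
    m = re.fullmatch(r"(nopfs|g\d+)-(esp|ah)-([a-z0-9]+)-([a-z0-9]+)", name)
    if not m:
        raise ValueError(f"unrecognised proposal name: {name}")
    pfs, encap, enc, auth = m.groups()
    return {"pfs": pfs != "nopfs", "encap": encap, "enc": enc, "auth": auth}

def phase2_mismatches(conn_text, peer_proposal):
    """List conn settings that disagree with the peer's Phase 2 proposal."""
    conn = parse_conn(conn_text)
    peer = parse_peer_proposal(peer_proposal)
    yn = lambda flag: "yes" if flag else "no"
    problems = []
    conn_pfs = conn.get("pfs", "yes") == "yes"   # Openswan defaults to pfs=yes
    if conn_pfs != peer["pfs"]:
        problems.append(f"pfs={yn(conn_pfs)} but peer wants pfs={yn(peer['pfs'])}")
    want_esp = f"{peer['enc']}-{peer['auth']}"
    have_esp = conn.get("esp")
    if have_esp is None:
        problems.append(f"no esp= line; add esp={want_esp}")
    elif have_esp.lower() != want_esp:
        problems.append(f"esp={have_esp} but peer wants esp={want_esp}")
    return problems

if __name__ == "__main__":
    for problem in phase2_mismatches(POSTED_CONN, "nopfs-esp-3des-md5"):
        print(problem)
```

The comparison is literal, so algorithm names that the two products spell differently would need a mapping before they are compared.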