[Openswan Users] Openswan (2.1.5) to PIX 515 problems
Paul Wouters
paul at xelerance.com
Thu Mar 3 22:35:23 CET 2005
On Thu, 3 Mar 2005, James Thompson wrote:
> Trying to make this:
>
> 10.0.8.0/24===192.168.0.160---192.168.0.129---192.168.111.20===10.111.66.0/24
> It never connects and I find a NO_PROPOSAL_CHOSEN message in my secure
> log.
> When my ipsec.conf is set (with no changes on the PIX side) to:
>
> left=192.168.0.160
>
> leftnexthop=192.168.0.129
>
> leftsubnet=10.0.7.0/24
>
> The connection is established, however, no packets will route. I assume
> this is because the PIX side is looking for the 10.0.8.0/24 subnet.
Odd.
>
> PIX config file http://users.dls.net/~jim/pix.txt
>
> Ipsec.conf http://users.dls.net/~jim/ipsec_conf.txt
>
> Unsuccessful connect log (correct leftsubnet)
> http://users.dls.net/~jim/broken_log.txt
I see (without debugs):
Mar 3 12:27:37 localhost pluto[27183]: "s2s_naic_01" #1: ISAKMP SA established
Mar 3 12:27:37 localhost pluto[27183]: "s2s_naic_01" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 3 12:27:43 localhost pluto[27183]: "s2s_naic_01" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 3 12:27:45 localhost pluto[27183]: "s2s_naic_01" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
The remote is rejecting your connection. I can see isakmp acceptable
policies in there, but we do get a successful isakmp. I don't see any
phase 2 (ESP) options there. So, taking a wild guess, you can try:
1) add pfs=no
2) add esp=3des-md5
Or, to see what the pix wants, perhaps you can let it initiate to openswan,
so we see what it is asking for.
Paul
> Successful connect log (incorrect leftsubnet)
> http://users.dls.net/~jim/working_log.txt
--
"At best it is a theory, at worst a fantasy" -- Michael Crichton
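The reasoning Paul applies to the four pluto lines (phase 1 completed, Quick Mode initiated, then the peer sent NO_PROPOSAL_CHOSEN, so the mismatch is in the phase 2 proposal) can be turned into a small log triage. The script below is an added example and is not from the thread or the Openswan project; the first sample input is the four pluto lines quoted above, the second is a constructed transcript in which the peer rejects the proposal before ISAKMP completes, and the hints it prints restate the thread's advice (pfs=no, check the esp= transform) plus the symmetric phase 1 check.

```python
import re

# Constructed sample input: the four pluto lines quoted in the thread above.
PHASE2_REJECT_LOG = """\
Mar 3 12:27:37 localhost pluto[27183]: "s2s_naic_01" #1: ISAKMP SA established
Mar 3 12:27:37 localhost pluto[27183]: "s2s_naic_01" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 3 12:27:43 localhost pluto[27183]: "s2s_naic_01" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 3 12:27:45 localhost pluto[27183]: "s2s_naic_01" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

# Constructed contrast case (not from the thread): the peer rejects the proposal
# while Main Mode is still running, i.e. before any ISAKMP SA exists.
PHASE1_REJECT_LOG = """\
Mar 3 12:30:01 localhost pluto[27183]: "s2s_naic_01" #3: initiating Main Mode
Mar 3 12:30:02 localhost pluto[27183]: "s2s_naic_01" #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

# One pluto line looks like: ... pluto[pid]: "conn" #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Policy flags pluto prints when it starts Quick Mode, e.g. PSK+ENCRYPT+TUNNEL+PFS+UP
QM_RE = re.compile(r'initiating Quick Mode (?P<flags>[A-Z+]+)')


def parse_pluto(text):
    """Yield (conn, state_number, message) for every pluto line in the text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group('conn'), int(m.group('state')), m.group('msg')


def diagnose(text, conn):
    """Classify a NO_PROPOSAL_CHOSEN from the peer as a phase 1 or phase 2 mismatch."""
    phase1_up = False
    qm_flags = []
    rejected_in = None
    for c, _state, msg in parse_pluto(text):
        if c != conn:
            continue
        if 'ISAKMP SA established' in msg:
            phase1_up = True
        qm = QM_RE.search(msg)
        if qm:
            qm_flags = qm.group('flags').split('+')
        if 'NO_PROPOSAL_CHOSEN' in msg:
            # If the ISAKMP SA already exists, the peer is rejecting the
            # phase 2 (ESP) proposal; otherwise it is rejecting phase 1.
            rejected_in = 'phase2' if phase1_up else 'phase1'

    hints = []
    if rejected_in == 'phase2':
        hints.append('compare the esp= transform with the peer transform set')
        if 'PFS' in qm_flags:
            hints.append('peer may not accept PFS in Quick Mode; try pfs=no')
    elif rejected_in == 'phase1':
        hints.append('compare the ike= proposal (cipher/hash/DH group) with the peer ISAKMP policy')

    return {
        'phase1_up': phase1_up,
        'quick_mode_flags': qm_flags,
        'rejected_in': rejected_in,
        'hints': hints,
    }


if __name__ == '__main__':
    for label, log in (('thread log', PHASE2_REJECT_LOG),
                       ('constructed phase 1 failure', PHASE1_REJECT_LOG)):
        print(label, diagnose(log, 's2s_naic_01'))
```

Run against the thread's lines it reports rejected_in='phase2' with the PFS flag present, which is exactly why the reply suggests pfs=no and an explicit esp= line; the same check on a log without "ISAKMP SA established" points at the ike= proposal instead.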