[Openswan Users] AES-256 SHA1 Group2

[Paul Wouters]

On Sat, 12 Mar 2005, Xian Zhang wrote:

> I am trying to set up a VPN connection between openswan and checkpoint. I use AES-256, SHA-1, and Diffie-Hellman Group2
>
> I couldn't get phase 1 come up, any help would be greatly appreciated.

> conn TestConnection
>        left=149.xxx.xxx.204
>        leftsubnet=172.xxx.xxx.0/24
>        leftnexthop=149.xxx.xxx.205
>        right=203.xxx.xxx.205
>        rightsubnet=10.xxx.xxx.0/24
>        rightnexthop=%defaultroute
>        ike=aes256-sha!
>        esp=aes256-sha1!

Don't use the old exclamation mark notation. Specifying anything on the
esp= or ike= line is always "restrictive". That is, no other proposals
will be allowed.
Also, do not use 'sha' for 'sha1'. Sha is currently an alias for sha1, but
should not be used with the impeding newer versions of sha (eg sha256).

Also try adding the DH/modp group to your ike/esp line, eg ike=aes256-sha1=modp1024
You can also specifify 'pfsgroup=modp1024' to set the DH group for phase 1 and 2.

> Mar 12 10:17:32 vpngateway ipsec__plutorun: 104 "TestConnection" #1: STATE_MAIN_I1: initiate
> Mar 12 10:17:32 vpngateway ipsec__plutorun: ...could not start conn "TestConnection"

> Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: initiating Main Mode
> Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: received and ignored informational message
> Mar 12 10:30:42 vpngateway pluto[17701]: "TestConnection" #1: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (
> or no acceptable response) to our first IKE message

the other end is rejecting your first proposal, probably because you did not specify
the exact DH group it wanted.
One way of debugging this is to have the other end initiate to you, and see what it
requests to Openswan to use as parameters.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton