[Openswan Users] Openswan <-> Watchguard Firebox
Lenon Kitchens
lenon at sanctuary.org
Sat Nov 19 19:34:23 CET 2005
Hi folks, I'm having some problems with Openswan and I was hoping someone here could help.
First of all, I'm not a Linux newbie by any means, and I have fairly complete knowledge of networking in general. However, I know very little about the internals of VPN.
My company has a Watchguard machine set up at a colo site. The Windows users seem to be able to communicate with it fine via WUVPN.
I have a home network behind a Linksys Firewall/Router. The machine that I'm trying to get connected is set up as a DMZ host. I really don't know how this should work at all, and so far I've just been guessing, so I'll start with posting my conf and error messages.
/etc/ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        #interfaces="%defaultroute"
        interfaces="ipsec0=ath0"
        nat_traversal=yes

# Add connections here
conn MyCompany
        keyingtries=0
        authby=secret
        left=<Watchguard public IP protected>
        leftnexthop=<Watchguard gateway protected>
        leftsubnet=10.0.2.0/24
        # I've also tried my router's public IP and Gateway for the next two
        right=192.168.1.103
        rightnexthop=192.168.1.1
        rightsubnet=192.168.1.0/24
        auto=add

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

ipsec.secrets

192.168.1.103 <Watchguard IP> : PSK "<PSK protected>"
<Router's Public IP> <Watchguard IP> : PSK "<PSK protected>"
syslog output:
Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500: ignoring informational payload, type INVALID_EXCHANGE_TYPE
Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500: received and ignored informational message
The above message repeats...
ipsec auto --up MyCompany:
104 "MyCompany" #1: STATE_MAIN_I1: initiate
010 "MyCompany" STATE_MAIN_I1: retransmission; will wait 20s for response
010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
...repeats infinitely...
I don't have admin access (or any access for that matter) to the Watchguard, so I can't give much information from it. However, I've just been told that the only message appearing in the Watchguard log is:
Received invalid exchange type. Was expecting Aggressive mode.
I'm using Openswan 2.4.4 which is supposed to support aggressive mode, no?
Thanks in advance for any help offered.
Lenon Kitchens
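Added example, not part of the original post and not Openswan code: a small Python triage of the pluto output quoted above, which reads the IKE state name and the peer's notify type to classify why Phase 1 stalls. The function name `diagnose`, the verdict labels and the `NO_PROPOSAL_CHOSEN` branch (a standard ISAKMP notify type that does not appear in the post) are assumptions of this example.

```python
import re
from collections import Counter

# Lines copied from the post above; the peer address stays redacted as posted.
SAMPLE = """\
Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500: ignoring informational payload, type INVALID_EXCHANGE_TYPE
104 "MyCompany" #1: STATE_MAIN_I1: initiate
010 "MyCompany" STATE_MAIN_I1: retransmission; will wait 20s for response
010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
"""

STATE_RE = re.compile(r'"(?P<conn>[^"]+)"(?: #\d+:)? STATE_(?P<mode>MAIN|AGGR)_'
                      r'(?P<role>[IR])(?P<step>\d): (?P<event>\w+)')
NOTIFY_RE = re.compile(r"informational payload, type (?P<type>[A-Z_]+)")
MODE_NAME = {"MAIN": "Main Mode", "AGGR": "Aggressive Mode"}


def diagnose(text):
    """Classify a stalled Phase 1 from pluto syslog and `ipsec auto --up` output."""
    notifies, retrans, last = Counter(), Counter(), None
    for line in text.splitlines():
        n = NOTIFY_RE.search(line)
        if n:
            notifies[n["type"]] += 1
        s = STATE_RE.search(line)
        if s:
            last = (s["mode"], s["role"], int(s["step"]))
            if s["event"] == "retransmission":
                retrans[last] += 1
    if last is None:
        return {"verdict": "no-ike-state-seen"}
    mode, role, step = last
    result = {"mode": MODE_NAME[mode], "state": f"STATE_{mode}_{role}{step}",
              "retransmissions": retrans[last], "peer_notifies": dict(notifies)}
    stalled_first_msg = role == "I" and step == 1 and retrans[last] > 0
    if stalled_first_msg and notifies["INVALID_EXCHANGE_TYPE"]:
        # Peer answered, but refused the exchange type of our first packet.
        result["verdict"] = "exchange-mode-mismatch"
    elif stalled_first_msg and notifies["NO_PROPOSAL_CHOSEN"]:
        result["verdict"] = "proposal-mismatch"
    elif stalled_first_msg and not notifies:
        # Nothing came back at all: filtering, routing, or a silent drop.
        result["verdict"] = "no-response"
    else:
        result["verdict"] = "inconclusive"
    return result
```

On the posted lines this returns `exchange-mode-mismatch` with mode `Main Mode`, which agrees with the Watchguard log line "Was expecting Aggressive mode"; the Openswan conn option that selects Aggressive Mode is `aggrmode=yes`.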