[Openswan Users] Re: Openswan <-> Watchguard Firebox
Lenon Kitchens
lenon at sanctuary.org
Sat Nov 19 19:55:15 CET 2005
Ok, immediately after sending this message I got farther. Now I'm getting a
NO_PROPOSAL_CHOSEN error in my syslog.
Any ideas?
Lenon
On Saturday 19 November 2005 7:34 pm, you wrote:
> Hi folks, I'm having some problems with Openswan and I was hoping someone
> here could help.
>
> First of all, I'm not a Linux newbie by any means, and I have fairly
> complete knowledge of networking in general. However, I know very little
> about the internals of VPN.
>
> My company has a Watchguard machine set up at a colo site. The Windows
> users seem to be able to communicate with it fine via WUVPN.
>
> I have a home network behind a Linksys Firewall/Router. The machine that
> I'm trying to get connected is set up as a DMZ host. I really don't know
> how this should work at all, and so far I've just been guessing, so I'll
> start with posting my conf and error messages.
>
> /etc/ipsec.conf:
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     #interfaces="%defaultroute"
>     interfaces="ipsec0=ath0"
>     nat_traversal=yes
>
> # Add connections here
>
> conn MyCompany
>     keyingtries=0
>     authby=secret
>     left=<Watchguard public IP protected>
>     leftnexthop=<Watchguard gateway protected>
>     leftsubnet=10.0.2.0/24
>     # I've also tried my router's public IP and Gateway for the next two
>     right=192.168.1.103
>     rightnexthop=192.168.1.1
>     rightsubnet=192.168.1.0/24
>     auto=add
>
> #Disable Opportunistic Encryption
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> ipsec.secrets
> 192.168.1.103 <Watchguard IP> : PSK "<PSK protected>"
> <Router's Public IP> <Watchguard IP> : PSK "<PSK protected>"
>
> syslog output:
> Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500: ignoring informational payload, type INVALID_EXCHANGE_TYPE
> Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500: received and ignored informational message
>
> The above message repeats...
>
> ipsec auto --up MyCompany:
> 104 "MyCompany" #1: STATE_MAIN_I1: initiate
> 010 "MyCompany" STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
> 010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
> ...repeats infinitely...
>
> I don't have admin access (or any access for that matter) to the
> Watchguard, so I can't give much information from it. However, I've just
> been told that the only message appearing in the Watchguard log is:
>
> Received invalid exchange type. Was expecting Aggressive mode.
>
> I'm using Openswan 2.4.4 which is supposed to support aggressive mode, no?
>
> Thanks in advance for any help offered.
>
> Lenon Kitchens