[Openswan Users] Re: Openswan <-> Watchguard Firebox

Lenon Kitchens lenon at sanctuary.org
Sat Nov 19 23:46:11 CET 2005


After making some changes to the Watchguard box, I'm now getting past the 
NO_PROPOSAL_CHOSEN error.  However, now I am really and truly stuck.

This is the output of my syslog:

Nov 19 22:01:39 malachai pluto[4429]: "MyCompany" #1: initiating Aggressive 
Mode #1, connection "MyCompany"
Nov 19 22:01:39 malachai pluto[4429]: "MyCompany" #1: Aggressive mode peer ID 
is ID_IPV4_ADDR: '<Watchguard IP>'
Nov 19 22:01:39 malachai pluto[4429]: "MyCompany" #1: Aggressive mode peer ID 
is ID_IPV4_ADDR: '<Watchguard IP>'
Nov 19 22:01:39 malachai pluto[4429]: "MyCompany" #1: transition from state 
STATE_AGGR_I1 to state STATE_AGGR_I2
Nov 19 22:01:39 malachai pluto[4429]: "MyCompany" #1: STATE_AGGR_I2: sent AI2, 
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 
prf=oakley_md5 group=modp1024}
Nov 19 22:01:39 malachai pluto[4429]: "MyCompany" #2: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Nov 19 22:01:42 malachai pluto[4429]: "MyCompany" #1: retransmitting in 
response to duplicate packet; already STATE_AGGR_I2
Nov 19 22:01:45 malachai pluto[4429]: "MyCompany" #1: retransmitting in 
response to duplicate packet; already STATE_AGGR_I2
Nov 19 22:01:48 malachai pluto[4429]: "MyCompany" #1: discarding duplicate 
packet -- exhausted retransmission; already STATE_AGGR_I2
Nov 19 22:02:09 malachai pluto[4429]: packet from <Watchguard IP>:500: 
Informational Exchange is for an unknown (expired?) SA

Also, we kept seeing the following in the watchguard log:
2005-11-19 21:20:48 0 <My Public IP>:500  Received unknown phase one SA. Start 
IKE negotiation to delete it.  //        
2005-11-19 21:20:45 0 <My Public IP>:500  Received unknown phase one SA. Start 
IKE negotiation to delete it.  //        
2005-11-19 21:20:26 0 <My Public IP>:500  IKE Phase one retry timeout, Drop 
Negotiation //        
2005-11-19 21:20:25 0 <My Public IP>:500  Quick Mode: received QM message 
before phase one is completed. //        
2005-11-19 21:20:20 0 <My Public IP>:500  Aggressive mode: failed in 
processing HASH payload. //        
2005-11-19 21:20:20 0 <My Public IP>:500  Aggressive mode: received 3rd 
message. //        
2005-11-19 21:20:17 0 <My Public IP>:500  Aggressive mode: failed in 
processing HASH payload. //

My config hasn't changed from what I posted below.  I'm at the end of my rope 
with this one.  Any help would be greatly appreciated.

Thanks,
  Lenon Kitchens

On Saturday 19 November 2005 7:55 pm, you wrote:
> Ok, immediately after sending this message I got farther.  Now I'm getting
> a NO_PROPOSAL_CHOSEN error in my syslog.
>
> Any ideas?
>
> Lenon
>
> On Saturday 19 November 2005 7:34 pm, you wrote:
> > Hi folks, I'm having some problems with Openswan and I was hoping someone
> > here could help.
> >
> > First of all, I'm not a linux newbie by any means, and I have fairly
> > complete knowledge of networking in general.  However, I know very little
> > about the internals of VPN.
> >
> > My company has a Watchguard machine set up at a colo site.  The windows
> > users seem to be able to communicate with it fine via WUVPN.
> >
> > I have a home network behind a Linksys Firewall/Router.  The machine that
> > I'm trying to get connected is set up as a DMZ host.  I really don't know
> > how this should work at all, and so far I've just been guessing, so I'll
> > start with posting my conf and error messages.
> >
> > /etc/ipsec.conf:
> >
> > version 2.0 # conforms to second version of ipsec.conf specification
> >
> > # basic configuration
> > config setup
> >     #interfaces="%defaultroute"
> >     interfaces="ipsec0=ath0"
> >     nat_traversal=yes
> >
> > # Add connections here
> >
> > conn MyCompany
> >     keyingtries=0
> >     authby=secret
> >     left=<Watchguard public IP protected>
> >     leftnexthop=<Watchguard gateway protected>
> >     leftsubnet=10.0.2.0/24
> >     # I've also tried my router's public IP and Gateway for the next two
> >     right=192.168.1.103
> >     rightnexthop=192.168.1.1
> >     rightsubnet=192.168.1.0/24
> >     auto=add
> >
> > #Disable Opportunistic Encryption
> > include /etc/ipsec/ipsec.d/examples/no_oe.conf
> >
> > ipsec.secrets
> > 192.168.1.103 <Watchguard IP> : PSK "<PSK protected>"
> > <Router's Public IP> <Watchguard IP> : PSK "<PSK protected>"
> >
> > syslog output:
> > Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500:
> > ignoring informational payload, type INVALID_EXCHANGE_TYPE
> > Nov 19 19:25:27 malachai pluto[17596]: packet from <Watchguard IP>:500: received
> > and ignored informational message
> >
> > The above message repeats...
> >
> > ipsec auto --up MyCompany:
> > 104 "MyCompany" #1: STATE_MAIN_I1: initiate
> > 010 "MyCompany" STATE_MAIN_I1: retransmission; will wait 20s for response
> > 010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
> > 010 "MyCompany" #1: STATE_MAIN_I1: retransmission; will wait 40s for response
> > ...repeats infinitely...
> >
> > I don't have admin access (or any access for that matter) to the
> > Watchguard, so I can't give much information from it.  However, I've just
> > been told that the only message appearing in the Watchguard log is:
> >
> > Received invalid exchange type. Was expecting Aggressive mode.
> >
> > I'm using Openswan 2.4.4 which is supposed to support aggressive mode,
> > no?
> >
> > Thanks in advance for any help offered.
> >
> > Lenon Kitchens

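The two logs above sit on either side of the same IKEv1 aggressive-mode exchange: pluto reports the ISAKMP SA established after it verified HASH_R in message 2, while the Watchguard reports a failure processing the HASH payload of message 3 (HASH_I). The following is an added example, not code from the post, Openswan or Watchguard: it computes SKEYID, HASH_I and HASH_R exactly as RFC 2409 section 5.4 defines them for pre-shared-key authentication, using HMAC-MD5 as the prf (the posted log negotiated prf=oakley_md5), and walks the three messages so you can see which peer rejects what when the PSK differs, or when the responder has no PSK for the ID_IPV4_ADDR the initiator sends. The Diffie-Hellman values, cookies, nonces and SA body are random placeholders rather than a real modp1024 exchange, and every address and key in the usage section is made up.

```python
"""IKEv1 aggressive mode with pre-shared-key authentication (RFC 2409 5.4).

Constructed example: HMAC-MD5 is the prf (the posted log shows prf=oakley_md5);
g^x values, cookies, nonces and the SA body are random stand-ins, not a real
modp1024 exchange.  Addresses and keys below are made up.
"""
import hashlib
import hmac
import ipaddress
import os


def prf(key: bytes, data: bytes) -> bytes:
    # prf = HMAC over the negotiated hash; oakley_md5 in the posted log.
    return hmac.new(key, data, hashlib.md5).digest()


def id_ipv4_addr(addr: str) -> bytes:
    """ID payload body for ID_IPV4_ADDR (RFC 2407 4.6.2): ID type 1, protocol
    ID 0, port 0, then the four address octets.  This body is what gets
    hashed, so the address *sent as the ID* is what is authenticated, not the
    source address of the UDP packet (which NAT may rewrite)."""
    return bytes([1, 0, 0, 0]) + ipaddress.IPv4Address(addr).packed


def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni + nr)


def hash_i(psk: bytes, e: dict, idii_b: bytes) -> bytes:
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid(psk, e["ni"], e["nr"]),
               e["gxi"] + e["gxr"] + e["cky_i"] + e["cky_r"] + e["sai_b"] + idii_b)


def hash_r(psk: bytes, e: dict, idir_b: bytes) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid(psk, e["ni"], e["nr"]),
               e["gxr"] + e["gxi"] + e["cky_r"] + e["cky_i"] + e["sai_b"] + idir_b)


def constructed_exchange() -> dict:
    """Placeholder values both peers see on the wire in messages 1 and 2."""
    return {"gxi": os.urandom(128), "gxr": os.urandom(128),  # modp1024-sized
            "cky_i": os.urandom(8), "cky_r": os.urandom(8),
            "ni": os.urandom(16), "nr": os.urandom(16),
            "sai_b": bytes.fromhex("0000000100000001")}       # stand-in SA body


def run_aggressive_mode(initiator_psk: bytes, initiator_id: str,
                        responder_psks: dict, responder_id: str) -> dict:
    """Walk the three aggressive-mode messages and report each peer's verdict.

    responder_psks maps the peer ID the responder expects (dotted IPv4 string)
    to the PSK it would use, the way ipsec.secrets keys PSKs by ID."""
    e = constructed_exchange()
    idii_b = id_ipv4_addr(initiator_id)
    idir_b = id_ipv4_addr(responder_id)

    # Message 1 (I->R): HDR, SA, KE, Ni, IDii.  The responder learns the
    # initiator's claimed ID here and selects a PSK from it.
    r_psk = responder_psks.get(initiator_id)
    if r_psk is None:
        return {"responder_has_psk": False,
                "initiator_accepts_hash_r": False,
                "responder_accepts_hash_i": False}

    # Message 2 (R->I): HDR, SA, KE, Nr, IDir, HASH_R.  The initiator verifies
    # HASH_R with its own PSK; pluto logs "ISAKMP SA established" only after
    # this check passes.
    h_r_wire = hash_r(r_psk, e, idir_b)
    initiator_ok = hmac.compare_digest(h_r_wire, hash_r(initiator_psk, e, idir_b))

    # Message 3 (I->R): HDR, HASH_I.  The responder verifies HASH_I with the PSK
    # it selected from IDii; this is the check that fails when the responder
    # rejects the third aggressive-mode message.
    h_i_wire = hash_i(initiator_psk, e, idii_b)
    responder_ok = hmac.compare_digest(h_i_wire, hash_i(r_psk, e, idii_b))

    return {"responder_has_psk": True,
            "initiator_accepts_hash_r": initiator_ok,
            "responder_accepts_hash_i": responder_ok}


if __name__ == "__main__":
    # Made-up addresses and keys.  The gateway keys its PSK table by the public
    # address it expects; the initiator may identify itself by its private
    # address instead (a right=192.168.1.103 style setup behind NAT).
    gateway_psks = {"203.0.113.10": b"correct-psk"}
    print(run_aggressive_mode(b"correct-psk", "203.0.113.10", gateway_psks, "198.51.100.1"))
    print(run_aggressive_mode(b"wrong-psk", "203.0.113.10", gateway_psks, "198.51.100.1"))
    print(run_aggressive_mode(b"correct-psk", "192.168.1.103", gateway_psks, "198.51.100.1"))
```

Because SKEYID is keyed by the PSK and both hashes cover the SA and ID payloads, a PSK mismatch fails HASH_R at the initiator before message 3 is ever sent, whereas a responder that cannot map the received ID_IPV4_ADDR to a key, or maps it to a different key than the initiator used, fails on HASH_I. Comparing which side logs the failure, and at which message, narrows the search to the PSK table or the ID each side presents.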
