[Openswan Users] OpenSwan Configuration for Manual Keys

Brian Candler B.Candler at pobox.com
Sat Apr 15 09:27:52 CEST 2006

On Fri, Apr 14, 2006 at 08:36:45PM -0500, Jay Potter wrote:
> This is a very new release from windows xp professional with service 
> pack 2 installed (marked 2002). (We just got the MSDN subscription from 
> Microsoft and this version was included - we did not have to install 
> service pack 2 seperately)

Have you applied XP IPSEC policy hotfix?

> When we run the MMC it allows us the choice 
> of either 3des or des /  sha1 or md5.

OK. Well "NO_PROPOSAL_CHOSEN" means that none of the combinations of
(encryption alg + authentication alg + Diffie-Hellman group) offered by one
side was acceptable to the other.

> >>"Sample" #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 
> >>supported.  Attribute OAKLEY_GROUP_DESCRIPTION

That sounds like Windows is asking for some other Diffie-Hellman group (e.g.
768 bits or 2048 bits)

> >>"Sample" #1:  OAKLEY_DES_CBC is not supported.  Attribute 

Sounds like Windows is asking for DES. However, if I remember correctly, an
up-to-date Windows will offer four combinations:

so I'd expect Openswan would accept one of those.

If you run

    tcpdump -i eth0 -n -s1500 -v udp port 500

on the Linux side, you will see the proposals in quite graphic detail.   

Also, you may find it useful to turn on Oakley logging at the Windows side.
Google or search microsoft.com for oakley.log

Anyway, almost all the information you need can be found linked from here:
especially the second document about Windows XP/2000.



More information about the Users mailing list