[Openswan Users] Using Openswan 2.4.0 with a Watchguard Firebox II
Jason Green
jave27 at gmail.com
Mon Jan 16 17:55:25 CET 2006
I'm running Openswan U2.4.0/K2.6.12-10-amd64-generic on Ubuntu Breezy and
trying to connect to a Watchguard Firebox II with no success. I have full
access to the router and can make whatever changes are necessary. The old
Interoperating wiki for Watchguard seems quite out of date, since many of
the options on the original mailing post are no longer valid. One caveat...
I'm running this on my Linux box which is behind my Zyxel Firewall. The
Zywall has an option to forward IPSEC requests for VPNs. This works fine
using the Watchguard Windows client MUVPN, but I'm trying to avoid running
Windows.
Here's the list of errors that I get in my Watchguard System Manager:
From <my remote ip> AG-HDR ISA_SA ISA_KE ISA_NONCE ISA_ID ISA_VENDORID
Proposal is unacceptable: mess_id=0
Sending NO_PROPOSAL_CHOSEN message
Error processing (sa)
Agresssive Mode processing failed
Header invalid (unable to verify, msg = ISA_SA)
followed by "Skipping duplicate packet from <my remote ip>"
And, here is the error I get from running "ipsec auto --up my_connection":
003 "my_connection" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "my_connection" #1: transform (5,2,2,0) ignored.
003 "my_connection" #1: multiple transforms were set in aggressive mode. Only first one used.
003 "my_connection" #1: transform (5,2,2,0) ignored.
112 "my_connection" #1: STATE_AGGR_I1: initiate
010 "my_connection" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
Here's my ipsec.conf file:
version 2.0    # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

# Add connections here
conn my_connection
    type=tunnel
    keyingtries=0
    authby=secret
    left=192.168.1.34    # that is my IP behind my firewall
    leftnexthop=%defaultroute
    leftid=jave27@gmail.com
    right=<my_server_ip>
    rightsubnet=192.168.0.0/24
    rightid=@gmail.com
    aggrmode=yes
    auto=add
    ike=3des-sha1
    pfs=yes
I've tried all sorts of combinations, adding other options, getting rid of
almost all of them, but nothing seems to work. Any tips or pointers to the
right direction would be spectacular. Thanks in advance!