[Openswan Users] Another attempt to get connected to a SonicWALL VPN.

Peter McGill petermcgill at goco.net
Thu Nov 23 09:17:19 EST 2006


> > > - SonicWALL VPN
> > > - ESP 3DES HMAC MD5 (IKE)
> > > - XAUTH authentication is not required.
> 
> > >     esp=3des-md5
> > >     ike=3des-md5
> 
> > > Nov 23 14:09:54 ams pluto[16661]: packet from 66.nnn.nnn.nnn:500:
> > > ignoring informational payload, type NO_PROPOSAL_CHOSEN
> > 
> > This is a configuration error between the two endpoints. You will have to
> > ask more information from the other end. You can try adding "pfs=no".
> 
> Does the ike= entry require a modp suffix perhaps? (i.e.
> ike=3des-md5-modp1024). If so, how would I know which one? I did try the modp1024.

You're probably on the right track. Keep the pfs=no, as Paul suggested; it will still accept PFS
if the other end requests it, but does not require it, so it's the best compatibility mode.
You could also ask the other admin if he's using it or not. Perfect Forward Secrecy is the
full name.
I would also ask the other admin which modp setting he's using, probably called DH
(or Diffie-Hellman) Group 2 (1024) or 5 (1536). There are other groups, but these two are
the most common ones implemented and therefore probably best for vendor interop.
If he's using Group 1 (768 I think), he'll have to change it; Openswan doesn't support it, for
the same reason as single DES: it's weak and insecure.
You would specify them as you did above, ike=3des-md5-modp1024, or ...-modp1536.

Peter McGill
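An added example, not from this thread or from the Openswan project, of how the settings discussed above fit together in an Openswan ipsec.conf conn. The addresses, subnets and pre-shared-key authentication are assumptions; the proposal strings are the ones from the thread.

```ini
# Added example (not from the thread): Openswan ipsec.conf conn for a SonicWALL peer.
# Addresses, subnets and pre-shared-key authentication below are assumptions.
conn sonicwall
    type=tunnel
    keyexchange=ike
    # Phase 1 (IKE): cipher-hash-DHgroup. Must match the SonicWALL IKE (Phase 1) proposal.
    # DH Group 2 = modp1024, DH Group 5 = modp1536; use whichever the other admin reports.
    ike=3des-md5-modp1024
    # Phase 2 (IPsec): cipher-hash for ESP. Must match the IPsec (Phase 2) proposal.
    esp=3des-md5
    # Do not require PFS, but still accept it if the SonicWALL proposes it.
    pfs=no
    # Assumption: both ends share a pre-shared key (see ipsec.secrets); no XAUTH.
    authby=secret
    # Assumption: our public address and LAN.
    left=203.0.113.10
    leftsubnet=192.168.1.0/24
    # Peer address as it appears (redacted) in the pluto log, and an assumed remote LAN.
    right=66.nnn.nnn.nnn
    rightsubnet=10.0.0.0/24
    auto=start
```

If NO_PROPOSAL_CHOSEN persists after this, the mismatch is in whichever of ike= or esp= the peer rejects, so compare each line against the SonicWALL's Phase 1 and Phase 2 settings separately.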
