[Openswan Users] BM 3.8 proposals

Tobias Hadem th at lt-ec.de
Fri Oct 20 10:47:23 EDT 2006


Hello List,

I am trying to make a connection between an Openswan U2.2.0/K2.6.8-3-386 (native) and 
a Novell BorderManager 3.8.

The IKE.LOG (which is nearly the same as the auth.log on Linux) shows the 
following:

10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  HASH Algorithm 
mismatch  mine : SHA  his : MD5   dst : 194.213.50.98  src : 195.39.44.34  
cookies[mine :his]  C086F55898B016BA : EF3606AB00000004
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  HASH Algorithm 
mismatch  mine : SHA  his : MD5   dst : 194.213.50.98  src : 195.39.44.34  
cookies[mine :his]  C086F55898B016BA : EF3606AB00000004
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  DH Group mismatch   
mine : 2     his :  unsupported DH Group 5     dst : 194.213.50.98  src : 
195.39.44.34  cookies[mine :his]  C086F55898B016BA : EF3606AB00000010
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  DH Group mismatch   
mine : 1     his :  unsupported DH Group 5     dst : 194.213.50.98  src : 
195.39.44.34  cookies[mine :his]  C086F55898B016BA : EF3606AB00000010
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  Encryption Algorithm 
mismatch   mine : DES  his : 3DES   dst : 194.213.50.98  src : 195.39.44.34  
cookies[mine :his]  C086F55898B016BA : EF3606AB00000002
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  Encryption Algorithm 
mismatch   mine : DES  his : 3DES   dst : 194.213.50.98  src : 195.39.44.34  
cookies[mine :his]  C086F55898B016BA : EF3606AB00000002
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  Encryption Algorithm 
mismatch   mine : DES  his : 3DES   dst : 194.213.50.98  src : 195.39.44.34  
cookies[mine :his]  C086F55898B016BA : EF3606AB00000002
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  Encryption Algorithm 
mismatch   mine : DES  his : 3DES   dst : 194.213.50.98  src : 195.39.44.34  
cookies[mine :his]  C086F55898B016BA : EF3606AB00000002
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  HASH Algorithm 
mismatch  mine : SHA  his : MD5   dst : 194.213.50.98  src : 195.39.44.34  
cookies[mine :his]  C086F55898B016BA : EF3606AB00000004
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My 
lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  HASH Algorithm 
mismatch  mine : SHA  his : MD5   dst : 194.213.50.98  src : 195.39.44.34  
cookies[mine :his]  C086F55898B016BA : EF3606AB00000004
It looks like they have different ideas about their proposals. My ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        #klipsdebug=all
        #plutodebug=all
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!10.0.0.0/255.255.0.0,%v4:!172.16.0.0/255.255.0.0,%v4:!192.168.1.0/255.255.255.0,%v4:!192.168.100.0/24
# Add connections here

conn as
        keyingtries=1
        disablearrivalcheck=no
        auto=start
        authby=secret
        keyexchange=ike
        ikelifetime=240m
        type=tunnel
        auth=esp
        pfs=yes
        compress=no
        keylife=60m
        left=192.168.1.20
        leftnexthop=%defaultroute
        leftsubnet=172.50.0.0/16
        right=x.x.x.x
        rightsubnet=192.168.100.0/24


#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf


The connection is not being set up as you might think ;-)

I didn't use any esp= or ike= directives, but I think that is where the problem is.
Can anybody give me a hint what to insert in esp= and ike= when the log 
says things like "mismatch  mine : SHA  his : MD5  "?


I can supply extended logfiles from both sides if needed.

Thanks in advance.

Regards,

Tobi

-- 
--------------------------------------------------------- 
Tobias Hadem                            th at lt-ec.de
LT-ec service & solutions               http://www.lt-ec.de
fon +49 (0)911 97791355                 fax +49 (0)911 97791358
Benno-Strauss-Strasse 5                 D-90763 Fürth/Bay.

new thinking for a new era in Fürth - Berlin - Seattle
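The warnings in the post are terse and repeated once per transform, which makes it easy to misread which side offered what. As an added example (not from the original post, and not code from Openswan or BorderManager), the following Python parser reads IKE.LOG "Proposal mismatch" lines and summarises, per attribute, what the logging side ("mine") accepts and what the peer ("his") offered. The sample lines are the ones from the post, re-joined onto single lines as the mail client had wrapped them; the regex and the field names are assumptions based only on the log format shown above. Note that a mismatch line records just the attribute that failed for one transform, so the "his" sets are a lower bound on what the peer offered, not its full proposal list.

```python
import re

# Constructed sample: the IKE.LOG lines from the post, each re-joined onto a
# single line. The BorderManager side logs its own value as "mine" and the
# peer's (Openswan) value as "his".
SAMPLE_LOG = """\
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  HASH Algorithm mismatch  mine : SHA  his : MD5   dst : 194.213.50.98  src : 195.39.44.34  cookies[mine :his]  C086F55898B016BA : EF3606AB00000004
10-20-2006 1:57:11 pm IKE SA NEGOTIATION: Peer lifetime = 14400 My lifetime=14400
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  DH Group mismatch   mine : 2     his :  unsupported DH Group 5     dst : 194.213.50.98  src : 195.39.44.34  cookies[mine :his]  C086F55898B016BA : EF3606AB00000010
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  DH Group mismatch   mine : 1     his :  unsupported DH Group 5     dst : 194.213.50.98  src : 195.39.44.34  cookies[mine :his]  C086F55898B016BA : EF3606AB00000010
10-20-2006 1:57:11 pm Warn :Proposal mismatch  PHASE 1  Encryption Algorithm mismatch   mine : DES  his : 3DES   dst : 194.213.50.98  src : 195.39.44.34  cookies[mine :his]  C086F55898B016BA : EF3606AB00000002
"""

# Assumed layout of a mismatch line, derived from the sample above:
#   Warn :Proposal mismatch  PHASE <n>  <attribute> mismatch  mine : <v>  his : <v>  dst : <ip>  src : <ip> ...
MISMATCH_RE = re.compile(
    r"Warn :Proposal mismatch\s+PHASE (?P<phase>\d)\s+(?P<attr>.+?) mismatch\s+"
    r"mine :\s*(?P<mine>.+?)\s+his :\s*(?P<his>.+?)\s+"
    r"dst :\s*(?P<dst>\S+)\s+src :\s*(?P<src>\S+)"
)


def parse_mismatches(log_text):
    """Return one dict per 'Proposal mismatch' line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if not m:
            continue
        his = m.group("his")
        unsupported = False
        # "unsupported DH Group 5" means the peer offered group 5 and this
        # side does not implement it at all; keep just the group number.
        if his.startswith("unsupported"):
            unsupported = True
            his = his.split()[-1]
        events.append({
            "phase": int(m.group("phase")),
            "attr": m.group("attr"),
            "mine": m.group("mine"),
            "his": his,
            "unsupported": unsupported,
            "dst": m.group("dst"),
            "src": m.group("src"),
        })
    return events


def summarize(events):
    """Collapse the repeated warnings into, per attribute, the values this side
    accepts ('mine'), the values the peer offered ('his'), and which of the
    peer's values this side flagged as unsupported outright."""
    summary = {}
    for e in events:
        s = summary.setdefault(
            e["attr"], {"mine": set(), "his": set(), "unsupported": set()}
        )
        s["mine"].add(e["mine"])
        s["his"].add(e["his"])
        if e["unsupported"]:
            s["unsupported"].add(e["his"])
    return summary


def report(summary):
    """Human-readable lines, one per attribute, for the admin comparing configs."""
    lines = []
    for attr in sorted(summary):
        s = summary[attr]
        line = "%s: this side accepts %s; peer offered %s" % (
            attr, sorted(s["mine"]), sorted(s["his"]))
        if s["unsupported"]:
            line += " (not implemented here: %s)" % sorted(s["unsupported"])
        lines.append(line)
    return lines


if __name__ == "__main__":
    for line in report(summarize(parse_mismatches(SAMPLE_LOG))):
        print(line)
```

Run against the sample, the report shows the BorderManager side accepting DES, SHA and DH groups 1 and 2 while the peer's failing transforms carried 3DES, MD5 and DH group 5, which this side does not implement. That is the information an ike= line on the Openswan side has to be reconciled with; whichever overlap is chosen, single DES and MD5 are long deprecated for IKE and the cookie pairs in the log are what lets you correlate these warnings with the matching pluto entries on the Linux side.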

