[Openswan Users] Openswan issues

Peter McGill petermcgill at goco.net
Thu Apr 19 09:14:23 EDT 2007 

> -----Original Message-----
> From: Kenneth Bergholm [mailto:kenneth.bergholm at tidax.se] 
> Sent: April 19, 2007 2:12 AM
> To: petermcgill at goco.net
> Subject: SV: [Openswan Users] Openswan issues
> 
> Here is the configuration on strongswan FW
> 
> conn fw-fw3
> 	# Left security gateway, subnet behind it, next hop 
> toward right.
> 	leftcert="/etc/ipsec.d/fw1.x.pem"
> 	
> leftid="/C=SE/ST=Uppland/O=xxxxx/CN=minus.xxxxx.se/Email=root@
> minus.x.se"
> 	leftrsasigkey=%cert
> 	# RSA 2048 bits   fw   Mon Feb 11 03:57:24 2002
> 	left=x.x.70.130
> 	leftsubnet=x.x.100.0/24
> 	leftnexthop=x.x.70.129
> 	leftupdown=
> 	# Right security gateway, subnet behind it, next hop 
> toward left.
> 	
> rightid="/C=SE/ST=Uppland/O=xxxxx/CN=fw3.x.se/Email=root at minus.x.se"
> 	rightcert="/etc/ipsec.d/fw3.x.pem"
> 	rightrsasigkey=%cert
> 	# RSA 2048 bits   fw2   Tue Feb 19 16:26:23 2002
> 	right=x.x.70.211
> 	rightsubnet=x.x.3.0/24
> 	rightnexthop=x.x.70.209
> 	pfs=yes
> 	# To authorize this connection, but not actually start it, at
> startup,
> 	# uncomment this.
> 	auto=start
> 
> Here is the conf for openswan Fw
> 
> conn fw-fw3
> 	# Left security gateway, subnet behind it, next hop 
> toward right.
> 	leftcert="/etc/ipsec.d/fw1.x.pem"
> 	
> leftid="/C=SE/ST=Uppland/O=xxxxx/CN=xxxxx.tidax.se/Email=root@
> minus.x.se"
> 	leftrsasigkey=%cert
> 	# RSA 2048 bits   fw   Mon Feb 11 03:57:24 2002
> 	left=x.x.70.130
> 	#leftsubnet=192.168.0.0/24
> 	leftsubnet=x.x.100.0/24
> 	leftnexthop=x.x.70.129
> 	leftupdown=
> 	# Right security gateway, subnet behind it, next hop 
> toward left.
> 	
> rightid="/C=SE/ST=Uppland/O=xxxx/CN=fw3.x.se/Email=root at minus.x.se"
> 	rightcert="/etc/ipsec.d/fw3.x.pem"
> 	rightrsasigkey=%cert
> 	# RSA 2048 bits   fw2   Tue Feb 19 16:26:23 2002
> 	right=x.x.70.211
> 	rightsubnet=x.x.3.0/24
> 	rightnexthop=x.x.70.209
> 	pfs=yes
> 	# To authorize this connection, but not actually start it, at
> startup,
> 	# uncomment this.
> 	auto=start

Offhand I don't see anything wrong here.
I'd try Paul's suggestions, especially upgrading if you can.

You could also try setting ike=3des-md5-1024 and esp=3des-md5 in both confs,
This should force them to use stronger encryption, incase one or the other
Is trying to use older crypto. They should both support 3des, md5, group 2(1024).

As far as I know you can still use left or right for whichever side of the
Connection you want, but it is traditional to use left for the local side,
And right for the remote side, so you could try switching left and right for
The conf on fc3, but it may not change anything.

Peter

> 
> -----Ursprungligt meddelande-----
> Från: Peter McGill [mailto:petermcgill at goco.net] 
> Skickat: den 18 april 2007 17:04
> Till: kenneth.bergholm at tidax.se
> Kopia: users at openswan.org
> Ämne: RE: [Openswan Users] Openswan issues
> 
> > -----Original Message-----
> > Date: Wed, 18 Apr 2007 08:15:03 +0200
> > From: "Kenneth Bergholm" <kenneth.bergholm at tidax.se>
> > Subject: [Openswan Users] Openswan issues
> > To: <users at openswan.org>
> > 
> > I'm having big problems with Openswan and vpn access against 
> > two different
> > offices.
> > 
> > The Vpn tunnel. The other office has a Linux firewall with 
> > Stronswan Ipsec
> > (using certificates).
> > 
> > Our current firewall at our office are running Freeswan 1.99 
> > and works fine
> > against the Strongswan ipsec firewall.
> > 
> > The thing is that I wan't to change firewall to the new one 
> > with Openswan
> > 
> > When I got the watchguard tunnel to work, I added the 
> > configuration from the
> > old firewall (1.99) to new Openswans firewalls ipsec.conf.
> > 
> > I also copied the certificates and edited the ipsec.secrets 
> > to be correct...
> > But I don't get it to work!!!
> > 
> > Apr 18 07:28:02 tidaxIpcop pluto[3223]: "fw-fw3" #8: sending 
> > notification
> > NO_PROPOSAL_CHOSEN to 212.181.91.211:500
> 
> This is your error NO_PROPOSAL_CHOSEN, it refers to a configuration
> Problem, the two sides do not match somewhere, could we see your
> Strongswan and openswan conf files? You may fake/replace your public
> ips, And keys for security, but we need to see your other settings.
> 	leftsubnet=
> 	rightsubnet=
> 	ike=
> 	esp=
> 	pfs=
> 	aggrmode=
> 	and your key's/certs all must match.
> These are the most common settings to cause this error but there may
> Be others, please send us your confs for review, if you cannot find
> The discrepancy.

More information about the Users mailing list