[Openswan Users] Unknown parameter name "ike"

Andy Gay andy at andynet.net
Wed Apr 25 10:14:48 EDT 2007 

On Wed, 2007-04-25 at 09:57 +0200, steve.morard at epfl.ch wrote:
> Hello !
> 
> I'm trying to connect to a remote gateway, but I get the message:
> 
> NO-PROPOSAL-CHOSEN

> I guess that's because I didn't specify the algorithms in ipsec.conf. 
Maybe. Also could be some mismatch of left/right subnet, PFS etc.. 

> So I tried
> to do that and now my ipsec.conf looks like that
> 
> version 2.0
> 
> 
> config setup
>         nat_traversal=yes
> 
> conn try
>         left=172.18.112.7
> 
>         right=x.x.x.x
>         rightsubnet=172.25.8.8/29
> 
>         pfs=yes
>         auth=esp
>         esp=aes128-md5,aes128-sha1
>         ike=aes128-sha1-modp1024,aes128-md5-modp1024
>         authby=secret
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> Unfortunately when I execute ipsec auto -add try, I get the following error:
that should be '--add', of course.
> 
> ipsec_auto: fatal error in "toFT": (/etc/ipsec.conf, line 26) unknown parameter
> name "ike"
> 
> Do you have any idea why the parameter ike is not recognized?

Check the formatting of your file. For instance, it looks like you have
blank lines within your conn section, that's not permitted, but I would
expect a different error. Make sure there's white space at the start of
each line within the section. You may have some weird nonprinting
characters in the file - run a hexdump or something similar to be sure.

You showed us a conn section called "try", this message is referring to
a conn "toFT". Is line 26 this actual "ike=" entry?

BTW - you probably don't need the 'ike=' parameter, I think 'no proposal
chosen' errors mean the peers can't agree in phase 2, which could be due
to mismatched esp algorithms, left/right subnets, PFS, probably other
stuff I've forgotten. But I could be wrong. If you show us more context
from your logs we may be able to help more, but if you see "ISAKMP SA
established" in your logs, then phase 1 has completed OK and your ike
algorithms are good.

> 
> Thank you
> 
> Best regards
> 
> Steve
> 
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>

More information about the Users mailing list