[Openswan Users] openswan to Instagate

Peter McGill petermcgill at goco.net
Fri Jun 1 09:27:08 EDT 2007


> Date: Thu, 31 May 2007 15:02:59 -0400
> From: ACasella <antony.casella at sand.com>
> Subject: Re: [Openswan Users] openswan to Instagate
> To: users <users at openswan.org>
> 
> Thank you for your reply.  I've tried the suggested configuration and
> I'm not getting anything different back from the instagate appliance.
> I've turned on "debug" mode on the instagate and this is the output:
> 
> Is there any other debugging information that I can provide from the
> openswan side that might be of help?

On the openswan machine, execute the following and copy the results into
the message body:
ipsec --version
and
ipsec verify

Also, make sure that plutodebug and klipsdebug are both set to none in your conf.
(Normally there is enough info in the normal logs; debug options just make them
longer and harder to read, so leave them off unless asked to set them.)
Then, restart openswan and attempt to connect again.
Use the following to find the logs:
egrep -e 'pluto' /var/log/*
Send us the full pluto logs for your last restart and connection attempt
that you just did, in the message body too.

Peter

> On Thu, 2007-05-31 at 14:39 -0400, Peter McGill wrote:
> > > Date: Thu, 31 May 2007 14:11:46 -0400
> > > From: ACasella <antony.casella at sand.com>
> > > Subject: [Openswan Users] openswan to Instagate
> > > To: users at openswan.org
> > > 
> > > I'm trying to interconnect a host-to-host connection to an instagate
> > > firewall appliance (basically it looks like it runs either free or
> > > openswan on redhat).
> > > 
> > > I think I am falling short on the IKE/ESP settings on the openswan side
> > > in my configuration as I cannot initiate the connection.
> > > 
> > > When I initiate an ipsec auto --up host-to-host from my openswan server,
> > > the instagate appliance responds with NO_PROPOSAL_CHOSEN:
> > > 
> > > The instagate has limited choices for various IKE, DH and SPF.
> > > 
> > > The defaults are:  3DES enc, SHA-1 auth, DH2
> > > and             :  3DES enc, MD5 auth, DH2
> > > Strict PFS is disabled.
> > > Key refresh is 24 hours
> > > And key management is preshared key.
> > > 
> > > My conf is
> > > 
> > > conn host-to-host
> > >     type=tunnel
> > >     authby=secret
> > >     left=207.61.yyy.yyy
> > >     leftid=@yyyy
> > >     leftnexthop=%defaultroute
> > >     right=72.55.xxx.xxx
> > >     rightid=@xxxx
> > >     rightnexthop=%defaultroute
> > >     esp=3des-md5-96,3des-sha1
> > >     keyexchange=    ike
> > >     pfs=            no
> > >     auto=add
> > 
> > 	ike=3des-sha1-modp1024,3des-md5-modp1024
> > 	esp=3des-sha1,3des-md5
> > 	keyexchange=ike
> > 	pfs=no
> > 
> > Specify the above ike and esp lines, also I'm not sure if
> > the whitespace after the = on the keyexchange and pfs
> > lines matters or not so I took it out.
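The NO_PROPOSAL_CHOSEN in this thread is the peer saying that none of the IKE or ESP proposals it was sent is on its accepted list. The following is an added example, not part of the thread and not Openswan's own parser: a small Python check that reads an Openswan-style ike= or esp= list and a peer's accepted list and reports which local proposals the peer would take, in the order they are offered. The Instagate lists (3DES with SHA-1 or MD5, DH group 2, PFS off) are constructed here from the description in the thread; the alias tables for DH group and hash spellings, and the treatment of a -96 suffix as the usual 96-bit HMAC truncation, are this example's assumptions.

```python
"""Proposal-overlap check for an Openswan ike=/esp= line against a peer.

A peer answers NO_PROPOSAL_CHOSEN when none of the proposals it is sent is in
its accepted list, so the first thing to check is whether the two lists share
at least one (enc, auth, group) tuple in the order Openswan would send them.

Assumptions (example code, not from the thread or from Openswan's parser):
  * DH groups may be written Openswan-style (modp1024) or appliance-style (DH2);
  * an auth token followed by a bare number (md5-96, sha1-96) is the 96-bit
    truncation that plain md5/sha1 already mean, so the number is dropped;
  * with pfs=no an ESP proposal carries no group, and a peer list written
    without groups means the same thing.
"""
from collections import namedtuple

Proposal = namedtuple("Proposal", "enc auth group")

# Diffie-Hellman group spellings seen in Openswan config and on appliances.
GROUP_ALIASES = {
    "modp768": "modp768", "dh1": "modp768",
    "modp1024": "modp1024", "dh2": "modp1024",
    "modp1536": "modp1536", "dh5": "modp1536",
    "modp2048": "modp2048", "dh14": "modp2048",
}
# Hash spellings: "sha" and "sha-1" (split into "sha", "1") both mean sha1.
AUTH_ALIASES = {"md5": "md5", "sha": "sha1", "sha1": "sha1"}


def parse_proposal(text, phase):
    """Parse one 'enc-auth[-trunc][-group]' item into a Proposal."""
    tokens = text.strip().lower().split("-")
    if len(tokens) < 2:
        raise ValueError("proposal needs at least enc-auth: %r" % text)
    enc = tokens[0]
    auth = AUTH_ALIASES.get(tokens[1], tokens[1])
    group = None
    for extra in tokens[2:]:
        if extra.isdigit():
            # the 96 in md5-96 (or the 1 in sha-1): HMAC truncation, not a group
            continue
        if extra in GROUP_ALIASES:
            group = GROUP_ALIASES[extra]
        else:
            raise ValueError("unknown token %r in %r" % (extra, text))
    if phase == "ike" and group is None:
        # Openswan fills in a default group here; insist on an explicit one
        # rather than guess which default a given version uses.
        raise ValueError("ike proposal %r has no DH group; write one out" % text)
    return Proposal(enc, auth, group)


def parse_list(text, phase):
    """Parse a comma-separated ike= or esp= value, keeping the offer order."""
    return [parse_proposal(item, phase) for item in text.split(",") if item.strip()]


def accepted_by_peer(local_text, peer_text, phase):
    """Return the local proposals the peer accepts, in the order the local
    side offers them; an empty list is the NO_PROPOSAL_CHOSEN case."""
    peer = set(parse_list(peer_text, phase))
    return [p for p in parse_list(local_text, phase) if p in peer]


# Constructed input from the thread: the Instagate's IKE options (3DES with
# SHA-1 or MD5, DH group 2) and its ESP options with PFS off (no group).
INSTAGATE_IKE = "3des-sha1-dh2,3des-md5-dh2"
INSTAGATE_ESP = "3des-sha1,3des-md5"

if __name__ == "__main__":
    # The poster's esp= line: the -96 suffix is harmless, both proposals match.
    print(accepted_by_peer("3des-md5-96,3des-sha1", INSTAGATE_ESP, "esp"))
    # The suggested ike= line: both match, 3des-sha1-modp1024 is taken first.
    print(accepted_by_peer("3des-sha1-modp1024,3des-md5-modp1024", INSTAGATE_IKE, "ike"))
    # Offering only group 5: nothing in common, the peer answers NO_PROPOSAL_CHOSEN.
    print(accepted_by_peer("3des-sha1-modp1536", INSTAGATE_IKE, "ike"))
```

The check only tells you whether the lists overlap; it says nothing about whether the overlap is a good choice. 3DES with MD5 or SHA-1 and DH group 2 (1024-bit MODP) were the minimum on offer in 2007 and are not acceptable settings for a new tunnel today, so treat a match on these as a compatibility finding, not an endorsement.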
