[Openswan Users] openswan to Instagate

ACasella antony.casella at sand.com
Fri Jun 1 13:48:44 EDT 2007


Thank you for your response.  Instagate only has a web interface to the
device for administration, so there is no other way to get configuration
information other than a GUI.  Below is my best attempt to translate
this to text.  I have sent logs of openswan in another post:


Name
Available  Enabled
Network  Local Host to Remote Host
Key Management  Automatic (Shared Secret)

Network Settings
  Remote Host IP Address

Key Management Settings
  Shared Secret
I also have a button for IKE and IPSEC

For IKE
IKE Settings
  Key Refresh  Hours Minutes  or  KB
  Strict PFS  Enabled
  Aggressive Mode  Enabled

Proposals
  High Security / High Performance / Custom

Available
  3DES Enc, MD5 Auth, DH 1
  3DES Enc, SHA-1 Auth, DH 1
  AES 128-bit Enc, MD5 Auth, DH 1
  AES 128-bit Enc, MD5 Auth, DH 2
  AES 128-bit Enc, SHA-1 Auth, DH 1
  AES 128-bit Enc, SHA-1 Auth, DH 2
  AES 192-bit Enc, MD5 Auth, DH 1
  AES 192-bit Enc, MD5 Auth, DH 2
  AES 192-bit Enc, SHA-1 Auth, DH 1
  AES 192-bit Enc, SHA-1 Auth, DH 2
  AES 256-bit Enc, MD5 Auth, DH 1
  AES 256-bit Enc, MD5 Auth, DH 2
  AES 256-bit Enc, SHA-1 Auth, DH 1
  AES 256-bit Enc, SHA-1 Auth, DH 2
  DES Enc, MD5 Auth, DH 1
  DES Enc, MD5 Auth, DH 2
  DES Enc, SHA-1 Auth, DH 1
  DES Enc, SHA-1 Auth, DH 2

Active
  3DES Enc, SHA-1 Auth, DH 2
  3DES Enc, MD5 Auth, DH 2

Changes to Proposals will affect other VPNs: host-to-host


For IPSEC button:

IPSec Settings
  Key Refresh  Hours Minutes  or  KB
  PFS  Disabled / Group 1 / Group 2

Proposals
  Proposal  High Security / High Performance / Custom

Available
  No Enc, MD5 Auth
  No Enc, SHA-1 Auth
  AES 128-bit Enc, MD5 Auth
  AES 128-bit Enc, SHA-1 Auth
  AES 192-bit Enc, MD5 Auth
  AES 192-bit Enc, SHA-1 Auth
  AES 256-bit Enc, MD5 Auth
  AES 256-bit Enc, SHA-1 Auth
  DES Enc, MD5 Auth
  DES Enc, SHA-1 Auth

Active
  3DES Enc, SHA-1 Auth
  3DES Enc, MD5 Auth


I apologize for the messiness of this post.


Antony Casella

On Fri, 2007-06-01 at 09:07 -0400, Andy Gay wrote:
> On Thu, 2007-05-31 at 14:11 -0400, ACasella wrote:
> 
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate **** RECEIVED  FIRST MESSAGE OF MAIN MODE **** 
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate <POLICY: > PAYLOADS: SA,PROP,TRANS,TRANS,TRANS,TRANS,VID,VID,VID,VID,VID,VID,VID
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate ERROR# NO MATCHING ISAKMP PROPOSAL FOR DIALUP CASE
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate SENDING NOTIFY MSG:
> > 2007 May 31 13:49:17 instagate NO_PROPOSAL_CHOSEN
> 
> I've not seen or used one of these appliances, so this is just a guess.
> But I wonder if by "dialup case" it means what everyone else calls
> "roadwarrior". In other words, it can't identify the peer so it's trying
> to find a roadwarrior config to use, but you don't have one configured.
> 
> If that's the case, then probably your config has a mismatch in the peer
> identities and/or IP addresses. Can you show us any details of the
> Instagate configuration? You may want to try removing the left/rightid
> settings in your ipsec.conf.
> 
> Can you also please post the Openswan logs.
> 
> 
> > The instagate has limited choices for various IKE, DH and SPF.
> > 
> > The defaults are:  3DES enc,SHA-1 auth,DH2 
> > and 		:  3DES enc, MD5 auth, DH2
> > Strict PFS is disabled.
> > Key refresh is 24 hours
> > And key management is preshared key.
> > 
> > My conf is
> > 
> > conn host-to-host
> >     type=tunnel
> >     authby=secret
> >     left=207.61.yyy.yyy
> >     leftid=@yyyy
> >     leftnexthop=%defaultroute
> >     right=72.55.xxx.xxx
> >     rightid=@xxxx
> >     rightnexthop=%defaultroute
> >     esp=3des-md5-96,3des-sha1
> >     keyexchange=    ike
> >     pfs=            no
> >     auto=add
> > 
> > What conf settings am I getting wrong in this set up?
> 
> > 
> > Thank you
> > 
> > Antony Casella
> 
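
The "Active" proposal lists in this message can be written as explicit Openswan ike= and esp= lines and compared with the posted conn. The following is an added example, not part of the original post or of Openswan; it assumes the GUI's "DH 1" and "DH 2" are IKE groups 1 and 2 (modp768 and modp1024), and all function names are hypothetical.

```python
import re
# Standard IKE DH group numbers as Openswan modp names (assumed GUI "DH n" = group n).
DH = {"1": "modp768", "2": "modp1024"}
ENC = {"3DES": "3des", "DES": "des", "AES 128-bit": "aes128",
       "AES 192-bit": "aes192", "AES 256-bit": "aes256"}
AUTH = {"MD5": "md5", "SHA-1": "sha1"}
LABEL = re.compile(r"^(.+?) Enc, (MD5|SHA-1) Auth(?:, DH ([12]))?$")

def to_openswan(label):
    """Translate one GUI proposal label into an ike=/esp= token."""
    m = LABEL.match(label.strip())
    if not m or m.group(1) not in ENC:
        raise ValueError(f"unrecognised proposal label: {label!r}")
    parts = [ENC[m.group(1)], AUTH[m.group(2)]]
    if m.group(3):
        parts.append(DH[m.group(3)])
    return "-".join(parts)

def conn_options(conf_text):
    """Map each key=value line of a conn section to its comma-separated values."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            opts[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return opts

def check(conf_text, ike_active, esp_active):
    """For ike= and esp=, list appliance proposals the conn does not name."""
    opts = conn_options(conf_text)
    report = {}
    for key, labels in (("ike", ike_active), ("esp", esp_active)):
        tokens = [to_openswan(l) for l in labels]
        # Ignore a hash truncation suffix such as the "-96" in 3des-md5-96.
        have = {re.sub(r"-96$", "", t) for t in opts.get(key, [])}
        report[key] = {"line": f"{key}=" + ",".join(tokens),
                       "missing": [t for t in tokens if t not in have]}
    return report

# Values copied from the thread: the posted conn (abridged) and the "Active" lists.
CONF = """conn host-to-host
    esp=3des-md5-96,3des-sha1
"""
IKE_ACTIVE = ["3DES Enc, SHA-1 Auth, DH 2", "3DES Enc, MD5 Auth, DH 2"]
ESP_ACTIVE = ["3DES Enc, SHA-1 Auth", "3DES Enc, MD5 Auth"]

if __name__ == "__main__":
    print(check(CONF, IKE_ACTIVE, ESP_ACTIVE))
```

A conn with no ike= line leaves Openswan on its built-in default proposals, so "missing" here means not named explicitly in the conn, not necessarily mismatched.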


