[Openswan Users] openswan to Instagate
ACasella
antony.casella at sand.com
Fri Jun 1 13:48:44 EDT 2007
Thank you for your response. Instagate only has a web interface to the
device for administration so there is no other way to get configuration
information other than a GUI. Below is my best attempt to translate
this to text. I have sent logs of openswan in another post:
Name
Available Enabled
Network
Local Host to Remote Host
Key Management
Automatic (Shared Secret)
Network Settings
Remote Host IP Address
Key Management Settings
Shared Secret
I also have a button for IKE and IPSEC
For IKE
IKE Settings Key Refresh Hours Minutes or KB Strict PFS Enabled
Aggressive Mode Enabled
Proposals
High Security
High Performance
Custom
Available:
  3DES Enc, MD5 Auth, DH 1
  3DES Enc, SHA-1 Auth, DH 1
  AES 128-bit Enc, MD5 Auth, DH 1
  AES 128-bit Enc, MD5 Auth, DH 2
  AES 128-bit Enc, SHA-1 Auth, DH 1
  AES 128-bit Enc, SHA-1 Auth, DH 2
  AES 192-bit Enc, MD5 Auth, DH 1
  AES 192-bit Enc, MD5 Auth, DH 2
  AES 192-bit Enc, SHA-1 Auth, DH 1
  AES 192-bit Enc, SHA-1 Auth, DH 2
  AES 256-bit Enc, MD5 Auth, DH 1
  AES 256-bit Enc, MD5 Auth, DH 2
  AES 256-bit Enc, SHA-1 Auth, DH 1
  AES 256-bit Enc, SHA-1 Auth, DH 2
  DES Enc, MD5 Auth, DH 1
  DES Enc, MD5 Auth, DH 2
  DES Enc, SHA-1 Auth, DH 1
  DES Enc, SHA-1 Auth, DH 2
Active:
  3DES Enc, SHA-1 Auth, DH 2
  3DES Enc, MD5 Auth, DH 2
Changes to Proposals will affect other VPNs: host-to-host
For IPSEC button:
IPSec Settings
Key Refresh
Hours Minutes or KB
PFS Disabled Group 1 Group 2
Proposals Proposal High Security High Performance Custom
Available:
  No Enc, MD5 Auth
  No Enc, SHA-1 Auth
  AES 128-bit Enc, MD5 Auth
  AES 128-bit Enc, SHA-1 Auth
  AES 192-bit Enc, MD5 Auth
  AES 192-bit Enc, SHA-1 Auth
  AES 256-bit Enc, MD5 Auth
  AES 256-bit Enc, SHA-1 Auth
  DES Enc, MD5 Auth
  DES Enc, SHA-1 Auth
Active:
  3DES Enc, SHA-1 Auth
  3DES Enc, MD5 Auth
I apologize for the messiness of this post.
Antony Casella
On Fri, 2007-06-01 at 09:07 -0400, Andy Gay wrote:
> On Thu, 2007-05-31 at 14:11 -0400, ACasella wrote:
>
> > 2007 May 31 13:49:17 instagate
> > 2007 May 31 13:49:17 instagate **** RECEIVED FIRST MESSAGE OF MAIN MODE ****
> > 2007 May 31 13:49:17 instagate
> > 2007 May 31 13:49:17 instagate <POLICY: > PAYLOADS: SA,PROP,TRANS,TRANS,TRANS,TRANS,VID,VID,VID,VID,VID,VID,VID
> > 2007 May 31 13:49:17 instagate
> > 2007 May 31 13:49:17 instagate ERROR# NO MATCHING ISAKMP PROPOSAL FOR DIALUP CASE
> > 2007 May 31 13:49:17 instagate
> > 2007 May 31 13:49:17 instagate SENDING NOTIFY MSG:
> > 2007 May 31 13:49:17 instagate NO_PROPOSAL_CHOSEN
>
> I've not seen or used one of these appliances, so this is just a guess.
> But I wonder if by "dialup case" it means what everyone else calls
> "roadwarrior". In other words, it can't identify the peer so it's trying
> to find a roadwarrior config to use, but you don't have one configured.
>
> If that's the case, then probably your config has a mismatch in the peer
> identities and/or IP addresses. Can you show us any details of the
> Instagate configuration? You may want to try removing the left/rightid
> settings in your ipsec.conf.
>
> Can you also please post the Openswan logs.
>
>
> > The instagate has limited choices for various IKE, DH and SPF.
> >
> > The defaults are: 3DES enc,SHA-1 auth,DH2
> > and : 3DES enc, MD5 auth, DH2
> > Strict PFS is disabled.
> > Key refresh is 24 hours
> > And key management is preshared key.
> >
> > My conf is
> >
> > conn host-to-host
> >     type=tunnel
> >     authby=secret
> >     left=207.61.yyy.yyy
> >     leftid=@yyyy
> >     leftnexthop=%defaultroute
> >     right=72.55.xxx.xxx
> >     rightid=@xxxx
> >     rightnexthop=%defaultroute
> >     esp=3des-md5-96,3des-sha1
> >     keyexchange= ike
> >     pfs= no
> >     auto=add
> >
> > What conf settings am I getting wrong in this set up?
>
> >
> > Thank you
> >
> > Antony Casella
> >
> >
>
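
Added example, not part of the original thread: a small Python helper that turns the Instagate GUI proposal labels listed above into Openswan `ike=` / `esp=` strings, so the proposals on both ends can be compared line by line. The function names are hypothetical; it assumes DH 1 and DH 2 are the standard IKE groups (modp768 and modp1024) and uses the `cipher-hash;modpgroup` form from the ipsec.conf man page.

```python
import re

# GUI label -> Openswan algorithm name. Single DES and "No Enc" are left
# unmapped on purpose so they are reported instead of silently translated.
CIPHERS = {"3DES": "3des", "AES 128-bit": "aes128",
           "AES 192-bit": "aes192", "AES 256-bit": "aes256"}
HASHES = {"MD5": "md5", "SHA-1": "sha1"}
DH_GROUPS = {"1": "modp768", "2": "modp1024"}  # assumption: standard IKE groups

PROPOSAL = re.compile(
    r"^\s*(?P<enc>.+?) Enc,\s*(?P<auth>MD5|SHA-1) Auth"
    r"(?:,\s*DH\s*(?P<dh>\d+))?\s*$")

def to_openswan(label):
    """Translate one GUI label; return None when it cannot be mapped."""
    m = PROPOSAL.match(label)
    if not m or m["enc"] not in CIPHERS:
        return None
    algo = CIPHERS[m["enc"]] + "-" + HASHES[m["auth"]]
    if m["dh"] is None:          # IPSec (ESP) proposals carry no DH group
        return algo
    if m["dh"] not in DH_GROUPS:
        return None
    return algo + ";" + DH_GROUPS[m["dh"]]

def conf_line(keyword, labels):
    """Build an ipsec.conf line ('ike' or 'esp') from a list of GUI labels."""
    mapped = [to_openswan(label) for label in labels]
    bad = [l for l, m in zip(labels, mapped) if m is None]
    if bad:
        raise ValueError("no Openswan mapping for: " + "; ".join(bad))
    return keyword + "=" + ",".join(mapped)

# The "Active" lists as transcribed in the post.
IKE_ACTIVE = ["3DES Enc, SHA-1 Auth, DH 2", "3DES Enc, MD5 Auth, DH 2"]
ESP_ACTIVE = ["3DES Enc, SHA-1 Auth", "3DES Enc, MD5 Auth"]

if __name__ == "__main__":
    print(conf_line("ike", IKE_ACTIVE))
    print(conf_line("esp", ESP_ACTIVE))
```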