[Openswan Users] Problem with authentication ?
Paul Wouters
paul at xelerance.com
Sun Mar 4 23:00:05 EST 2007
On Sun, 4 Mar 2007, Salvatore wrote:
> Hi, I use kernel 2.6.16.11 (with fedora core 4), openswan 2.4.5 with nat-t
> and klips patch, and xl2tp-1.1.06, occasionally with road connection I have
> a problem, in log file:
> Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4:
> responding to Main Mode from unknown peer 213.45.xxx.xxx
> Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: policy does not allow
> OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
> Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4:
> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
> Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4:
> OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
> Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: no
> acceptable Oakley Transform
> Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: sending
> notification NO_PROPOSAL_CHOSEN to 213.45.xxx.xxx:500
> config setup
>     authby=secret
> conn left-road
>     auto=add
>     authby=secret
>     pfs=no
>     rekey=no
>     left=81.yyy.yyy.yyy
>     leftnexthop=81.yyy.yyy.zzz
>     leftprotoport=17/1701
>     right=%any
>     rightprotoport=17/1701
>     rightsubnet=vhost:%no,%priv
> include /etc/ipsec.d/examples/no_oe.conf
Looks like the client tried to do RSA (authby=rsasigkey) instead of PSK
(authby=secret) and it tried to use single DES which openswan rejected.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
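
The reading of the log given in the reply above can be automated. The following is an added example, not part of the original thread and not Openswan code: it groups pluto's rejection messages per negotiation and reports what the peer offered that was refused. The regular expressions and the function names `summarize` and `diagnose` are assumptions written against the message wording quoted in this thread.

```python
import re
from collections import defaultdict

# The pluto lines quoted in the thread, unwrapped to one entry per line.
SAMPLE_LOG = '''\
Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: responding to Main Mode from unknown peer 213.45.xxx.xxx
Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: policy does not allow OAKLEY_RSA_SIG authentication. Attribute OAKLEY_AUTHENTICATION_METHOD
Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: OAKLEY_DES_CBC is not supported. Attribute OAKLEY_ENCRYPTION_ALGORITHM
Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: no acceptable Oakley Transform
Mar 4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: sending notification NO_PROPOSAL_CHOSEN to 213.45.xxx.xxx:500
'''

# Patterns follow the message wording shown above (assumption: other pluto
# versions may word these messages differently).
ENTRY = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
AUTH_REFUSED = re.compile(r'policy does not allow (OAKLEY_\w+) authentication')
UNSUPPORTED = re.compile(r'(OAKLEY_\w+) is not supported')

def summarize(log_text):
    """Collect Main Mode rejection reasons per (connection, peer, state number)."""
    found = defaultdict(lambda: {"auth_refused": set(), "unsupported": set(), "rejected": False})
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # not a per-connection pluto entry
        key = (m["conn"], m["peer"], int(m["state"]))
        msg = m["msg"]
        if (hit := AUTH_REFUSED.search(msg)):
            found[key]["auth_refused"].add(hit.group(1))
        elif (hit := UNSUPPORTED.search(msg)):
            found[key]["unsupported"].add(hit.group(1))  # set() collapses repeats
        elif "NO_PROPOSAL_CHOSEN" in msg:
            found[key]["rejected"] = True
    return dict(found)

def diagnose(log_text):
    """Return one readable line per negotiation that ended in NO_PROPOSAL_CHOSEN."""
    report = []
    for (conn, peer, state), r in sorted(summarize(log_text).items()):
        if not r["rejected"]:
            continue
        reasons = [f"peer offered {a}, which the connection policy refuses" for a in sorted(r["auth_refused"])]
        reasons += [f"peer offered {c}, which this pluto does not support" for c in sorted(r["unsupported"])]
        report.append(f"{conn} {peer} #{state}: " + "; ".join(reasons or ["no reason logged"]))
    return report

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG)))
```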