[Openswan Users] Problem with authentication ?

Paul Wouters paul at xelerance.com
Tue Mar 6 15:42:40 EST 2007


On Tue, 6 Mar 2007, Salvatore wrote:

It is the combination. Client and server do not agree on the proposal.

> Date: Tue, 6 Mar 2007 21:27:19 +0100
> From: Salvatore <sasa at shoponweb.it>
> Cc: users at openswan.org
> To: Paul Wouters <paul at xelerance.com>
> Subject: Re: [Openswan Users] Problem with authentication ?
>
> ..sorry for my insistence, but I haven't understood where the problem in my
> connection is: is the problem on the VPN client or the VPN server?
> Thanks.
>
> ------
> Salvatore.
>
> ----- Original Message ----- From: "Paul Wouters" <paul at xelerance.com>
> To: "Salvatore" <sasa at shoponweb.it>
> Cc: <users at openswan.org>
> Sent: Monday, March 05, 2007 5:00 AM
> Subject: Re: [Openswan Users] Problem with authentication ?
>
>
> > On Sun, 4 Mar 2007, Salvatore wrote:
> >
> > > Hi, I use kernel 2.6.16.11 (with fedora core 4), openswan 2.4.5 with nat-t
> > > and klips patch, and xl2tp-1.1.06, occasionally with road connection I have
> > > a problem, in log file:
> >
> > > Mar  4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: responding to Main Mode from unknown peer 213.45.xxx.xxx
> > > Mar  4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: policy does not allow OAKLEY_RSA_SIG authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
> > > Mar  4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
> > > Mar  4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
> > > Mar  4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: no acceptable Oakley Transform
> > > Mar  4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: sending notification NO_PROPOSAL_CHOSEN to 213.45.xxx.xxx:500
> >
> > > config setup
> >
> > > authby=secret
> >
> > > conn left-road
> > > auto=add
> > > authby=secret
> > > pfs=no
> > > rekey=no
> > > left=81.yyy.yyy.yyy
> > > leftnexthop=81.yyy.yyy.zzz
> > > leftprotoport=17/1701
> > > right=%any
> > > rightprotoport=17/1701
> > > rightsubnet=vhost:%no,%priv
> > > include /etc/ipsec.d/examples/no_oe.conf
> >
> > Looks like the client tried to do RSA (authby=rsasigkey) instead of PSK
> > (authby=secret) and it tried to use single DES which openswan rejected.
> >
> > Paul
> > --
> > Building and integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
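
An added example, not part of the original thread and not Openswan code: a small Python triage script that groups the pluto lines quoted above by connection, peer and state number, and reports which offered attributes were refused before NO_PROPOSAL_CHOSEN was sent. The sample log is reconstructed from the quoted lines, and the regular expressions assume exactly that message wording.

```python
import re
from collections import defaultdict

# Constructed sample: the pluto lines quoted in the thread, one entry per line.
P = 'Mar  4 21:37:45 fw4 pluto[5818]: "left-road"[4] 213.45.xxx.xxx #4: '
SAMPLE_LOG = "\n".join(P + msg for msg in [
    "responding to Main Mode from unknown peer 213.45.xxx.xxx",
    "policy does not allow OAKLEY_RSA_SIG authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD",
    "OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM",
    "OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM",
    "no acceptable Oakley Transform",
    "sending notification NO_PROPOSAL_CHOSEN to 213.45.xxx.xxx:500",
])

# Assumed line layout, taken from the quoted log: "conn"[instance] peer #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$')
AUTH_RE = re.compile(r"policy does not allow (\S+) authentication")
ENC_RE = re.compile(r"(\S+) is not supported\.\s+Attribute OAKLEY_ENCRYPTION_ALGORITHM")

def diagnose(log_text):
    """Group refusals by (connection, peer, state number) for each IKE exchange."""
    found = defaultdict(lambda: {"auth_refused": set(), "enc_refused": set(), "no_proposal": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection pluto line
        entry = found[(m["conn"], m["peer"], int(m["state"]))]
        auth, enc = AUTH_RE.search(m["msg"]), ENC_RE.search(m["msg"])
        if auth:
            entry["auth_refused"].add(auth.group(1))
        elif enc:
            entry["enc_refused"].add(enc.group(1))
        elif "NO_PROPOSAL_CHOSEN" in m["msg"]:
            entry["no_proposal"] = True
    return dict(found)

def summarize(log_text):
    """One line per failed negotiation, naming every refused attribute."""
    out = []
    for (conn, peer, state), d in sorted(diagnose(log_text).items()):
        if d["no_proposal"]:
            auth = ",".join(sorted(d["auth_refused"])) or "none"
            enc = ",".join(sorted(d["enc_refused"])) or "none"
            out.append(f"{conn} peer={peer} #{state}: auth refused={auth}; cipher refused={enc}")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_LOG)))
```

Seeing both an authentication method and a cipher refused in the same state number is the "combination" the reply refers to: the peer's offer fails on more than one attribute, so fixing only one of them still ends in NO_PROPOSAL_CHOSEN.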

