[Openswan Users] openswan ipsec fos_start

Andy Gay andy at andynet.net
Fri May 18 11:31:36 EDT 2007


On Fri, 2007-05-18 at 02:49 -0700, Vieri wrote:
> Hi,
> 
> I established an IPsec tunnel between openswan and a
> remote Cisco device.
> 
> As you can see from the links I'm posting below, the
> negotiation reaches STATE_MAIN_I4 (ISAKMP SA
> established).

That's just phase 1 - IKE. As you got that far, you know that the PSK
and the peer identities are good, but that's all. You don't have a
tunnel up until you see "IPsec SA established".

> 
> However, even after the tunnel is up, I can see
> messages of type NO_PROPOSAL_CHOSEN and if I try to
> ping a remote host at 150.2.101.89 from openswan's
> local IP 10.215.144.92 I get a fos_start.
> According to
> http://archives.free.net.ph/message/20070221.014329.1fb781ba.en.html
> there are
> known issues regarding "recent" 2.6 kernels with
> netkey but I'm using 2.6.16. Also, I've established
> other IPsec tunnels between the same openswan server
> and other openswan peers and pings go through
> normally.
> 
> So it's probably because of the NO_PROPOSAL_CHOSEN but
> I don't know what it refers to.

The peer's phase 2 parameters don't match yours. Usually that's either
because the PFS setting is different (try changing to pfs=yes), or your
left and right subnets don't *exactly* match the ones configured on the
peer.

It's also possible that the peer is configured to use some strange
encryption. You don't have an esp= setting, so (IIRC) that means you
will propose 4 transforms, I think they're AES128/SHA1, AES128/MD5,
3DES/SHA1, 3DES/MD5. Make sure the peer is willing to accept at least
one of those. Or use an explicit esp= setting to select exactly what the
peer wants.

Try to get us a copy of the peer's config if you need more help.


> 
> May 18 10:02:11 gw1 pluto[2608]: "ge-fhm" #1: ignoring
> informational payload, type NO_PROPOSAL_CHOSEN
> May 18 10:02:11 gw1 pluto[2608]: "ge-fhm" #1: received
> and ignored informational message
> May 18 10:02:20 gw1 pluto[2608]: initiate on demand
> from 10.215.144.92:0 to 150.2.101.89:0 proto=0 state:
> fos_start because: acquire
> May 18 10:02:20 gw1 pluto[2608]: "ge-fhm" #4:
> initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
> isakmp#1}
> May 18 10:02:20 gw1 pluto[2608]: "ge-fhm" #1: ignoring
> informational payload, type NO_PROPOSAL_CHOSEN
> May 18 10:02:20 gw1 pluto[2608]: "ge-fhm" #1: received
> and ignored informational message
> 
> ipsec auto --status:
> https://fhm.zapto.org/GEVPN/status_ge.txt
> 
> ipsec barf:
> https://fhm.zapto.org/GEVPN/barf_ge.txt
> 
> I'd appreciate suggestions.
> 
> Vieri
> 
> 
> 
> 
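The distinction Andy draws above, phase 1 (ISAKMP SA) versus phase 2 (IPsec SA), can be checked mechanically from pluto's log. The script below is an added example, not code from the thread or from Openswan: it parses pluto lines of the shape quoted in Vieri's mail, counts the phase 1, Quick Mode, NO_PROPOSAL_CHOSEN and IPsec SA events per connection, and reports whether a connection is really up or stuck after phase 1. The log sample is constructed for the example and the connection name "lab-peer" is made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines quoted in the thread; not real captured logs.
SAMPLE_LOG = """\
May 18 10:02:05 gw1 pluto[2608]: "ge-fhm" #1: STATE_MAIN_I4: ISAKMP SA established
May 18 10:02:11 gw1 pluto[2608]: "ge-fhm" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 18 10:02:20 gw1 pluto[2608]: "ge-fhm" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May 18 10:02:20 gw1 pluto[2608]: "ge-fhm" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 18 10:03:00 gw1 pluto[2608]: "lab-peer" #2: STATE_MAIN_I4: ISAKMP SA established
May 18 10:03:01 gw1 pluto[2608]: "lab-peer" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
"""
# pluto prefixes state-specific messages with the connection name and the state number (#N).
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

def parse_pluto(text):
    """Return per-connection counters for the phase 1 / phase 2 events that matter."""
    conns = defaultdict(lambda: {"isakmp": 0, "quick_init": 0, "no_proposal": 0, "ipsec": 0})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:            # e.g. "initiate on demand ..." lines carry no connection name
            continue
        c = conns[m.group("conn")]
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:      # phase 1 done: PSK and identities are good
            c["isakmp"] += 1
        elif "initiating Quick Mode" in msg:    # phase 2 attempt started
            c["quick_init"] += 1
        elif "NO_PROPOSAL_CHOSEN" in msg:       # peer rejected the proposal (arrives on the ISAKMP SA)
            c["no_proposal"] += 1
        elif "IPsec SA established" in msg:     # only now is there a tunnel
            c["ipsec"] += 1
    return dict(conns)

def diagnose(counters):
    """Map the counters to a verdict: phase 1 alone is not a tunnel."""
    if counters["ipsec"]:
        return "tunnel up (IPsec SA established)"
    if counters["isakmp"] and counters["no_proposal"]:
        return ("phase 1 only; peer rejected phase 2 proposal: "
                "check pfs=, left/rightsubnet, and set an explicit esp=")
    if counters["isakmp"]:
        return "phase 1 only; no phase 2 result yet"
    return "no ISAKMP SA: check PSK and peer identities"

def report(text):
    return {conn: diagnose(c) for conn, c in parse_pluto(text).items()}

if __name__ == "__main__":
    for conn, verdict in report(SAMPLE_LOG).items():
        print(f"{conn}: {verdict}")
```

Run it against `/var/log/auth.log` (or wherever pluto logs on your box) instead of the sample to get one verdict per connection.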