[Openswan Users] openswan to Instagate

Peter McGill petermcgill at goco.net
Thu May 31 14:39:55 EDT 2007 

> Date: Thu, 31 May 2007 14:11:46 -0400
> From: ACasella <antony.casella at sand.com>
> Subject: [Openswan Users] openswan to Instagate
> To: users at openswan.org
> 
> I'm trying to interconnect a host-to-host connection to an instagate
> firewall appliance (basically it looks like it runs either free or
> openswan on redhat).
> 
> I think I am falling short on the IKE/ESP settings on the 
> openswan side
> in my configuration as I cannot initiate the connection.  
> 
> When I initiate an ipsec auto --up host-to-host from my 
> openswan server,
> The instagate appliance responds with NO_PROPOSAL_CHOSEN:
> 
> 2007 May 31 13:49:17 instagate
> ****************************************************
> 2007 May 31 13:49:17 instagate 
> 2007 May 31 13:49:17 instagate **** RECEIVED  FIRST MESSAGE 
> OF MAIN MODE **** 
> 2007 May 31 13:49:17 instagate 
> 2007 May 31 13:49:17 instagate <POLICY: > PAYLOADS: 
> SA,PROP,TRANS,TRANS,TRANS,TRANS,VID,VID,VID,VID,VID,VID,VID
> 2007 May 31 13:49:17 instagate 
> 2007 May 31 13:49:17 instagate ERROR# NO MATCHING ISAKMP 
> PROPOSAL FOR DIALUP CASE
> 2007 May 31 13:49:17 instagate 
> 2007 May 31 13:49:17 instagate SENDING NOTIFY MSG:
> 2007 May 31 13:49:17 instagate NO_PROPOSAL_CHOSEN
> 2007 May 31 13:49:17 instagate 
> 2007 May 31 13:49:17 instagate <POLICY: > PAYLOADS: NOTIFY
> 2007 May 31 13:49:17 instagate 
> 2007 May 31 13:49:17 instagate **** SENT OUT INFORMATIONAL 
> EXCHANGE MESSAGE **** 
> 2007 May 31 13:49:17 instagate 
> 
> The instagate has limited choices for various IKE, DH and SPF.
> 
> The defaults are:  3DES enc,SHA-1 auth,DH2 
> and 		:  3DES enc, MD5 auth, DH2
> Strict PFS is disabled.
> Key refresh is 24 hours
> And key management is preshared key.
> 
> My conf is
> 
> conn host-to-host
>     type=tunnel
>     authby=secret
>     left=207.61.yyy.yyy
>     leftid=@yyyy
>     leftnexthop=%defaultroute
>     right=72.55.xxx.xxx
>     rightid=@xxxx
>     rightnexthop=%defaultroute
>     esp=3des-md5-96,3des-sha1
>     keyexchange=    ike
>     pfs=            no
>     auto=add

	ike=3des-sha1-modp1024,3des-md5-modp1024
	esp=3des-sha1,3des-md5
	keyexchange=ike
	pfs=no

Specify the above ike and esp lines, also I'm not sure if
the whitespace after the = on the keyexchange and pfs
lines matters or not so I took it out.

Peter

More information about the Users mailing list