[Openswan Users] openswan to Instagate

ACasella antony.casella at sand.com
Thu May 31 15:02:59 EDT 2007 

Peter,
Thank you for your reply.  I've tried the suggested configuration and
I'm not getting anything different back from the instagate appliance.
I've turned on "debug" mode on the instagate and this is the output:

2007 May 31 15:10:57 instagate 
2007 May 31 15:10:57 instagate IkeShowSA : sa lifetime :86400
2007 May 31 15:10:57 instagate 
2007 May 31 15:10:57 instagate IkeShowSA : sa lifetime :0
2007 May 31 15:10:57 instagate 
2007 May 31 15:10:57 instagate IkeShowSA : sa lifetime :25200
2007 May 31 15:10:57 instagate 
2007 May 31 15:10:57 instagate IkeShowSA : sa lifetime :0
2007 May 31 15:10:57 instagate 
2007 May 31 15:11:03 instagate Returned due to  Ike Server
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate IkeProcessData: IkeFindIsakmpPolicy returned NULL 
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate ****************************************************
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate ********** TEST CASE NUMBER : 5565  *****************
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate ****************************************************
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate **** RECEIVED  FIRST MESSAGE OF MAIN MODE **** 
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate <POLICY: > PAYLOADS: SA,PROP,TRANS,TRANS,VID,VID,VID,VID,VID,VID,VID
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate ERROR# NO MATCHING ISAKMP PROPOSAL FOR DIALUP CASE
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate IkeIdleProcess: IkeFindSupportingXform failed 
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate IkeProcessData: IkeIdleProcess failed 
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate SENDING NOTIFY MSG:
2007 May 31 15:11:03 instagate NO_PROPOSAL_CHOSEN
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate <POLICY: > PAYLOADS: NOTIFY
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate **** SENT OUT INFORMATIONAL EXCHANGE MESSAGE **** 
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate ipsecdrv_ioctl : Unknown message type
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:03 instagate IkeInitSockets: IkeProcessData failed 
2007 May 31 15:11:03 instagate 
2007 May 31 15:11:13 instagate Returned due to  Ike Server
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate IkeProcessData: IkeFindIsakmpPolicy returned NULL 
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate ****************************************************
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate ********** TEST CASE NUMBER : 5566  *****************
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate ****************************************************
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate **** RECEIVED  FIRST MESSAGE OF MAIN MODE **** 
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate <POLICY: > PAYLOADS: SA,PROP,TRANS,TRANS,VID,VID,VID,VID,VID,VID,VID
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate ERROR# NO MATCHING ISAKMP PROPOSAL FOR DIALUP CASE
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate IkeIdleProcess: IkeFindSupportingXform failed 
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate IkeProcessData: IkeIdleProcess failed 
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate SENDING NOTIFY MSG:
2007 May 31 15:11:13 instagate NO_PROPOSAL_CHOSEN
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate <POLICY: > PAYLOADS: NOTIFY
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate **** SENT OUT INFORMATIONAL EXCHANGE MESSAGE **** 
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate ipsecdrv_ioctl : Unknown message type
2007 May 31 15:11:13 instagate 
2007 May 31 15:11:13 instagate IkeInitSockets: IkeProcessData failed 
2007 May 31 15:11:13 instagate 


Is there any other debugging information that I can provide from the
openswan side that might be of help?

Thank you

Antony Casella




On Thu, 2007-05-31 at 14:39 -0400, Peter McGill wrote:
> > Date: Thu, 31 May 2007 14:11:46 -0400
> > From: ACasella <antony.casella at sand.com>
> > Subject: [Openswan Users] openswan to Instagate
> > To: users at openswan.org
> > 
> > I'm trying to interconnect a host-to-host connection to an instagate
> > firewall appliance (basically it looks like it runs either free or
> > openswan on redhat).
> > 
> > I think I am falling short on the IKE/ESP settings on the 
> > openswan side
> > in my configuration as I cannot initiate the connection.  
> > 
> > When I initiate an ipsec auto --up host-to-host from my 
> > openswan server,
> > The instagate appliance responds with NO_PROPOSAL_CHOSEN:
> > 
> > 2007 May 31 13:49:17 instagate
> > ****************************************************
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate **** RECEIVED  FIRST MESSAGE 
> > OF MAIN MODE **** 
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate <POLICY: > PAYLOADS: 
> > SA,PROP,TRANS,TRANS,TRANS,TRANS,VID,VID,VID,VID,VID,VID,VID
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate ERROR# NO MATCHING ISAKMP 
> > PROPOSAL FOR DIALUP CASE
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate SENDING NOTIFY MSG:
> > 2007 May 31 13:49:17 instagate NO_PROPOSAL_CHOSEN
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate <POLICY: > PAYLOADS: NOTIFY
> > 2007 May 31 13:49:17 instagate 
> > 2007 May 31 13:49:17 instagate **** SENT OUT INFORMATIONAL 
> > EXCHANGE MESSAGE **** 
> > 2007 May 31 13:49:17 instagate 
> > 
> > The instagate has limited choices for various IKE, DH and SPF.
> > 
> > The defaults are:  3DES enc,SHA-1 auth,DH2 
> > and 		:  3DES enc, MD5 auth, DH2
> > Strict PFS is disabled.
> > Key refresh is 24 hours
> > And key management is preshared key.
> > 
> > My conf is
> > 
> > conn host-to-host
> >     type=tunnel
> >     authby=secret
> >     left=207.61.yyy.yyy
> >     leftid=@yyyy
> >     leftnexthop=%defaultroute
> >     right=72.55.xxx.xxx
> >     rightid=@xxxx
> >     rightnexthop=%defaultroute
> >     esp=3des-md5-96,3des-sha1
> >     keyexchange=    ike
> >     pfs=            no
> >     auto=add
> 
> 	ike=3des-sha1-modp1024,3des-md5-modp1024
> 	esp=3des-sha1,3des-md5
> 	keyexchange=ike
> 	pfs=no
> 
> Specify the above ike and esp lines, also I'm not sure if
> the whitespace after the = on the keyexchange and pfs
> lines matters or not so I took it out.
> 
> Peter
>

More information about the Users mailing list