[Openswan Users] Aggressive Mode Not Working?
Chris Zimmerman
czimmer at wczimmerman.dyndns.org
Tue Aug 12 22:36:25 EDT 2008
I have been trying to set up a tunnel between Linux and a Watchguard device
for some time now.
My specs:
Linux=Ubuntu Gutsy with OpenSWAN 2.4.6 (from the repositories)
Watchguard=Firebox running 10.2
I can successfully build a Main Mode tunnel and ping across. My need is for
a tunnel when I'm on the road, hence the need for Aggressive mode. If I
duplicate my settings from main mode on both ends but change to use
aggressive mode the tunnel times out in the build. I have a snippet below
for what I think may be part of the cause, but I don't know what to make of
it.
Aug 12 19:22:09 zp1 pluto[29197]: "watchguard-mobile" #1: initiating Aggressive Mode #1, connection "watchguard-mobile"
Aug 12 19:22:09 zp1 pluto[29197]: | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
Aug 12 19:22:09 zp1 pluto[29197]: | asking helper 0 to do build_kenonce op on seq: 1
Aug 12 19:22:09 zp1 pluto[29197]: | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
Aug 12 19:22:09 zp1 pluto[29234]: ! helper -1 doing build_kenonce op id: 1
Aug 12 19:22:09 zp1 pluto[29197]: | next event EVENT_PENDING_PHASE2 in 113 seconds
Here's my ipsec.conf:
config setup
    plutodebug="all"
    klipsdebug="all"
    #nhelpers=0
    #nocrsend=yes
    #uniqueids=yes
    #nat_traversal=yes

# Add connections here
conn watchguard-mobile
    type=tunnel
    left=%defaultroute
    leftid=mobile.mydomain.com
    right=<external IP>
    rightid=<ID>
    rightsubnet=<right subnet>
    keyexchange=ike
    pfs=no
    aggrmode=yes
    auto=add
    auth=esp
    ike=3des-sha1-modp1024
    esp=3des-sha1
    authby=secret
    modecfgpull=no
    compress=no
    keyingtries=%forever

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
In my main mode config, I have NAT-T enabled because I'm behind a firewall.
For my mobile config, I'm using a cellular aircard, so NAT-T is disabled on
both ends.
ANY assistance would be appreciated!