[Openswan Users] Juniper Openswan config issues

Peter McGill petermcgill at goco.net
Wed Jan 2 11:45:00 EST 2008


The following log line indicates a connection settings mismatch of some kind.
What does the Juniper config look like?

> Dec 21 23:56:22 stormbringer pluto[10968]: packet from 195.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN

Peter McGill
 

> -----Original Message-----
> From: Ioannis Mavroukakis [mailto:imavroukakis at gameaccount.com] 
> Sent: December 21, 2007 7:14 PM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Juniper Openswan config issues
> 
> Ok there is one more piece missing from the puzzle, the 
> Juniper insists on aggressive mode. Having set that, I now 
> get this in the logs
> 
> Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: multiple transforms were set in aggressive mode. Only first one used.
> Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: transform (5,1,2,0) ignored.
> Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: initiating Aggressive Mode #1, connection "databaseGib"
> Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: multiple transforms were set in aggressive mode. Only first one used.
> Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: transform (5,1,2,0) ignored.
> Dec 21 23:56:22 stormbringer pluto[10968]: packet from 195.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> 
> 
> 
> 
> On Thu, 20 Dec 2007 10:58:37 -0500, "Peter McGill" 
> <petermcgill at goco.net> wrote:
> > Your firewall doesn't block or change anything, so no problems there,
> > and you have a good default route.
> > 
> > Looking back at your first post, I notice this, not sure if it's a
> > problem.
> > I always use KLIPS myself, never used NETKEY so I'm not sure if this is
> > correct.
> > 
> >> Dec 17 22:02:27 stormbringer ipsec_setup: KLIPS ipsec0 on eth1 192.168.1.69/255.255.255.0 broadcast 192.168.1.255
> > Perhaps someone else can answer: is it normal to get this KLIPS message
> > when using NETKEY?
> > 
> > Also...
> > 
> >> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/key/af_key.ko
> >> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/ipv4/xfrm4_tunnel.ko
> >> Dec 17 22:02:27 stormbringer ipsec_setup: insmod /lib/modules/2.6.22-14-generic/kernel/net/xfrm/xfrm_user.ko
> > Are these all the NETKEY modules, do any more need to be loaded?
> > 
> > Anyone else have a suggestion? I'll repeat the details so far...
> > 
> > Peter McGill
> > 
> >> -----Original Message-----
> >> From: users-bounces at openswan.org
> >> [mailto:users-bounces at openswan.org] On Behalf Of Ioannis 
> Mavroukakis
> >> Sent: December 17, 2007 5:45 PM
> >> To: users at openswan.org
> >> Subject: [Openswan Users] Juniper Openswan config issues
> >>
> >> Hello fellow listers :-) . I'm hoping to pick someone's brain
> >> about the config/connection issues I have
> >> with openswan as a client to a Juniper ns204.
> > 
> > ipsec.conf (I removed the blank lines and comments to shorten post):
> >> version 2.0
> >> config setup
> >>         interfaces=%defaultroute
> >>         nat_traversal=yes
> >> conn gib
> >>         left=%defaultroute
> >>         leftid=@myuserid
> >>         right=195.x.x.x
> >>         rightsubnet=10.x.x.x/16
> >>         auto=start
> >>         type=tunnel
> >>         authby=secret
> >>         ike=3des-md5
> >>         keyexchange=ike
> >>         pfs=no
> >>         esp=3des-md5
> >>         rekey=yes
> >> include /etc/ipsec.d/examples/no_oe.conf
> > 
> > ipsec verify:
> >> Version check and ipsec on-path                            [OK]
> >> Linux Openswan U2.4.6/K2.6.22-14-generic (netkey)
> >> Checking for IPsec support in kernel                       [OK]
> >> NETKEY detected, testing for disabled ICMP send_redirects  [OK]
> >> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> >> Checking for RSA private key (/etc/ipsec.secrets)          [DISABLED]
> >>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> >> Checking that pluto is running                             [OK]
> >> Two or more interfaces found, checking IP forwarding       [OK]
> >> Checking NAT and MASQUERADEing                             [OK]
> >> Checking for 'ip' command                                  [OK]
> >> Checking for 'iptables' command                            [OK]
> >> Opportunistic Encryption Support                           [DISABLED]
> > 
> >> auth.log:Dec 18 21:54:40 stormbringer pluto[6889]: "databaseGib" #1: initiating Main Mode
> >>
> >> daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: 104 "databaseGib" #1: STATE_MAIN_I1: initiate
> >> daemon.log:Dec 18 21:54:40 stormbringer ipsec__plutorun: ...could not start conn "databaseGib"
> > 
> >> root at stormbringer:/var/log# netstat -rn
> >> Kernel IP routeing table
> >> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> >> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
> >> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
> >> 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 eth1
> > 
> > To summarize the iptables rules, there are none, all policies set to
> > ACCEPT. Checked with...
> >> iptables -t filter -n -L -v
> >> iptables -t nat -n -L -v
> >> iptables -t mangle -n -L -v
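A small pluto log triage script, added here as an example and not part of this thread or of Openswan: it parses lines in the format quoted above (the sample lines below are constructed from the ones in the post, with the peer address anonymised exactly as there) and turns the aggressive-mode transform warnings and the peer's NO_PROPOSAL_CHOSEN notification into findings an operator can act on. The finding names, the regular expressions and the explanation text are my own; nothing here decodes the numbers inside the ignored transform tuple.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in this thread
# (same host, PID and connection name; peer address anonymised as in the post).
SAMPLE_LOG = """\
Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: multiple transforms were set in aggressive mode. Only first one used.
Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: transform (5,1,2,0) ignored.
Dec 21 23:56:22 stormbringer pluto[10968]: "databaseGib" #1: initiating Aggressive Mode #1, connection "databaseGib"
Dec 21 23:56:22 stormbringer pluto[10968]: packet from 195.x.x.x:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
"""

# syslog prefix as pluto writes it: "<timestamp> <host> pluto[<pid>]: <message>"
PLUTO_LINE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# messages tied to a connection and ISAKMP SA number ...
CONN_MSG = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
# ... versus messages about a raw packet from a peer (no SA yet, so no conn name)
PEER_MSG = re.compile(r'^packet from (?P<peer>[^:]+:\d+): (?P<text>.*)$')
MODE = re.compile(r'^initiating (?P<mode>Main|Aggressive) Mode')
IGNORED = re.compile(r'^transform \((?P<attrs>[\d,]+)\) ignored\.$')
NOTIFY = re.compile(r'ignoring informational payload, type (?P<type>[A-Z_]+)')

# Explanation text is my own wording of what the quoted log lines say.
EXPLANATIONS = {
    'aggressive-mode-single-transform':
        'Aggressive mode lets pluto send only the first transform; the dropped ones never '
        'reach the peer, so that first transform must match the peer\'s Phase 1 proposal.',
    'proposal-mismatch':
        'The peer answered NO_PROPOSAL_CHOSEN, i.e. it accepted none of the offered settings; '
        'compare cipher, hash, DH group, authentication method and lifetimes on both ends.',
}


def parse_pluto(text):
    """Turn raw syslog text into a list of event dicts; non-pluto lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PLUTO_LINE.match(line)
        if not m:
            continue
        ev = {'ts': m.group('ts'), 'conn': None, 'sa': None,
              'peer': None, 'text': m.group('msg')}
        c = CONN_MSG.match(ev['text'])
        p = PEER_MSG.match(ev['text'])
        if c:
            ev.update(conn=c.group('conn'), sa=int(c.group('sa')), text=c.group('text'))
        elif p:
            ev.update(peer=p.group('peer'), text=p.group('text'))
        events.append(ev)
    return events


def diagnose(events):
    """Collect modes, ignored transforms and peer notifications, then derive findings."""
    report = {'modes': [], 'ignored_transforms': [], 'notifications': {}, 'findings': []}
    for ev in events:
        text = ev['text']
        m = MODE.match(text)
        if m:
            report['modes'].append(m.group('mode'))
            continue
        m = IGNORED.match(text)
        if m:
            report['ignored_transforms'].append(m.group('attrs'))
            continue
        m = NOTIFY.search(text)
        if m and ev['peer']:
            per_peer = report['notifications'].setdefault(ev['peer'], {})
            per_peer[m.group('type')] = per_peer.get(m.group('type'), 0) + 1
    if 'Aggressive' in report['modes'] and report['ignored_transforms']:
        report['findings'].append('aggressive-mode-single-transform')
    for peer, notes in sorted(report['notifications'].items()):
        if 'NO_PROPOSAL_CHOSEN' in notes:
            report['findings'].append('proposal-mismatch:' + peer)
    return report


def explain(report):
    """One human-readable line per finding."""
    return ['%s: %s' % (f, EXPLANATIONS[f.split(':', 1)[0]]) for f in report['findings']]


if __name__ == '__main__':
    for line in explain(diagnose(parse_pluto(SAMPLE_LOG))):
        print(line)
```

Feed it `grep pluto /var/log/auth.log` instead of the sample and the two findings above are what the quoted exchange produces: the aggressive-mode warning is local and explains why only one proposal is on the wire, while NO_PROPOSAL_CHOSEN comes from the peer and is the actual rejection, which is why the reply above asks what the Juniper side is configured with.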


