[Openswan Users] openswan to Watchguard aggrmode: "system too busy" [UPDATE]
David Koski
david at kosmosisland.com
Mon Jul 21 15:07:38 EDT 2008
On Wednesday 16 July 2008 16:06, David Koski wrote:
> Thank you, Paul.
>
> On Wednesday 16 July 2008 10:31, Paul Wouters wrote:
> > On Wed, 16 Jul 2008, David Koski wrote:
> > > I am getting an error when attempting to connect to a Watchguard
> > > 1200e (firmware revision 10.2): "system too busy"
> >
> > Either your system is really too busy for the crypto, or more likely this
> > is a bug.
>
> The CPU is 99 percent idle.
>
> > > config setup
> > > interfaces="%defaultroute"
> > > nat_traversal=yes
> > > nhelpers=0
> >
> > I would have recommended trying nhelpers=0, but since you have that I'll
> > recommend commenting that out :)
>
> I tried commenting it out and now the auth log shows one record and then
> hangs:
>
> Jul 16 15:59:50 tiikeri pluto[28204]: "cni" #1: initiating Aggressive Mode
> #1, connection "cni"
>
> ..when trying:
>
> # ipsec auto --up cni
>
> Regards,
> David Koski
> david at kosmosisland.com
I enabled debugging on the Watchguard and watched the traffic from the client
to the watchguard and found there is traffic going out on port 500 when I
attempt a connection. At this time the watchguard debug log shows:

<timestamp> iked WARNING: reject phase1 agressive mode from <my_ip> to
<watchguard_ip> (no matching policy) cookies i=17becb42b4929c66 r=0..0 0..0
msg_id="0203-5040"

Also, another setting in the watchguard I don't understand:

"Virtual Adapter Settings of the Secure VPN client [Required|Preferred|
Disabled]"

Thanks in advance,
David Koski
david at kosmosisland.com