[Openswan Users] Problem with PSK and OAKLEY_AUTHENTICATION_METHOD
Peter McGill
petermcgill at goco.net
Thu Mar 20 16:46:10 EDT 2008
The two endpoints do not agree on acceptable settings.
Probably the other end is trying to use DES encryption
with Diffie Hellman (DH) group 1 (768 bit modp).
Openswan won't allow this because it's a broken method.
Change the other side to use 3DES or AES encryption,
with md5 or sha1, dh group 2 or 5 (1024 or 1536 bit).
You can match openswan settings exactly with the remote end
by specifying for example:
ike=3des-md5-modp1024
esp=3des-md5
Also make sure the other end has aggressive mode off,
and perfect forward secrecy on.
Peter McGill
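As an added illustration of the proposal mismatch described above (example code, not Openswan's own and not the poster's): a small Python checker that parses ike= style proposal lists, flags what Openswan rejects (single DES, DH group 1), finds a proposal both ends accept, and classifies the pluto log lines quoted in this thread. The peer proposal strings used with it are constructed; the log lines are the ones quoted below with the mailer's line wraps rejoined.

```python
# Added example, not Openswan code: ike= proposal checks plus pluto log triage.
import re
WEAK_ENC = {"des"}        # single DES: Openswan rejects it as broken
WEAK_DH = {"modp768"}     # DH group 1 (768-bit): also rejected
DH_ALIASES = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536"}

def parse_proposals(spec):
    """'3des-md5-modp1024,aes-sha1-modp1536' -> [(enc, hash, dh), ...]."""
    out = []
    for item in spec.split(","):
        parts = item.strip().lower().split("-")
        if len(parts) != 3:
            raise ValueError(f"bad proposal {item!r}: expected enc-hash-dh")
        enc, hsh, dh = parts
        out.append((enc, hsh, DH_ALIASES.get(dh, dh)))
    return out

def weak_proposals(proposals):
    """Proposals Openswan will not use even if the peer offers them."""
    return [p for p in proposals if p[0] in WEAK_ENC or p[2] in WEAK_DH]

def negotiate(local_spec, peer_spec):
    """First proposal acceptable to both sides, else None (NO_PROPOSAL_CHOSEN)."""
    local, peer = parse_proposals(local_spec), parse_proposals(peer_spec)
    weak = set(weak_proposals(local + peer))
    return next((p for p in local if p in peer and p not in weak), None)

PSK_FAIL = re.compile(r"no preshared key found for `([^']*)' and `([^']*)'")
PROPOSAL_FAIL = re.compile(r"no acceptable Oakley Transform|NO_PROPOSAL_CHOSEN")

def diagnose(log_lines):
    """Set of distinct findings from pluto log lines."""
    findings = set()
    for line in log_lines:
        m = PSK_FAIL.search(line)
        if m:
            findings.add(f"no PSK for IDs {m.group(1)} and {m.group(2)}")
        if PROPOSAL_FAIL.search(line):
            findings.add("phase-1 proposal mismatch (enc/hash/DH group)")
        if "STATE_AGGR_" in line:
            findings.add("aggressive mode in use")
    return findings

# Log lines quoted in this thread, with the mailer's line wraps rejoined.
SAMPLE_LOG = [
    "003 \"casc\" #6: Can't authenticate: no preshared key found for `@plap'"
    " and `@Cas-Datacenter'. Attribute OAKLEY_AUTHENTICATION_METHOD",
    '003 "casc" #6: no acceptable Oakley Transform',
    '214 "casc" #6: STATE_AGGR_I1: NO_PROPOSAL_CHOSEN',
]
```

Running `negotiate("3des-md5-modp1024", peer_list)` against what the far end offers shows whether any common proposal survives once DES and group 1 are discarded.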
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Joshua Lenmarc
> Sent: March 20, 2008 4:34 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Problem with PSK
> andOAKLEY_AUTHENTICATION_METHOD
>
> Same problem here. I get the following error. Any hints? Thanks!
>
> 112 "casc" #6: STATE_AGGR_I1: initiate
> 003 "casc" #6: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
> 003 "casc" #6: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 "casc" #6: received Vendor ID payload [XAUTH]
> 003 "casc" #6: Can't authenticate: no preshared key found for `@plap'
> and `@Cas-Datacenter'. Attribute OAKLEY_AUTHENTICATION_METHOD
> 003 "casc" #6: no acceptable Oakley Transform
> 214 "casc" #6: STATE_AGGR_I1: NO_PROPOSAL_CHOSEN
>
> <kay at decna.no> wrote on "Fri Jul 23 00:30:37 CEST 2004":
> >
> > Hello
> >
> > I'm trying to connect to a Sonicwall TZ170 with Openswan
> 2.1.3 under Debian.
> >
> > 104 "fswn-swll" #9: STATE_MAIN_I1: initiate
> > 003 "fswn-swll" #9: Can't authenticate: no preshared key found for
> > `local-ip' and `remote-ip'. Attribute OAKLEY_AUTHENTICATION_METHOD
> > 003 "fswn-swll" #9: no acceptable Oakley Transform
> > 214 "fswn-swll" #9: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
> >
> > On the sonicwall the logs just say that the remote timed out.
> >
> > My ipsec.conf
> >
> > version 2.0
> >
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > conn fswn-swll
> > type=tunnel
> > auth=esp
> > authby=secret
> > keyingtries=0
> > ikelifetime=28800
> > keylife=5h
> > disablearrivalcheck=no
> > left=local-ip
> > leftsubnet=local-net/24
> > right=remote-ip
> > rightsubnet=remote-net/26
> > auto=add
> >
> > my ipsec.secrets
> >
> > local-ip remote-ip : PSK "mypsk"
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155