[Openswan Users] Problem with PSK and OAKLEY_AUTHENTICATION_METHOD

Peter McGill petermcgill at goco.net
Thu Mar 20 16:46:10 EDT 2008


The two endpoints do not agree on acceptable settings.
Probably the other end is trying to use DES encryption
with Diffie-Hellman (DH) group 1 (768 bit modp).
Openswan won't allow this because it's a broken method.
Change the other side to use 3DES or AES encryption,
with md5 or sha1 and dh group 2 or 5 (1024 or 1536 bit).

You can match openswan settings exactly with the remote end
by specifying for example:
	ike=3des-md5-modp1024
	esp=3des-md5

Also make sure the other end has aggressive mode off,
and perfect forward secrecy on.

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Joshua Lenmarc
> Sent: March 20, 2008 4:34 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Problem with PSK 
> andOAKLEY_AUTHENTICATION_METHOD
> 
> Same problem here. I get the following error. Any hints? Thanks!
> 
> 112 "casc" #6: STATE_AGGR_I1: initiate
> 003 "casc" #6: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> 003 "casc" #6: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 "casc" #6: received Vendor ID payload [XAUTH]
> 003 "casc" #6: Can't authenticate: no preshared key found for `@plap'
> and `@Cas-Datacenter'. Attribute OAKLEY_AUTHENTICATION_METHOD
> 003 "casc" #6: no acceptable Oakley Transform
> 214 "casc" #6: STATE_AGGR_I1: NO_PROPOSAL_CHOSEN
> 
> <kay at decna.no> wrote on "Fri Jul 23 00:30:37 CEST 2004":
> >
> > Hello
> >
> > I'm trying to connect to a Sonicwall TZ170 with Openswan 2.1.3 under Debian.
> >
> > 104 "fswn-swll" #9: STATE_MAIN_I1: initiate
> > 003 "fswn-swll" #9: Can't authenticate: no preshared key found for
> > `local-ip' and `remote-ip'.  Attribute OAKLEY_AUTHENTICATION_METHOD
> > 003 "fswn-swll" #9: no acceptable Oakley Transform
> > 214 "fswn-swll" #9: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
> >
> > On the sonicwall the logs just say that the remote timed out.
> >
> > My ipsec.conf
> >
> > version 2.0
> >
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > conn fswn-swll
> >         type=tunnel
> >         auth=esp
> >         authby=secret
> >         keyingtries=0
> >         ikelifetime=28800
> >         keylife=5h
> >         disablearrivalcheck=no
> >         left=local-ip
> >         leftsubnet=local-net/24
> >         right=remote-ip
> >         rightsubnet=remote-net/26
> >         auto=add
> >
> > my ipsec.secrets
> >
> > local-ip remote-ip : PSK "mypsk"
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
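The two failure causes discussed in this thread (a proposal the local end refuses because it uses DES or DH group 1, and a PSK whose index in ipsec.secrets does not match the identities the connection actually presents, as in "no preshared key found for `@plap' and `@Cas-Datacenter'") can both be caught before pluto is started. The following linter is an added example written for this page; it is not Openswan code and the ipsec.conf and ipsec.secrets texts in it are constructed. It assumes the enc-hash-modp proposal syntax shown in the reply above, that `aggrmode=yes` enables aggressive mode and `pfs` defaults to yes, and that a PSK line is usable when both identities (leftid/rightid, falling back to left/right) appear before the colon.

```python
"""Lint Openswan-style ipsec.conf and ipsec.secrets for weak IKE proposals
and for a PSK whose index does not match the peer identities.

Added example, not Openswan code. All sample text below is constructed;
the identities @plap and @Cas-Datacenter are taken from the log in the
thread, the IP addresses are RFC 5737 documentation addresses.
"""
import re

# Assumption: these are the algorithm names the reply calls "broken" or
# "acceptable"; add to them if your pluto supports other names.
WEAK_ENC = {"des", "null"}
WEAK_DH = {"modp768"}          # DH group 1


def parse_conf(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current and "=" in line and line[0] in " \t":
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def check_proposals(conn):
    """Flag DES / DH group 1 in ike= or esp=, aggressive mode, and pfs=no."""
    issues = []
    for key in ("ike", "esp"):
        for prop in conn.get(key, "").split(","):
            if not prop.strip():
                continue
            parts = prop.strip().lower().split("-")
            if parts[0] in WEAK_ENC:
                issues.append(f"{key}: weak cipher {parts[0]}")
            for part in parts[1:]:
                if part in WEAK_DH:
                    issues.append(f"{key}: weak DH group {part}")
    if conn.get("aggrmode", "no").lower() == "yes":
        issues.append("aggrmode=yes: use main mode")
    if conn.get("pfs", "yes").lower() == "no":
        issues.append("pfs=no: enable perfect forward secrecy")
    return issues


def parse_secrets(text):
    """Return [(set_of_index_ids, psk)] for each PSK line in ipsec.secrets."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'^\s*(.*?)\s*:\s*PSK\s+"(.*)"\s*$', line)
        if m:
            ids = set(m.group(1).split()) if m.group(1).strip() else {"%any"}
            entries.append((ids, m.group(2)))
    return entries


def find_psk(conn, secrets):
    """Return the PSK whose index covers both peer identities, else None."""
    lid = conn.get("leftid", conn.get("left"))
    rid = conn.get("rightid", conn.get("right"))
    for ids, psk in secrets:
        if ids == {"%any"} or {lid, rid} <= ids:
            return psk
    return None


# Constructed sample: proposal and secrets index that pluto would reject.
WEAK_CONF = """\
conn casc
        authby=secret
        left=192.0.2.1
        leftid=@plap
        right=198.51.100.1
        rightid=@Cas-Datacenter
        ike=des-md5-modp768
        aggrmode=yes
        pfs=no
"""
# Secrets indexed by IP while the conn presents @name identities.
IP_INDEXED_SECRETS = '192.0.2.1 198.51.100.1 : PSK "constructed-example-psk"\n'

# Constructed sample after applying the advice in the reply.
FIXED_CONF = """\
conn casc
        authby=secret
        left=192.0.2.1
        leftid=@plap
        right=198.51.100.1
        rightid=@Cas-Datacenter
        ike=3des-md5-modp1024
        esp=3des-md5
"""
ID_INDEXED_SECRETS = '@plap @Cas-Datacenter : PSK "constructed-example-psk"\n'


def lint(conf_text, secrets_text):
    """Return {conn_name: [issue, ...]} covering proposals and PSK lookup."""
    secrets = parse_secrets(secrets_text)
    report = {}
    for name, conn in parse_conf(conf_text).items():
        issues = check_proposals(conn)
        if conn.get("authby", "secret") == "secret" and find_psk(conn, secrets) is None:
            issues.append("no PSK line indexed by this conn's leftid/rightid")
        report[name] = issues
    return report


if __name__ == "__main__":
    for label, conf, sec in (("weak", WEAK_CONF, IP_INDEXED_SECRETS),
                             ("fixed", FIXED_CONF, ID_INDEXED_SECRETS)):
        print(label, lint(conf, sec))
```

Running it prints five findings for the weak sample (DES, modp768, aggressive mode, pfs=no, and the unmatched PSK index) and an empty list for the fixed one. The PSK check is the part worth keeping around: when `leftid=@name` is set, the secrets line has to be indexed by that `@name`, not by the interface address, which is exactly the mismatch the quoted log reports.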