[Openswan Users] xauth
Paul Wouters
paul at xelerance.com
Tue Jun 23 17:12:33 EDT 2009
On Tue, 23 Jun 2009, Jon James wrote:
> Could anyone tell me if automated rekeying with Xauth actually works?
It should work.
> I initiate the tunnel by hand using whack and all goes well.
>
> The IKE (phase 2) rekeying works; however, when it comes time to rekey phase 1 with xauth, the tunnel fails.
> Fortigate Config phase1
> Jun 23 13:32:36 claimtools pluto[15665]: packet from x.x.x.x:4500: received and ignored informational message
> Jun 23 13:32:36 claimtools pluto[15665]: "home" #1: received Delete SA payload: deleting ISAKMP State #1
> Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: sending notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
> Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: no acceptable Oakley Transform
> Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Looks like there is confusion over whether xauth is needed?
> Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: responding to Main Mode
So the other end is responding to you? Which end is the client? Only that end should rekey. The server side
should have rekey=no (because you cannot rekey to dynamic IPs; you don't know where they are).
Paul
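Added here as an illustration, not code from the thread or from Openswan: a small Python triage script that applies Paul's reading to the quoted pluto lines (embedded below as constructed sample input, oldest first). It groups messages by ISAKMP state and reports states where pluto, acting as responder, refused a peer-initiated Main Mode because its policy mandates XAUTH, which is the signature of the server end trying to rekey phase 1 toward the XAUTH client.

```python
import re
from collections import defaultdict

# Constructed sample, based on the pluto lines quoted in the thread (oldest first).
SAMPLE_LOG = """\
Jun 23 13:32:22 claimtools pluto[15665]: "home" #7: responding to Main Mode
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: no acceptable Oakley Transform
Jun 23 13:32:30 claimtools pluto[15665]: "home" #8: sending notification NO_PROPOSAL_CHOSEN to x.x.x.x:4500
Jun 23 13:32:36 claimtools pluto[15665]: "home" #1: received Delete SA payload: deleting ISAKMP State #1
Jun 23 13:32:36 claimtools pluto[15665]: packet from x.x.x.x:4500: received and ignored informational message
"""

# Syslog-style pluto line: timestamp, host, pluto[pid]:, optional "conn" #state:, message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')

def parse_pluto(text):
    """Yield (timestamp, conn, state, msg) per pluto line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m['ts'], m['conn'], m['state'], m['msg']

def peer_initiated_phase1(text):
    """(conn, state) pairs where the *peer* started Main Mode and pluto only responded."""
    return sorted({(c, int(s)) for _, c, s, m in parse_pluto(text)
                   if c and s and m.startswith('responding to Main Mode')})

def xauth_rekey_rejections(text):
    """States where pluto, as responder, answered NO_PROPOSAL_CHOSEN because local
    policy mandates XAUTH but the peer's OAKLEY_AUTHENTICATION_METHOD did not offer it."""
    by_state = defaultdict(list)
    for ts, conn, state, msg in parse_pluto(text):
        if conn and state:
            by_state[(conn, int(state))].append((ts, msg))
    findings = []
    for (conn, state), msgs in sorted(by_state.items()):
        mandates = any('mandates Extended Authentication (XAUTH)' in m
                       and 'we are responder' in m for _, m in msgs)
        refused = any('NO_PROPOSAL_CHOSEN' in m for _, m in msgs)
        if mandates and refused:
            findings.append({'conn': conn, 'state': state, 'first_seen': msgs[0][0]})
    return findings

if __name__ == '__main__':
    for f in xauth_rekey_rejections(SAMPLE_LOG):
        print(f"{f['first_seen']} conn {f['conn']!r} state #{f['state']}: peer-initiated phase 1 "
              "refused (XAUTH mandated); let only the XAUTH client rekey, set rekey=no on the server")
```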