[Openswan Users] trying to connect OpenSWAN 2.6.19 to a Netgear FVS338

Paul Wouters paul at xelerance.com
Mon May 18 21:20:29 EDT 2009


On Mon, 18 May 2009, Marcos Hacker wrote:

> Does it make a difference if we use the whack command line or ipsec.conf?
> I'm not sure why using the whack command line was chosen. It was probably
> the easier route at the time.

No it does not make a difference, though the config file seems much
easier to use according to me. Also, if the whack syntax changes, the
config file syntax will remain the same.

> If the right/Netgear certificate is not loaded on the left/Linux device
> manually, then it is not sent over (after checking ipsec auto --listall).

Not even with leftsendcert=always?

> After reading about the 3/30/09 security release, I upgraded from
> OpenSWAN 2.6.19 to 2.6.21 and can no longer get the IPSec SA established.
> If I revert back to 2.6.19, the connection establishes as expected.
> Again, in both cases, we have the public certificate from the right
> manually loaded on the left.

Odd. Can you try openswan-2.6.22dr2, and if it fails, give me the output
with full pluto debug?

> pluto[177]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1024}
> pluto[177]: "vpn_tunnel" #2: initiating Quick Mode
> RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:8499abd4
> proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
> pluto[177]: "vpn_tunnel" #1: ignoring informational payload, type
> NO_PROPOSAL_CHOSEN msgid=00000000

Odd, the proposal is the same, the phase1 is the same, yet the remote
rejected it. It would definitely help to get both plutodebug logs
(2.6.21 and 2.6.22dr2).

Paul
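As an added example (not part of the thread or of Openswan), a small Python triage script that parses pluto log lines of the shape quoted above and reports when phase 1 succeeded but the peer answered the Quick Mode proposal with NO_PROPOSAL_CHOSEN. The sample input is the quoted log, reassembled onto single lines; the connection name and PID are the ones in the mail.

```python
import re

# Constructed sample: the pluto lines quoted in the thread, each rejoined onto
# one line (the mail wrapped them). One unrelated line is included to show
# that non-state lines are ignored.
SAMPLE_LOG = """\
pluto[177]: loading secrets from "/etc/ipsec.secrets"
pluto[177]: "vpn_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
pluto[177]: "vpn_tunnel" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+UP {using isakmp#1 msgid:8499abd4 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
pluto[177]: "vpn_tunnel" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
"""

# pluto[<pid>]: "<conn>" #<state>: <message>
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')
BRACES_RE = re.compile(r"\{([^}]*)\}")


def parse_attrs(msg):
    """Return the key=value pairs inside the trailing {...} of a pluto message.

    Tokens without '=' (e.g. 'using', 'isakmp#1', 'msgid:...') are skipped."""
    m = BRACES_RE.search(msg)
    if not m:
        return {}
    return dict(tok.split("=", 1) for tok in m.group(1).split() if "=" in tok)


def analyze(log):
    """Per connection: phase 1 parameters, phase 2 proposal, and a verdict."""
    conns = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], {"isakmp": None, "quick": None, "rejected": False})
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            c["isakmp"] = parse_attrs(msg)          # phase 1 done
        elif "initiating Quick Mode" in msg:
            c["quick"] = parse_attrs(msg)           # phase 2 proposal we sent
        elif "NO_PROPOSAL_CHOSEN" in msg:
            # The informational arrives under the ISAKMP SA (#1), even though
            # it answers the Quick Mode exchange (#2), so track it per connection.
            c["rejected"] = True
    for c in conns.values():
        if c["rejected"] and c["isakmp"] and c["quick"]:
            c["verdict"] = "phase1 ok, phase2 proposal rejected by peer: " + c["quick"].get("proposal", "?")
        elif c["rejected"]:
            c["verdict"] = "phase1 proposal rejected by peer"
        else:
            c["verdict"] = "no rejection seen"
    return conns
```

Run against the full plutodebug output from both versions, a differing phase 2 proposal string between the two runs is the first thing to compare.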
