SonicWall does not accept the IPsec proposal sent by FreeS/WAN
during Quick mode:
> This is what the Sonicwall log says:
> 04/04/2002 12:53:30.768 - IKE Responder: IPSec proposal not acceptable
> - Source:my.public.ip - Destination:1.2.3.4 - -
>
The informational messages from SonicWall are a consequence of the
above error and should not bother you.
You must configure the same leftsubnet and rightsubnet in SonicWall.
And don't forget to activate Perfect Forward Secrecy (PFS) or
if SonicWall does not support PFS, to deactivate it in FreeS/WAN
by setting pfs=no in ipsec.conf.
Andreas
psnizek_at_belfin.ch wrote:
>
> Hi List users,
>
> I cannot establish a tunnel between FreeS/WAN and a Sonicwall.
>
> ipsec.conf:
> config setup
> # THIS SETTING MUST BE CORRECT or almost nothing will work;
> # %defaultroute is okay for most simple cases.
> interfaces="ipsec0=eth1"
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> #klipsdebug=none
> klipsdebug="xform spi esp ah"
> #plutodebug=none
> plutodebug="control klips emitting parsing"
> # Use auto= parameters in conn descriptions to control startup actions.
> plutoload=%search
> plutostart=%search
> # Close down old connection when new one using same ID shows up.
> uniqueids=yes
> #overridemtu=1500
>
> conn FreeSWAN
> type=tunnel
> authby=secret
> pfs=no
> left=192.168.1.10
> leftid=192.168.1.10
> leftsubnet=10.0.1.0/24
> leftnexthop=192.168.1.1
> leftfirewall=no
> right=1.2.3.4
> rightsubnet=10.11.12.0/24
> rightid=1.2.3.4
> rightfirewall=no
> auto=add
>
> ipsec.secrets:
> 192.168.1.10 1.2.3.4: PSK "XXXXXX"
>
> This is where it hangs:
> gateway:/etc # rcipsec start
> ipsec_setup: Starting FreeS/WAN IPsec 1.91...
> done
> gateway:/etc # ipsec auto --up FreeSWAN
> 104 "FreeSWAN" #1: STATE_MAIN_I1: initiate
> 106 "FreeSWAN" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
> 003 "FreeSWAN" #1: ignoring Vendor ID payload
> 003 "FreeSWAN" #1: ignoring Vendor ID payload
> 108 "FreeSWAN" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
> 004 "FreeSWAN" #1: STATE_MAIN_I4: ISAKMP SA established
> 112 "FreeSWAN" #2: STATE_QUICK_I1: initiate
> 010 "FreeSWAN" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>
> This is what the Sonicwall log says:
> 04/04/2002 12:53:30.768 - IKE Responder: IPSec proposal not acceptable
> - Source:my.public.ip - Destination:1.2.3.4 - -
> /var/log/messages
> Apr 4 11:55:57 gateway Pluto[21326]: | *time to handle event
> Apr 4 11:55:57 gateway Pluto[21326]: | event after this is EVENT_SHUNT_SCAN in 83 seconds
> Apr 4 11:55:57 gateway Pluto[21326]: | handling event EVENT_RETRANSMIT for 195.130.168.19 "FreeSWAN" #2
> Apr 4 11:55:57 gateway Pluto[21326]: | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #2
> Apr 4 11:55:57 gateway Pluto[21326]: | next event EVENT_RETRANSMIT in 40 seconds for #2
> Apr 4 11:55:57 gateway Pluto[21326]: |
> Apr 4 11:55:57 gateway Pluto[21326]: | *received 252 bytes from 195.130.168.19:500 on eth1
> Apr 4 11:55:57 gateway Pluto[21326]: | **parse ISAKMP Message:
> Apr 4 11:55:57 gateway Pluto[21326]: | initiator cookie:
> Apr 4 11:55:57 gateway Pluto[21326]: | f6 b2 30 53 82 6d ce 02
> Apr 4 11:55:57 gateway Pluto[21326]: | responder cookie:
> Apr 4 11:55:57 gateway Pluto[21326]: | 3d 82 3c a8 d4 90 c7 1c
> Apr 4 11:55:57 gateway Pluto[21326]: | next payload type: ISAKMP_NEXT_D
> Apr 4 11:55:57 gateway Pluto[21326]: | ISAKMP version: ISAKMP Version 1.0
> Apr 4 11:55:57 gateway Pluto[21326]: | exchange type: ISAKMP_XCHG_INFO
> Apr 4 11:55:57 gateway Pluto[21326]: | flags: none
> Apr 4 11:55:57 gateway Pluto[21326]: | message ID: 49 b4 e5 e7
> Apr 4 11:55:57 gateway Pluto[21326]: | length: 252
> Apr 4 11:55:57 gateway Pluto[21326]: | ICOOKIE: f6 b2 30 53 82 6d ce 02
> Apr 4 11:55:57 gateway Pluto[21326]: | RCOOKIE: 3d 82 3c a8 d4 90 c7 1c
> Apr 4 11:55:57 gateway Pluto[21326]: | peer: c3 82 a8 13
> Apr 4 11:55:57 gateway Pluto[21326]: | state hash entry 20
> Apr 4 11:55:57 gateway Pluto[21326]: | state object #1 found, in STATE_MAIN_I4
> Apr 4 11:55:57 gateway Pluto[21326]: "FreeSWAN" #1: Informational Exchange message for an established ISAKMP SA must be encrypted
>
> If I understand that correctly (I'm still new to the whole VPN stuff),
> freeswan isn't accepting unencrypted informational messages. I thought
> freeswan would ignore informational messages.
>
> Versions:
> freeswan 1.91
> kernel 2.4.4
>
> If somebody please could give me a hint what to do, I'd be very grateful. If
> you need further information, please let me know.
>
> thanks
> Philipp
>
======================================================================
Andreas Steffen e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH phone: +41 76 340 25 56
Alter Zürichweg 20 home: http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
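The diagnosis above rests on two observations: Main mode completed (STATE_MAIN_I4, ISAKMP SA established) and the stall is a STATE_QUICK_I1 retransmission, which points at the Phase 2 proposal, where the two gateways must agree on the mirrored subnets and on PFS. The following script is an added example, not code from the thread or from the FreeS/WAN project: it parses an ipsec.conf in the posted format, classifies where an `ipsec auto --up` transcript stalled, and compares the conn against a peer policy. The peer policy dictionary (`SAMPLE_PEER_POLICY`, with `local_network`, `remote_network` and `pfs` keys) is a constructed stand-in for what an administrator reads off the SonicWall by hand; the sample config and transcript are constructed to mirror the ones posted.

```python
import re
from ipaddress import ip_network

# Constructed sample: the FreeS/WAN side, mirroring the conn posted in the thread.
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces="ipsec0=eth1"
    uniqueids=yes

conn FreeSWAN
    type=tunnel
    authby=secret
    pfs=no
    left=192.168.1.10
    leftsubnet=10.0.1.0/24
    leftnexthop=192.168.1.1
    right=1.2.3.4
    rightsubnet=10.11.12.0/24
    auto=add
"""

# Constructed sample: the peer's (SonicWall) policy from its own point of view.
# Assumed shape; a real device has to be read out manually.
SAMPLE_PEER_POLICY = {
    "local_network": "10.11.12.0/24",   # network behind the SonicWall
    "remote_network": "10.0.0.0/16",    # what it expects behind FreeS/WAN
    "pfs": True,
}

# Constructed sample: an 'ipsec auto --up' transcript like the one posted.
SAMPLE_PLUTO_OUTPUT = """\
104 "FreeSWAN" #1: STATE_MAIN_I1: initiate
106 "FreeSWAN" #1: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2, expecting MR2
003 "FreeSWAN" #1: ignoring Vendor ID payload
108 "FreeSWAN" #1: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3, expecting MR3
004 "FreeSWAN" #1: STATE_MAIN_I4: ISAKMP SA established
112 "FreeSWAN" #2: STATE_QUICK_I1: initiate
010 "FreeSWAN" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
"""


def parse_ipsec_conf(text):
    """Parse 'config setup' / 'conn NAME' sections into nested dicts.
    Comments (# ...) and blank lines are ignored; quotes around values are stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(config|conn)\s+(\S+)$", line)
        if m:
            current = m.group(2)
            sections[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)   # split on the first '=' only
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def diagnose_pluto(output):
    """Classify where the negotiation stalled: 'phase1' if the ISAKMP SA never
    came up, 'phase2' if Main mode finished but Quick mode is retransmitting,
    'up' if an IPsec SA was established, 'unknown' otherwise."""
    isakmp_up = ipsec_up = quick_retrans = main_retrans = False
    for line in output.splitlines():
        if "ISAKMP SA established" in line:
            isakmp_up = True
        if "IPsec SA established" in line:
            ipsec_up = True
        if "retransmission" in line:
            if "STATE_QUICK" in line:
                quick_retrans = True
            elif "STATE_MAIN" in line:
                main_retrans = True
    if ipsec_up:
        return "up"
    if isakmp_up and quick_retrans:
        return "phase2"
    if not isakmp_up and main_retrans:
        return "phase1"
    return "unknown"


def check_phase2(conn, peer):
    """List Quick-mode mismatches between a FreeS/WAN conn and the peer policy:
    each side's local subnet must equal the other side's remote subnet
    (compared as networks, host bits rejected), and both must agree on PFS."""
    problems = []
    for ours, theirs in (("leftsubnet", "remote_network"), ("rightsubnet", "local_network")):
        try:
            a, b = ip_network(conn.get(ours, "")), ip_network(peer[theirs])
        except ValueError as exc:
            problems.append(f"{ours}: unparsable subnet ({exc})")
            continue
        if a != b:
            problems.append(f"{ours}={a} but peer {theirs}={b}")
    our_pfs = conn.get("pfs", "yes").lower() in ("yes", "true", "1")  # FreeS/WAN default is yes
    if our_pfs != bool(peer["pfs"]):
        problems.append(f"pfs={'yes' if our_pfs else 'no'} but peer pfs={'yes' if peer['pfs'] else 'no'}")
    return problems


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    print("stalled in:", diagnose_pluto(SAMPLE_PLUTO_OUTPUT))
    for p in check_phase2(conf["FreeSWAN"], SAMPLE_PEER_POLICY):
        print("mismatch:", p)
```

On the constructed input the transcript is classified as a Phase 2 stall and two mismatches are reported: the peer's remote network is wider than leftsubnet, and the peer demands PFS while the conn has pfs=no. Either condition alone is enough for the responder to reject the Quick-mode proposal; the script deliberately treats a subnet with host bits set (for example 10.0.1.1/24) as an error rather than silently normalising it, because the two gateways would otherwise appear to match while still disagreeing on the wire.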
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users