
[Users] Interoperability with FW-1 NG

From: Viggiani Domenico, CS (Viggiani_at_pitagora.it)
Date: Thu May 02 2002 - 11:23:13 CEST


Hi Claudia,
I recently installed FW-1 NG FP1 (finally with 3DES support!) and continued
my interoperability test with FreeS/WAN.
Starting FreeS/WAN, now I can see the 3 rows below in the FW-1 log:

Action - Source - Destination - Info
 key install - FreeS/WAN-gw - FW1 - IKE: Main Mode completion.
 key install - FreeS/WAN-gw - FW1 - IKE: Quick Mode Sent Notification: Responder Lifetime
 key install - FreeS/WAN-gw - FW1 - IKE: Quick Mode completion IKE IDs: subnet: <net-behind-fw-1> (mask=255.255.255.0) and subnet <net-behind-FreeS/WAN> (mask=255.255.255.0)

but then I'm unable to see anything in the logs and nothing works (ping, telnet,
FTP, etc.).

Which phase of IKE negotiation am I in?
Could you give me some other good suggestions?

Thanks in advance
Domenico Viggiani

> -----Original Message-----
> From: Claudia Schmeing [mailto:claudia_at_freeswan.org]
> Sent: Tuesday, February 26, 2002 5:13 AM
> To: users_at_lists.freeswan.org
> Cc: Mimmus
> Subject: Re: [Users] no proposal chosen <Phase2 stage1>
>
>
>
> Hi Domenico,
>
>
> You write,
>
> > during my various attempts to test interoperability between FreeS/WAN and
> > Checkpoint FW-1, in a classical configuration subnet-to-subnet, I was unable
> > to set up a tunnel and I got these errors in FW-1 logs:
> >
> > IKE log: no proposal chosen <Phase2 stage1> Negotiation id: 34d90033d
>
> When Linux FreeS/WAN says "no proposal chosen" it is basically the
> "no acceptable transform" error seen from the other side. That is
> discussed at doc/faq.html#notransform . I would assume that your error,
> above, means the same thing.
>
>
> > I suppose that our FW-1 license is only for DES encryption not 3DES and I
> > know FreeS/WAN choices about DES/3DES.
>
> The problem you see certainly could be caused if the FW1 is configured
> to accept DES and not 3DES. It could also be a different configuration
> error, having to do with, for example, the hash algorithms.
>
> Can you double check the terms of your Checkpoint license? Does that interface
> allow you to choose 3DES? If this is the problem, is it possible for you
> to get a 3DES add-on?
>
> You can get information about what Linux FreeS/WAN proposes from:
> * doc/interop.html
> * doc/compat.html#spec
> * your logfiles. You may need to set plutodebug=all to see this.
>
> We accept the same things we propose.
>
> One way to get information about what the Checkpoint is accepting is
> to look at your settings there. That may provide enough information to define
> your problem.
>
> Can you get more information from the Checkpoint logs on why Checkpoint
> doesn't like any of our proposals? If you cannot, you may like to try
> the following trick. If you have easy access to both machines it is a fairly
> simple technique that may yield useful information when you have a hard time
> finding that information in other ways. It goes like this:
>
> Reverse the polarity -- that is, initiate from the Checkpoint. This
> will most likely cause the error to occur on the Linux end where there
> is detailed error reporting. If you are testing with a Linux Road Warrior,
> you will need to pretend it is fixed-ip so that the Checkpoint can find
> it.
>
> Initiate from the Checkpoint, fail (presumably), and check the
> Linux FreeS/WAN logs for evidence of the contents of the Checkpoint
> proposals. This will yield useful information, more so *if* the
> Checkpoint accepts exactly the same things as it proposes. That's a
> logical thing for an IPSec implementation to do, but it's not always done.
>
> Once you see the error, you'll have a specific idea of what's going
> wrong. If the error is to do with single DES, you'll see an error
> message as described in doc/faq.html#noDESsupport . Once the error
> is narrowed down, you can try to alter the Checkpoint settings
> based on this knowledge, so they produce a proposal that Linux FreeS/WAN
> likes.
>
> Once you've successfully altered the settings so that the connection
> is made, restart each end, switching the polarity back.
> Let Linux FreeS/WAN try to start the connection, and see if your
> fix does the trick.
>
> Best of luck troubleshooting.
>
>
>
> Cheers,
>
> Claudia
>
>
>
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
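Added example, not part of the thread: it classifies FW-1 log rows like the three quoted above by the IKE milestone they record (Main Mode completion is Phase 1, Quick Mode completion is Phase 2), and models the responder-side proposal selection behind Claudia's "no proposal chosen" explanation. The log lines and the transform sets are constructed; the subnet values are placeholders, not from the mail.

```python
"""Constructed example: IKE phase classification from FW-1 log rows and
ISAKMP proposal matching. Nothing here is FreeS/WAN or Check Point code."""
import re

# Constructed sample, modelled on the three rows quoted in the mail.
SAMPLE_LOG = [
    "key install - FreeS/WAN-gw - FW1 - IKE: Main Mode completion.",
    "key install - FreeS/WAN-gw - FW1 - IKE: Quick Mode Sent Notification: "
    "Responder Lifetime",
    "key install - FreeS/WAN-gw - FW1 - IKE: Quick Mode completion IKE IDs: "
    "subnet: 10.1.0.0 (mask=255.255.255.0) and subnet 10.2.0.0 "
    "(mask=255.255.255.0)",
]

# Ordered milestones: a later entry in this list means further progress.
MILESTONES = [
    (re.compile(r"no proposal chosen"), "phase2_proposal_rejected"),
    (re.compile(r"Main Mode completion"), "phase1_complete"),
    (re.compile(r"Quick Mode completion"), "phase2_complete"),
]
RANK = {label: i for i, (_, label) in enumerate(MILESTONES)}


def furthest_phase(lines):
    """Return the furthest IKE milestone recorded in the log rows.
    phase2_complete means both IKE phases finished and IPsec SAs were
    installed; with no traffic after that, IKE itself is not the suspect."""
    best = "none"
    for line in lines:
        for pattern, label in MILESTONES:
            if pattern.search(line) and RANK[label] > RANK.get(best, -1):
                best = label
    return best


def choose_proposal(initiator_proposals, responder_proposals):
    """Responder-side selection. A proposal is (encryption, hash, dh_group).
    As in the mail, the responder accepts exactly what it proposes; the first
    initiator proposal it also offers wins, otherwise NO_PROPOSAL_CHOSEN."""
    acceptable = set(responder_proposals)
    for proposal in initiator_proposals:
        if proposal in acceptable:
            return proposal
    return None  # NO_PROPOSAL_CHOSEN


# Constructed transform sets: a 3DES-only initiator against a DES-only peer.
FREESWAN_PROPOSES = [("3DES", "MD5", 2), ("3DES", "SHA1", 2)]
DES_ONLY_PEER = [("DES", "MD5", 1), ("DES", "SHA1", 1)]
```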



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:56 CEST