
[Users] FreeSwan<->SoftRemote v8 connectivity problem (probably applicable more generally): SOLUTION

From: Moray McConnachie (mmcconna_at_oxford-analytica.com)
Date: Thu May 02 2002 - 16:48:17 CEST


No doubt I should have come to the list while I still had the problem, but I
think I have a solution for the problem described at

http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/interop.html

at least for some people. I had the problem using both SoftRemote v8.x and
SSH Sentinel, despite following guides from manufacturers/some of the people
who've had the goodwill to put together config guides.

If you are using a Windows software client and your solution only works from
the freeswan side, and if you turn on all pluto logging at the freeswan end,
and see the message "No acceptable Oakley transform" in your logs, then this
may apply to you.

"No acceptable Oakley transform" appears to mean that Freeswan cannot find
an appropriate key or certificate in the ipsec.secrets file. Certain
software clients appear to provide non-obvious defaults for the identity
details they provide to Freeswan.

Take for example, SoftRemote 8.0. If you look at the identity page, it has
an option to select the type of identity provided. For pre-shared key
exchanges, the only available option is IP address. The default in all cases
is IP address. If you select IP address, you can also select which network
adaptor the connection applies to. The default is "Any adaptor", under which
the IP address is represented as Any. I don't know what the client finally
sends to FreeSwan, but whatever it is does not match the %Any keyword or any
IP address. YOU MUST SET THE ADAPTOR MANUALLY TO WHICHEVER NETWORK ADAPTOR
YOUR CONNECTION TO FREESWAN WILL GO OUT ON, in which case it will send its
IP address as it exchanges with Freeswan, and this will match %Any or the
usual IP details.

I believe my problem with SSH sentinel was similar, although I have not
revisited it to check.

Now my only problem is to persuade one of these companies to sell me a few
licenses at a decent price - unless anyone knows of a cheap alternative
which is available separately? I must be able to use it for commercial
purposes, but our budget is not large.

By the way, I tried to subscribe to this list a couple of hours ago with
no response, automated or otherwise, yet.

Yours,
Moray

------------------------------------
Moray McConnachie, IT Manager
Oxford Analytica http://www.oxan.com
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
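To make the matching behaviour the post describes concrete, here is an added example (not part of the original message and not FreeS/WAN's own code): a small Python model of how a pre-shared key is looked up in ipsec.secrets by the pair of identities at the two ends, together with a scan of pluto log lines for the "No acceptable Oakley transform" message. The ipsec.secrets syntax used (`<id> <id> : PSK "..."`, with `%any` standing for any IP address) follows the FreeS/WAN manual; the secrets file contents and the log lines are constructed for illustration, the "first matching entry wins" rule is a simplification of this example, and the non-IP peer identity "Any" stands in for whatever the client sends when its adaptor is left at the default.

```python
"""Model of FreeS/WAN pre-shared-key selection by peer identity.

Added example, not code from the original post or from FreeS/WAN.
Assumptions are marked in the comments.
"""
import ipaddress
import shlex

# Constructed sample ipsec.secrets content (not a real deployment).
# Each PSK line names the identities of both ends before the colon;
# "%any" is the FreeS/WAN wildcard that matches any IP address.
SECRETS = """\
# a peer pinned to one address (listed first so it wins over the wildcard)
192.0.2.1 198.51.100.7 : PSK "example-pinned-key"
# gateway <-> road warrior: gateway IP plus any peer IP
192.0.2.1 %any : PSK "example-road-warrior-key"
"""

# Constructed pluto log lines; only the quoted message text comes from the post.
PLUTO_LOG = [
    'pluto[1234]: "roadwarrior" #1: responding to Main Mode from unknown peer 203.0.113.9',
    'pluto[1234]: "roadwarrior" #1: No acceptable Oakley transform',
    'pluto[1234]: "roadwarrior" #2: responding to Main Mode from unknown peer 198.51.100.7',
]


def is_ip(identity):
    """True if the identity is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(identity)
        return True
    except ValueError:
        return False


def parse_secrets(text):
    """Return a list of (indices, secret) for the PSK entries in ipsec.secrets text."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        ids_part, body = line.split(":", 1)
        tokens = shlex.split(body)  # handles the quoted secret
        if len(tokens) < 2 or tokens[0] != "PSK":
            continue  # RSA and other entry types are out of scope here
        entries.append((ids_part.split(), tokens[1]))
    return entries


def index_matches(index, identity):
    """%any matches any IP address but nothing else; other indices must match exactly."""
    if index == "%any":
        return is_ip(identity)
    return index == identity


def select_psk(entries, local_id, peer_id):
    """Return the first secret whose two indices cover both identities, else None.

    First-match is a simplification made for this example.
    """
    for indices, secret in entries:
        if len(indices) != 2:
            continue
        a, b = indices
        if (index_matches(a, local_id) and index_matches(b, peer_id)) or (
            index_matches(a, peer_id) and index_matches(b, local_id)
        ):
            return secret
    return None


def oakley_failures(log_lines):
    """Return the log lines carrying the message the post says to look for."""
    needle = "no acceptable oakley transform"
    return [line for line in log_lines if needle in line.lower()]


if __name__ == "__main__":
    entries = parse_secrets(SECRETS)
    gateway = "192.0.2.1"
    for peer in ("198.51.100.7", "203.0.113.9", "Any"):
        print(f"peer {peer!r:16} -> {select_psk(entries, gateway, peer)}")
    for line in oakley_failures(PLUTO_LOG):
        print("check client identity settings:", line)
```

Running it shows the pinned peer and an arbitrary road-warrior address each find a key, while the placeholder identity "Any" matches neither `%any` nor a literal address and gets none, which is the situation the post resolves by selecting a specific adaptor on the client.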



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST