From: Ken Bantoft (ken_at_freeswan.ca)
Date: Tue Jan 14 2003 - 20:14:12 CET
On 14 Jan 2003, Sean McAvoy wrote:
> Hello,
> I'm having issues connecting Freeswan 1.99 to a Cisco 3620 (ios 12.2).
> The Linux system attempts to initiate the connection, and the Cisco
> returns an error of "NO_PROPOSAL_CHOSEN". I've attached the Cisco crypto
> config, Freeswan config section, and the logs of both Freeswan and Cisco
> for the connection. I think it has something to do with the Cisco not
> accepting what Freeswan is offering, but not being a Cisco person (let
> alone expert), I'm not sure.
> Any help is much appreciated.
>
>
> -Sean
>
> Cisco crypto config (the london connection is to a watchguard box):
>
> crypto isakmp policy 1
> authentication pre-share
> lifetime 28800
> crypto isakmp key toronto address 123.456.789.11
> crypto isakmp key london address 11.987.654.321
> !
> !
> crypto ipsec transform-set london esp-3des esp-sha-hmac
> crypto ipsec transform-set toronto esp-3des esp-sha-hmac
Change to esp-md5-hmac, since FreeS/WAN doesn't seem to propose this, even
though I know you specified it in FS config like below:
> auth = esp
> esp = 3des-sha1-96
>
> END OF FREESWAN CONFIG
> --------------------------------
>
> Cisco log:
>
> 18:48:57: ISAKMP (0:30): processing SA payload. message ID = 0
> 18:48:57: ISAKMP (0:30): found peer pre-shared key matching
> 123.456.789.11
> 18:48:57: ISAKMP (0:30): Checking ISAKMP transform 0 against priority 1
> policy
> 18:48:57: ISAKMP: life type in seconds
> 18:48:57: ISAKMP: life duration (basic) of 3600
> 18:48:57: ISAKMP: encryption 3DES-CBC
> 18:48:57: ISAKMP: hash MD5
> 18:48:57: ISAKMP: auth pre-share
> 18:48:57: ISAKMP: default group 5
> 18:48:57: ISAKMP (0:30): Encryption algorithm offered does not match
> policy!
FS seems to propose MD5 first... with group 5 - Cisco not happy.
> 18:48:57: ISAKMP (0:30): atts are not acceptable. Next payload is 3
> 18:48:57: ISAKMP (0:30): Checking ISAKMP transform 1 against priority 1
> policy
> 18:48:57: ISAKMP: life type in seconds
> 18:48:57: ISAKMP: life duration (basic) of 3600
> 18:48:57: ISAKMP: encryption 3DES-CBC
> 18:48:57: ISAKMP: hash SHA
> 18:48:57: ISAKMP: auth pre-share
> 18:48:57: ISAKMP: default group 5
> 18:48:57: ISAKMP (0:30): Encryption algorithm offered does not match
> policy!
Then we try SHA1 w/Group 5 - Cisco still not happy.
> 18:48:57: ISAKMP (0:30): atts are not acceptable. Next payload is 3
> 18:48:57: ISAKMP (0:30): Checking ISAKMP transform 2 against priority 1
> policy
> 18:48:57: ISAKMP: life type in seconds
> 18:48:58: ISAKMP: life duration (basic) of 3600
> 18:48:58: ISAKMP: encryption 3DES-CBC
> 18:48:58: ISAKMP: hash MD5
> 18:48:58: ISAKMP: auth pre-share
> 18:48:58: ISAKMP: default group 2
> 18:48:58: ISAKMP (0:30): Encryption algorithm offered does not match
> policy!
Then we try MD5 w/Group 2 - Still not happy.
> 18:48:58: ISAKMP (0:30): atts are not acceptable. Next payload is 3
> 18:48:58: ISAKMP (0:30): Checking ISAKMP transform 3 against priority 1
> policy
> 18:48:58: ISAKMP: life type in seconds
> 18:48:58: ISAKMP: life duration (basic) of 3600
> 18:48:58: ISAKMP: encryption 3DES-CBC
> 18:48:58: ISAKMP: hash SHA
> 18:48:58: ISAKMP: auth pre-share
> 18:48:58: ISAKMP: default group 2
> 18:48:58: ISAKMP (0:30): Encryption algorithm offered does not match
> policy!
> 18:48:58: ISAKMP (0:30): atts are not acceptable. Next payload is 0
How about SHA w/Group 2 ? Nope.
Hm. Ensure you enable PFS group 2 in your Cisco config. I didn't see it
there, but since FS won't support group 1 (insecure) and I know that's the
Cisco default, ensure you enable group 2 (or 5, if Cisco supports it)
--
Ken Bantoft The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca http://www.freeswan.ca
PGP Key: finger ken_at_bantoft.org
"We can factor the number 15 with quantum computers. We
can also factor the number 15 with a dog trained to bark
three times." -- Robert Harley, 5/12/01, Sci.crypt
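As an added example (not code from the thread or from FreeS/WAN), here is a small Python diagnostic that parses the IOS debug lines quoted above and compares each offered transform against the effective ISAKMP policy, filling in the IOS defaults (des, sha, rsa-sig, group 1) for every attribute the posted `crypto isakmp policy 1` leaves unset. The `encr 3des` and `group 2` lines in `CONFIG_FIXED` are an assumed fix, and the log excerpt is constructed from the thread with the wrapped lines rejoined.

```python
import re

# Constructed from the thread: the posted policy sets only two attributes, so
# IOS falls back to its defaults (des, sha, rsa-sig, group 1) for the rest.
CONFIG_AS_POSTED = "crypto isakmp policy 1\n authentication pre-share\n lifetime 28800\n"
# Assumed fix: state the encryption and DH group that FreeS/WAN actually proposes.
CONFIG_FIXED = CONFIG_AS_POSTED + " encr 3des\n group 2\n"

# Constructed excerpt of the IOS debug output quoted above (transforms 0 and 3).
CISCO_LOG = """\
18:48:57: ISAKMP (0:30): Checking ISAKMP transform 0 against priority 1 policy
18:48:57: ISAKMP: encryption 3DES-CBC
18:48:57: ISAKMP: hash MD5
18:48:57: ISAKMP: auth pre-share
18:48:57: ISAKMP: default group 5
18:48:58: ISAKMP (0:30): Checking ISAKMP transform 3 against priority 1 policy
18:48:58: ISAKMP: encryption 3DES-CBC
18:48:58: ISAKMP: hash SHA
18:48:58: ISAKMP: auth pre-share
18:48:58: ISAKMP: default group 2
"""

IOS_DEFAULTS = {"encryption": "DES-CBC", "hash": "SHA", "auth": "rsa-sig", "group": 1}
# Map config keywords onto the names the debug output uses for the same attribute.
ENCR = {"des": "DES-CBC", "3des": "3DES-CBC", "aes": "AES-CBC"}
HASH = {"sha": "SHA", "md5": "MD5"}

def parse_policy(config):
    """Return the effective policy: IOS defaults overridden by configured lines."""
    policy = dict(IOS_DEFAULTS)
    for key, val in re.findall(r"^\s*(encr|hash|authentication|group)\s+(\S+)", config, re.M):
        if key == "encr": policy["encryption"] = ENCR[val]
        elif key == "hash": policy["hash"] = HASH[val]
        elif key == "authentication": policy["auth"] = val
        else: policy["group"] = int(val)
    return policy

def parse_transforms(log):
    """Group the 'ISAKMP:' attribute lines under the transform they belong to."""
    transforms, current = {}, None
    for line in log.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            current = transforms.setdefault(int(m.group(1)), {})
        elif m := re.search(r"ISAKMP: (encryption|hash|auth) (\S+)", line):
            current[m.group(1)] = m.group(2)
        elif m := re.search(r"ISAKMP: default group (\d+)", line):
            current["group"] = int(m.group(1))
    return transforms

def explain(config, log):
    """For each offered transform, name the first attribute IOS would reject, or None."""
    policy, result = parse_policy(config), {}
    for idx, offered in parse_transforms(log).items():
        bad = [a for a in ("encryption", "hash", "auth", "group") if offered.get(a) != policy[a]]
        result[idx] = bad[0] if bad else None
    return result
```

With the policy as posted every transform fails on encryption (3DES offered against the DES default), which is exactly the "Encryption algorithm offered does not match policy!" line in the log; with the assumed fix, transform 3 (3DES/SHA/group 2) is accepted.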
This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:40 CET