S Mohan wrote:
I'm trying to set up a VPN connection between a Win2K box and LEAF using a preshared key setup. I went as per the steps given in the Microsoft site to set up IPSec negotiations from IP to IP. The URL is http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp and the section is titled "Building A Custom IPSec Policy". I've established a preshared key setup between two Bering boxes. It took me just 10 minutes. Win2K had me working overtime! I've two machines with Bering on 202.91.64.139 and my Win2K box on 202.91.64.132. If I stop ipsec and unassign the IPSec policy on the local machine, I'm able to ping the IP. IPSec does not go through. I'm giving below the information that I think is relevant. Can someone give me help on what I need to look for and do?
<snip>

[root@test01 log]ipsec barf|tail -20
Dec 28 17:22:51 test01 ipsec__plutorun: Starting Pluto subsystem...
Dec 28 17:22:51 test01 pluto[6689]: Starting Pluto (FreeS/WAN Version 1.99)
Dec 28 17:22:51 test01 pluto[6689]: added connection description "testroad"
Dec 28 17:22:51 test01 pluto[6689]: listening for IKE messages
Dec 28 17:22:51 test01 pluto[6689]: adding interface ipsec0/eth0 202.91.64.139
Dec 28 17:22:51 test01 pluto[6689]: loading secrets from "/etc/ipsec.secrets"
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: initiating Main Mode
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: ignoring Vendor ID payload
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: ISAKMP SA established
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: received and ignored informational message
Dec 28 17:24:01 test01 pluto[6689]: "testroad" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Dec 28 17:24:01 test01 pluto[6689]: "testroad" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Dec 28 17:24:01 test01 pluto[6689]: "testroad" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #2
Dec 28 17:24:01 test01 pluto[6689]: "testroad" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 17:24:01 test01 pluto[6689]: "testroad" #1: received and ignored informational message
+ _________________________ date
+ date
Sat Dec 28 17:24:43 IST 2002
If you'll accept a WAG, it looks to me like your problem is in these key log entries:
> Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: received and ignored informational message
> Dec 28 17:24:01 test01 pluto[6689]: "testroad" #2: max number of retransmissions (2) reached
> STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

And now for the WAG part: Have you installed the 3DES patch on Windows? FreeS/WAN will *NOT* negotiate a single DES connection, and while Windows gives you a 3DES "check-box" in all versions, you have to install a downloadable patch to actually be able to *USE* 3DES, rather than simply click the radio box. You can get the MS "High-Encryption pack" here:
http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp

NOTE: The URL above came straight from the FreeS/WAN interop docs:
http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/interop.html#microsoft

You'll also find example configs and some HOWTO's for hooking MS to FreeS/WAN, which might be helpful.

--
Charles Steinkuehler
[EMAIL PROTECTED]
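The point of Charles's reading of the log is that the failure is in Phase 2, not Phase 1: "ISAKMP SA established" means the preshared key and Main Mode parameters already agree, and the NO_PROPOSAL_CHOSEN that follows the "initiating Quick Mode" line is the Windows side refusing the IPsec SA (ESP) proposal. The script below is an added example for this thread, not code from FreeS/WAN or from either poster. It parses Pluto's `"conn" #N: message` log format and tells the two cases apart. `MOHAN_LOG` is copied from the log posted above; `PHASE1_FAIL_LOG` is a constructed contrast case (its wording approximates Pluto's Main Mode retransmission message and is not taken from the thread), and the verdict names and advice strings are this example's own.

```python
"""Triage a FreeS/WAN (Pluto) log: did IKE fail in Phase 1 or Phase 2?

Added example for this thread, not FreeS/WAN code or the posters' code.
"""
import re
from collections import defaultdict
from typing import Dict

# Copied from the Pluto log posted in this thread (FreeS/WAN 1.99).
MOHAN_LOG = """\
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: initiating Main Mode
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: ignoring Vendor ID payload
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: ISAKMP SA established
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 17:22:51 test01 pluto[6689]: "testroad" #1: received and ignored informational message
Dec 28 17:24:01 test01 pluto[6689]: "testroad" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Dec 28 17:24:01 test01 pluto[6689]: "testroad" #2: starting keying attempt 2 of an unlimited number, but releasing whack
"""

# Constructed contrast case (NOT from the thread): the peer rejects the Main
# Mode proposal itself, so no ISAKMP SA is ever established.
PHASE1_FAIL_LOG = """\
Dec 28 18:00:00 test01 pluto[7001]: "othertest" #1: initiating Main Mode
Dec 28 18:00:00 test01 pluto[7001]: "othertest" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 28 18:01:10 test01 pluto[7001]: "othertest" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

# Pluto per-state lines look like:  <ts> <host> pluto[pid]: "<conn>" #<n>: <msg>
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# Verdict names and advice are this example's own, not Pluto output.
ADVICE = {
    "ok": "Both SAs are up; if traffic still fails, look at routing/firewall, not IKE.",
    "phase2_proposal_rejected": (
        "ISAKMP SA established, so the preshared key and Main Mode settings match. "
        "The peer rejected the Quick Mode (IPsec SA) proposal: compare the ESP "
        "cipher/integrity (FreeS/WAN will not negotiate single DES, so the peer must "
        "be able to offer 3DES), PFS, and the subnets/selectors on both ends."),
    "phase1_proposal_rejected": (
        "No ISAKMP SA: the peer rejected the Main Mode proposal (IKE cipher, hash, "
        "DH group or authentication method mismatch)."),
    "phase1_no_response": (
        "No ISAKMP SA and no rejection seen: check reachability, UDP/500 filtering, "
        "and the preshared key / peer identity."),
    "unknown": "Could not classify; read the full log.",
}


def parse_pluto(text: str) -> Dict[str, list]:
    """Group per-state messages by connection name."""
    by_conn = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            by_conn[m.group("conn")].append(m.group("msg"))
    return by_conn


def diagnose(text: str) -> Dict[str, str]:
    """Return a verdict (see ADVICE keys) for every connection in the log."""
    verdicts = {}
    for conn, msgs in parse_pluto(text).items():
        phase1_ok = any("ISAKMP SA established" in m for m in msgs)
        phase2_ok = any("IPsec SA established" in m for m in msgs)
        rejected = any("NO_PROPOSAL_CHOSEN" in m for m in msgs)
        quick_stuck = any("STATE_QUICK_I1" in m for m in msgs)
        if phase2_ok:
            verdicts[conn] = "ok"
        elif phase1_ok and (rejected or quick_stuck):
            # Phase 1 succeeded, so the rejection belongs to the Quick Mode exchange.
            verdicts[conn] = "phase2_proposal_rejected"
        elif not phase1_ok and rejected:
            verdicts[conn] = "phase1_proposal_rejected"
        elif not phase1_ok:
            verdicts[conn] = "phase1_no_response"
        else:
            verdicts[conn] = "unknown"
    return verdicts


def report(text: str) -> Dict[str, str]:
    """Verdict plus a one-line hint per connection."""
    return {conn: f"{v}: {ADVICE[v]}" for conn, v in diagnose(text).items()}


if __name__ == "__main__":
    for sample in (MOHAN_LOG, PHASE1_FAIL_LOG):
        for conn, line in report(sample).items():
            print(f"{conn} -> {line}")
```

Run it on `ipsec barf` output (or `/var/log/auth.log` on a box that logs Pluto there) and the thread's log comes out as `phase2_proposal_rejected`, while the constructed case comes out as `phase1_proposal_rejected`; the distinction is what tells you whether to look at the preshared key and IKE settings or at the ESP transform, which is exactly the step Charles took by eye.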




leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
