Re: [strongSwan] Watchguard Edge - StrongSwan
Hi Andreas,

Sorry... I'm really new to VPN configuration... I changed the Watchguard Edge configuration, but I'm getting this message:

    max number of retransmissions (2) reached STATE_QUICK_I1.
    No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

These are the new Watchguard configs:

Phase 1 Settings:
    Mode: Main Mode
    Authentication Algorithm: SHA1-HMAC
    Encryption Algorithm: AES (256)
    Diffie-Hellman Group: 2

Phase 2 Settings:
    Authentication Algorithm: SHA1-HMAC
    Encryption Algorithm: AES (256)
    Enable PFS

This is the conn in ipsec.conf:

conn vpntest
    keyexchange=ikev1
    ike=aes256-sha-modp1536
    pfs=yes
    pfsgroup=modp1536
    esp=aes256-sha1-modp1536
    compress=no
    authby=secret
    left=200.111.111.111
    leftsubnet=10.10.10.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=200.222.222.222
    rightsubnet=192.168.10.0/24
    auto=start

What could be wrong in the configs above?

Thanks in advance for your help! :)

2009/3/17 Andreas Steffen <andreas.stef...@strongswan.org>:

> strongSwan does *not* support IKEv1 Aggressive Mode - otherwise we would have named the project weakSwan!
>
> Best regards
>
> Andreas
>
> Tica wrote:
>> Hello all,
>>
>> I'm really new to strongSwan!! Is it possible to connect Watchguard Edge to strongSwan?
>>
>> I'm asking this because I'm having huge headaches here trying to establish a VPN between these two systems. The biggest problem is that I can't change the Watchguard Edge's configuration... and I already tried (without success) a lot of configurations in ipsec.conf.
>>
>> These are the Watchguard configurations:
>>
>> Phase 1 Settings
>>     Mode: Aggressive Mode
>>     Authentication Algorithm: SHA1-HMAC
>>     Encryption Algorithm: DES-CBC
>>     Diffie-Hellman Group: 1
>>
>> Phase 2 Settings
>>     Authentication Algorithm: SHA1-HMAC
>>     Encryption Algorithm: DES-CBC
>>     Enable PFS
>>
>> Please... what should be the correct configuration in ipsec.conf??
>>
>>     keyexchange=ikev1
>>     esp= ?
>>     pfs=yes
>>     pfsgroup= ?
>>     compress=no
>>     authby=secret
>>     ike= ?
>>
>> Any help will be really appreciated!!
>>
>> Thanks in advance to you all!
> --
> ==
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===[ITA-HSR]==

--
Tica ;-)

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Watchguard Edge - StrongSwan
Tica wrote:
> I changed the watchguard edge configuration. but I'm getting this message:
> max number of retransmissions (2) reached STATE_QUICK_I1.
> No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Can you provide us with the logfiles of the Watchguard Edge? They might contain valuable information about why it rejected the proposal.

> Diffie-Hellman Group: 2

This is equivalent to modp1024, isn't it?

> conn vpntest
>     keyexchange=ikev1
>     ike=aes256-sha-modp1536
>     pfs=yes
>     pfsgroup=modp1536
>     esp=aes256-sha1-modp1536
>     compress=no
>     authby=secret
>     left=200.111.111.111
>     leftsubnet=10.10.10.0/24
>     leftfirewall=yes
>     lefthostaccess=yes
>     right=200.222.222.222
>     rightsubnet=192.168.10.0/24
>     auto=start

Try

    pfsgroup=modp1024
    esp=aes256-sha1

The traffic selector which is 10.10.10.0/24 = 192.168.10.0/24 is IMHO also part of the proposal. Does this match with the configuration on the peer?

Also, is the peer configured to use ESP in tunnel mode?

Daniel
Re: [strongSwan] Watchguard Edge - StrongSwan
Hello Daniel,

These are the Watchguard Edge logs... I don't know if they have something useful.

These are the logs when I start ipsec:

Mar 17 11:26:46 iked FROM 200.111.111.111 QM-HDR* -411A2BF4 ISA_HASH ISA_SA ISA_NONCE ISA_KE ISA_ID ISA_ID
Mar 17 11:26:44 iked Quick Mode processing failed
Mar 17 11:26:44 iked TO 200.111.111.111 IF-HDR* -A11C7729 ISA_HASH ISA_NOTIFY
Mar 17 11:26:44 iked Sending INVALID_ID_INFO message
Mar 17 11:26:44 iked get_ipsec_pref: Unable to find channel info for remote(200.111.111.111)
Mar 17 11:26:43 iked FROM 200.111.111.111 QM-HDR* -BEB2DDCD ISA_HASH ISA_SA ISA_NONCE ISA_KE ISA_ID ISA_ID
Mar 17 11:26:43 iked TO 200.111.111.111 MM-HDR* ISA_ID ISA_HASH
Mar 17 11:26:43 iked FROM 200.111.111.111 MM-HDR* ISA_ID ISA_HASH
Mar 17 11:26:43 iked CRYPTO ACTIVE after delay
Mar 17 11:26:43 iked TO 200.111.111.111 MM-HDR ISA_KE ISA_NONCE
Mar 17 11:26:42 iked FROM 200.111.111.111 MM-HDR ISA_KE ISA_NONCE
Mar 17 11:26:42 iked TO 200.111.111.111 MM-HDR ISA_SA
Mar 17 11:26:42 iked Rejecting peer DPD request: not configured
Mar 17 11:26:42 iked Rejecting peer XAUTH request: not configured
Mar 17 11:26:42 iked FROM 200.111.111.111 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID

These are the logs after:

Mar 17 11:31:56 iked TO 200.111.111.111 IF-HDR ISA_NOTIFY
Mar 17 11:31:56 iked Sending INVALID_COOKIE message
Mar 17 11:31:56 iked Received a packet for an unknown SA
Mar 17 11:31:56 iked FROM 200.111.111.111 QM-HDR* -573207E7 ISA_HASH
Mar 17 11:31:53 iked TO 200.111.111.111 IF-HDR ISA_NOTIFY
Mar 17 11:31:53 iked Sending INVALID_COOKIE message
Mar 17 11:31:53 iked Received a packet for an unknown SA

I changed the configs you suggested, but still no connection... Also... corrected the Diffie-Hellman group!

Any help will be really appreciated!!!

Thanks in advance!!!

2009/3/17 Daniel Mentz <danielml+mailinglists.strongs...@sent.com>:

> Tica wrote:
>> I changed the watchguard edge configuration. but I'm getting this message:
>> max number of retransmissions (2) reached STATE_QUICK_I1.
>> No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>
> Can you provide us with the logfiles of the Watchguard Edge? They might contain valuable information about why it rejected the proposal.
>
>> Diffie-Hellman Group: 2
>
> This is equivalent to modp1024, isn't it?
>
>> conn vpntest
>>     keyexchange=ikev1
>>     ike=aes256-sha-modp1536
>>     pfs=yes
>>     pfsgroup=modp1536
>>     esp=aes256-sha1-modp1536
>>     compress=no
>>     authby=secret
>>     left=200.111.111.111
>>     leftsubnet=10.10.10.0/24
>>     leftfirewall=yes
>>     lefthostaccess=yes
>>     right=200.222.222.222
>>     rightsubnet=192.168.10.0/24
>>     auto=start
>
> Try
>
>     pfsgroup=modp1024
>     esp=aes256-sha1
>
> The traffic selector which is 10.10.10.0/24 = 192.168.10.0/24 is IMHO also part of the proposal. Does this match with the configuration on the peer?
>
> Also, is the peer configured to use ESP in tunnel mode?
>
> Daniel

--
Tica ;-)
Re: [strongSwan] Watchguard Edge - StrongSwan
Tica wrote:
> Mar 17 11:26:44 iked get_ipsec_pref: Unable to find channel info for remote(200.111.111.111)

Hi Tica,

this seems to be the most important message to me:

    Unable to find channel info for remote(200.111.111.111)

I did a web search and found an entry in some forum. Somebody was getting the same error message. The response was:

    Did you set up a gateway then a channel (or tunnel) for the gateway and finally, as asked above, a routing policy for the channel on the firebox?

The way in which you configure an IPsec gateway differs from product to product. I guess for Watchguard you have to set up a gateway and one or more tunnels for each gateway.

I checked the web for a user manual for Watchguard but I didn't find a decent one. Can you send a link for the user manual? Or maybe you can post a screenshot of the configuration GUI.

I guess you're missing some parameters on the Watchguard. Did you explicitly specify 10.10.10.0/24 = 192.168.10.0/24 somewhere in the Watchguard config?

Daniel
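As an added example (not code from the thread's authors, strongSwan or Watchguard), here is a small Python reader for the iked log lines Tica posted earlier in the thread. It re-orders the newest-first output by timestamp, records whether Main Mode finished and Quick Mode was attempted, collects the NOTIFY messages the Watchguard sent back, and turns the line Daniel singled out into the diagnosis he gave. The line-format regex, the classification rules and the hint texts are this example's own assumptions about the Watchguard log format; the LOG sample is copied from Tica's post.

```python
"""Summarise where an IKEv1 negotiation stopped from Watchguard Edge iked log lines.
Added example; LOG is copied from the thread, the regex and the rules are assumptions."""

import re
from datetime import datetime

# Sample lines as posted in the thread (newest first, the way the Watchguard shows them)
LOG = """
Mar 17 11:26:46 iked FROM 200.111.111.111 QM-HDR* -411A2BF4 ISA_HASH ISA_SA ISA_NONCE ISA_KE ISA_ID ISA_ID
Mar 17 11:26:44 iked Quick Mode processing failed
Mar 17 11:26:44 iked TO 200.111.111.111 IF-HDR* -A11C7729 ISA_HASH ISA_NOTIFY
Mar 17 11:26:44 iked Sending INVALID_ID_INFO message
Mar 17 11:26:44 iked get_ipsec_pref: Unable to find channel info for remote(200.111.111.111)
Mar 17 11:26:43 iked FROM 200.111.111.111 QM-HDR* -BEB2DDCD ISA_HASH ISA_SA ISA_NONCE ISA_KE ISA_ID ISA_ID
Mar 17 11:26:43 iked TO 200.111.111.111 MM-HDR* ISA_ID ISA_HASH
Mar 17 11:26:43 iked FROM 200.111.111.111 MM-HDR* ISA_ID ISA_HASH
Mar 17 11:26:43 iked CRYPTO ACTIVE after delay
Mar 17 11:26:43 iked TO 200.111.111.111 MM-HDR ISA_KE ISA_NONCE
Mar 17 11:26:42 iked FROM 200.111.111.111 MM-HDR ISA_KE ISA_NONCE
Mar 17 11:26:42 iked TO 200.111.111.111 MM-HDR ISA_SA
Mar 17 11:26:42 iked Rejecting peer DPD request: not configured
Mar 17 11:26:42 iked Rejecting peer XAUTH request: not configured
Mar 17 11:26:42 iked FROM 200.111.111.111 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
Mar 17 11:31:56 iked TO 200.111.111.111 IF-HDR ISA_NOTIFY
Mar 17 11:31:56 iked Sending INVALID_COOKIE message
Mar 17 11:31:56 iked Received a packet for an unknown SA
Mar 17 11:31:56 iked FROM 200.111.111.111 QM-HDR* -573207E7 ISA_HASH
Mar 17 11:31:53 iked TO 200.111.111.111 IF-HDR ISA_NOTIFY
Mar 17 11:31:53 iked Sending INVALID_COOKIE message
Mar 17 11:31:53 iked Received a packet for an unknown SA
"""

# Assumed line layout: "<Mon> <day> <HH:MM:SS> iked <message>"
LINE_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) iked (?P<msg>.*)$")


def parse(log):
    """Return (timestamp, message) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
        events.append((ts, m["msg"]))
    # The input is newest-first; reversing before the stable sort keeps
    # lines that share one second in their original (chronological) order.
    events.reverse()
    events.sort(key=lambda e: e[0])
    return events


def diagnose(events):
    """Summarise the exchange: did Main Mode finish, did Quick Mode arrive,
    which NOTIFY messages went back, and what the log suggests about the cause."""
    msgs = [m for _, m in events]
    summary = {
        # The Watchguard sending its encrypted MM-HDR* ISA_ID ISA_HASH means Phase 1 completed.
        "phase1_complete": any(m.startswith("TO ") and "MM-HDR*" in m and "ISA_ID" in m for m in msgs),
        "quick_mode_received": any(m.startswith("FROM ") and "QM-HDR*" in m and "ISA_SA" in m for m in msgs),
        "notifies": [n for m in msgs for n in re.findall(r"Sending (\w+) message", m)],
        "hints": [],
    }
    if any("Unable to find channel info" in m for m in msgs):
        summary["hints"].append(
            "no tunnel (channel) is bound to this gateway on the Watchguard, so the Quick Mode "
            "IDs (traffic selectors) cannot be matched and INVALID_ID_INFO is returned")
    if "INVALID_COOKIE" in summary["notifies"]:
        summary["hints"].append(
            "later packets refer to an ISAKMP SA the Watchguard no longer knows; restart "
            "the connection on both sides before reading further errors")
    if summary["phase1_complete"] and any(m.startswith("Rejecting peer") for m in msgs):
        summary["hints"].append(
            "the peer offered DPD/XAUTH extensions the Watchguard has not enabled; they were "
            "declined during Main Mode and Phase 1 still completed afterwards")
    return summary


if __name__ == "__main__":
    for key, value in diagnose(parse(LOG)).items():
        print(f"{key}: {value}")
```

The ordering step matters more than it looks: read newest-first, the log seems to show INVALID_ID_INFO before any Quick Mode packet; read in time order it is clear that Phase 1 succeeded and the first Quick Mode message was rejected for its IDs, which is exactly what strongSwan reported as "perhaps peer likes no proposal".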
[strongSwan] Watchguard Edge - StrongSwan
Hello all,

I'm really new to strongSwan!! Is it possible to connect Watchguard Edge to strongSwan?

I'm asking this because I'm having huge headaches here trying to establish a VPN between these two systems. The biggest problem is that I can't change the Watchguard Edge's configuration... and I already tried (without success) a lot of configurations in ipsec.conf.

These are the Watchguard configurations:

Phase 1 Settings
    Mode: Aggressive Mode
    Authentication Algorithm: SHA1-HMAC
    Encryption Algorithm: DES-CBC
    Diffie-Hellman Group: 1

Phase 2 Settings
    Authentication Algorithm: SHA1-HMAC
    Encryption Algorithm: DES-CBC
    Enable PFS

Please... what should be the correct configuration in ipsec.conf??

    keyexchange=ikev1
    esp= ?
    pfs=yes
    pfsgroup= ?
    compress=no
    authby=secret
    ike= ?

Any help will be really appreciated!!

Thanks in advance to you all!

--
Tica ;-)
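The thread's two rounds of configuration (the original Aggressive Mode / DES-CBC / group 1 policy above, and the later Main Mode / AES-256 / group 2 policy that Daniel corrected to pfsgroup=modp1024 and esp=aes256-sha1) are both instances of the same task: derive the ike=, esp= and pfsgroup= values from the peer's Phase 1/2 settings and check a conn against them. The following Python is an added example that does that; it is not strongSwan or Watchguard code. The DH_GROUPS, ENC and AUTH lookup tables, the Watchguard label spellings, the minimal conn parser and the assumption that the PFS group follows the Phase 1 group (which is what Daniel's advice implies) are this example's own.

```python
"""Check an ipsec.conf conn against a Watchguard Edge IKEv1 policy.
Added example; the policy values are the ones posted in the thread, the
lookup tables, parser and PFS-group assumption are this example's own."""

# IKE DH group numbers -> strongSwan keywords (RFC 2409 groups 1 and 2, RFC 3526 groups 5 and 14)
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
# Watchguard GUI labels (spelling assumed) -> strongSwan proposal keywords
ENC = {"DES-CBC": "des", "3DES-CBC": "3des", "AES (128)": "aes128", "AES (256)": "aes256"}
AUTH = {"SHA1-HMAC": "sha1", "MD5-HMAC": "md5"}


def watchguard_to_strongswan(phase1, phase2):
    """Return (expected ipsec.conf settings, show-stoppers no setting can fix)."""
    problems = []
    if phase1["mode"].lower().startswith("aggressive"):
        problems.append("Phase 1 is Aggressive Mode, which strongSwan's IKEv1 does not support; "
                        "the peer must be switched to Main Mode")
    group = DH_GROUPS[phase1["dh_group"]]
    expected = {
        "keyexchange": "ikev1",
        "ike": f"{ENC[phase1['enc']]}-{AUTH[phase1['auth']]}-{group}",
        "esp": f"{ENC[phase2['enc']]}-{AUTH[phase2['auth']]}",
    }
    if phase2.get("pfs"):
        expected["pfs"] = "yes"
        expected["pfsgroup"] = group  # assumption: PFS reuses the Phase 1 DH group
    return expected, problems


def parse_conn(text):
    """Turn the key=value lines of one conn section into a dict (assumed minimal parser)."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("conn ") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn


def normalize(proposal):
    """Split 'aes256-sha-modp1536' into parts, folding the 'sha' alias pluto accepted into 'sha1'."""
    return ["sha1" if p == "sha" else p for p in proposal.split("-")]


def check_conn(conn, expected):
    """List every way the conn's proposals differ from what the peer will accept."""
    issues = []
    if conn.get("keyexchange") != expected["keyexchange"]:
        issues.append("keyexchange must be ikev1 for this peer")
    if normalize(conn.get("ike", "")) != normalize(expected["ike"]):
        issues.append(f"ike={conn.get('ike')} but the peer's Phase 1 needs {expected['ike']}")
    esp = normalize(conn.get("esp", ""))
    # A third, modpNNNN component on esp= pins the PFS group inside the ESP proposal
    esp_group = esp[2] if len(esp) == 3 and esp[2].startswith("modp") else None
    if esp[:2] != normalize(expected["esp"]):
        issues.append(f"esp={conn.get('esp')} but the peer's Phase 2 needs {expected['esp']}")
    if expected.get("pfs") == "yes":
        want = expected["pfsgroup"]
        if conn.get("pfs") != "yes":
            issues.append("the peer has PFS enabled but the conn lacks pfs=yes")
        if conn.get("pfsgroup") != want:
            issues.append(f"pfsgroup={conn.get('pfsgroup')} but the peer's DH group is {want}")
        if esp_group and esp_group != want:
            issues.append(f"esp= carries {esp_group}, a PFS group the peer does not use; "
                          f"use esp={expected['esp']} with pfsgroup={want}")
    return issues


# Policy from Tica's second post: Main Mode, AES-256, SHA1, DH group 2, PFS enabled.
WATCHGUARD_P1 = {"mode": "Main Mode", "auth": "SHA1-HMAC", "enc": "AES (256)", "dh_group": 2}
WATCHGUARD_P2 = {"auth": "SHA1-HMAC", "enc": "AES (256)", "pfs": True}

# The conn as posted (addresses are the thread's own placeholders).
POSTED_CONN = """
conn vpntest
    keyexchange=ikev1
    ike=aes256-sha-modp1536
    pfs=yes
    pfsgroup=modp1536
    esp=aes256-sha1-modp1536
    compress=no
    authby=secret
    left=200.111.111.111
    leftsubnet=10.10.10.0/24
    right=200.222.222.222
    rightsubnet=192.168.10.0/24
    auto=start
"""

if __name__ == "__main__":
    expected, problems = watchguard_to_strongswan(WATCHGUARD_P1, WATCHGUARD_P2)
    for issue in problems + check_conn(parse_conn(POSTED_CONN), expected):
        print("-", issue)
```

Run against the posted conn it reports three mismatches, all of them the modp1536 group that Daniel spotted (in ike=, in pfsgroup= and pinned inside esp=); against the original post's policy it yields ike=des-sha1-modp768 and esp=des-sha1 but flags Aggressive Mode as the reason no ipsec.conf value will help, which is Andreas's answer.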