Hello Daniel,

These are the WatchGuard Edge logs... I don't know if they have something useful:
These are the logs when I start ipsec:

Mar 17 11:26:46 iked FROM 200.111.111.111 QM-HDR* -411A2BF4 ISA_HASH ISA_SA ISA_NONCE ISA_KE ISA_ID ISA_ID
Mar 17 11:26:44 iked Quick Mode processing failed
Mar 17 11:26:44 iked TO 200.111.111.111 IF-HDR* -A11C7729 ISA_HASH ISA_NOTIFY
Mar 17 11:26:44 iked Sending INVALID_ID_INFO message
Mar 17 11:26:44 iked get_ipsec_pref: Unable to find channel info for remote(200.111.111.111)
Mar 17 11:26:43 iked FROM 200.111.111.111 QM-HDR* -BEB2DDCD ISA_HASH ISA_SA ISA_NONCE ISA_KE ISA_ID ISA_ID
Mar 17 11:26:43 iked TO 200.111.111.111 MM-HDR* ISA_ID ISA_HASH
Mar 17 11:26:43 iked FROM 200.111.111.111 MM-HDR* ISA_ID ISA_HASH
Mar 17 11:26:43 iked CRYPTO ACTIVE after delay
Mar 17 11:26:43 iked TO 200.111.111.111 MM-HDR ISA_KE ISA_NONCE
Mar 17 11:26:42 iked FROM 200.111.111.111 MM-HDR ISA_KE ISA_NONCE
Mar 17 11:26:42 iked TO 200.111.111.111 MM-HDR ISA_SA
Mar 17 11:26:42 iked Rejecting peer DPD request: not configured
Mar 17 11:26:42 iked Rejecting peer XAUTH request: not configured
Mar 17 11:26:42 iked FROM 200.111.111.111 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID

These are the logs after:

Mar 17 11:31:56 iked TO 200.111.111.111 IF-HDR ISA_NOTIFY
Mar 17 11:31:56 iked Sending INVALID_COOKIE message
Mar 17 11:31:56 iked Received a packet for an unknown SA
Mar 17 11:31:56 iked FROM 200.111.111.111 QM-HDR* -573207E7 ISA_HASH
Mar 17 11:31:53 iked TO 200.111.111.111 IF-HDR ISA_NOTIFY
Mar 17 11:31:53 iked Sending INVALID_COOKIE message
Mar 17 11:31:53 iked Received a packet for an unknown SA

I changed the configs you suggested, but still no connection... Also... corrected the Diffie-Hellman group!

Any help will be really appreciated!!!
Thanks in advance!!!

2009/3/17 Daniel Mentz <danielml+mailinglists.strongs...@sent.com>

> Tica wrote:
>
>> I changed the WatchGuard Edge configuration, but I'm getting this
>> message: max number of retransmissions (2) reached STATE_QUICK_I1. No
>> acceptable response to our first Quick Mode message: perhaps peer likes no
>> proposal
>
> Can you provide us with the logfiles of the WatchGuard Edge? They might
> contain valuable information about why it rejected the proposal.
>
>> Diffie-Hellman Group: 2
>
> This is equivalent to modp1024, isn't it?
>
>> conn vpntest
>>     keyexchange=ikev1
>>     ike=aes256-sha-modp1536
>>     pfs=yes
>>     pfsgroup=modp1536
>>     esp=aes256-sha1-modp1536
>>     compress=no
>>     authby=secret
>>     left=200.111.111.111
>>     leftsubnet=10.10.10.0/24
>>     leftfirewall=yes
>>     lefthostaccess=yes
>>     right=200.222.222.222
>>     rightsubnet=192.168.10.0/24
>>     auto=start
>
> Try
> pfsgroup=modp1024
> esp=aes256-sha1
>
> The traffic selector which is
> 10.10.10.0/24 <=> 192.168.10.0/24
> is IMHO also part of the proposal. Does this match with the configuration
> on the peer?
>
> Also, is the peer configured to use ESP in tunnel mode?
>
> Daniel

--
Tica ;-)

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
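
Added example (not part of the original thread or of either project): a small Python triage of the iked lines quoted above. It restores chronological order, checks whether Main Mode finished, and attaches a reading to each notify the Edge sent. The `triage` function, the hint wording and the reading of `*` as "encrypted" are assumptions of this example.

```python
import re

# Lines copied from the two log excerpts above, newest first as posted.
SAMPLE = """\
Mar 17 11:31:53 iked Sending INVALID_COOKIE message
Mar 17 11:31:53 iked Received a packet for an unknown SA
Mar 17 11:26:44 iked Quick Mode processing failed
Mar 17 11:26:44 iked Sending INVALID_ID_INFO message
Mar 17 11:26:44 iked get_ipsec_pref: Unable to find channel info for remote(200.111.111.111)
Mar 17 11:26:43 iked TO 200.111.111.111 MM-HDR* ISA_ID ISA_HASH
Mar 17 11:26:43 iked FROM 200.111.111.111 MM-HDR* ISA_ID ISA_HASH
Mar 17 11:26:42 iked FROM 200.111.111.111 MM-HDR ISA_SA ISA_VENDORID ISA_VENDORID ISA_VENDORID
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) iked (.*)$")
# Readings of each notify; the wording is this example's, not WatchGuard's.
HINTS = {
    "INVALID_ID_INFO": "Phase 2 IDs (traffic selectors) match no configured tunnel",
    "INVALID_COOKIE": "peer used an ISAKMP SA this device does not hold",
}

def triage(log_text):
    """Return (phase1_done, [(timestamp, notify, hint), ...]) in time order."""
    events = []
    for raw in reversed(log_text.strip().splitlines()):  # oldest first
        m = LINE.match(raw.strip())
        if m:
            events.append(m.groups())
    # Assumption: "MM-HDR*" marks an encrypted Main Mode message, so seeing
    # one in each direction means the ID/HASH exchange (Phase 1) finished.
    dirs = {msg.split()[0] for _, msg in events if " MM-HDR* " in f" {msg} "}
    phase1_done = {"TO", "FROM"} <= dirs
    findings = []
    for ts, msg in events:
        n = re.match(r"Sending (\w+) message", msg)
        if n:
            name = n.group(1)
            findings.append((ts, name, HINTS.get(name, "no hint for this notify")))
    return phase1_done, findings

if __name__ == "__main__":
    done, findings = triage(SAMPLE)
    print("Phase 1 completed:", done)
    for ts, name, hint in findings:
        print(f"{ts}  {name}: {hint}")
```

With Phase 1 shown as complete and the first notify being INVALID_ID_INFO, the place to compare is the Phase 2 definition on both ends: `leftsubnet`/`rightsubnet` in the conn against the tunnel policy on the Edge.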