On Wed, 30 Jul 2003, Jim Morgan wrote:

> I've been trying to get a FreeSwan box to connect to a Juniper router for
> the last few days. I've got it to complete the IKE negotiation, but when it
> gets to the IPsec negotiation it fails with NO_PROPOSAL_CHOSEN. This, I
> believe is a message sent back from the Juniper side of the connection,
> saying it doesn't like the suggestions Freeswan made for connecting.
> However it isn't very specific about exactly _what_ it doesn't like.

You would find that information in the Juniper logs. Don't ask me where. ;) If you can track it down

> The setup:
> ==========
> FreeswanBox
> 10.10.10.20
> I
> I
> 10.10.10.1
> NATFirewall
> 123.123.123.123 (dynamically assigned through PPOE)
> I
> I
> internet
> I
> I
> 234.234.234.234
> Juniper
> I
> I
> 192.168.34.45/32
> TargetMachine

I can't say that I was able to find any examples of Juniper-FreeS/WAN configs, and without having a look at the Juniper logs, most of this advice will be theory.

1) You've got "keylife=5m" specified in the FreeS/WAN config, but lifetime-seconds 7200; in the ipsec portion of the Juniper config. Shouldn't keylife be set to 2h instead? (or lifetime-seconds 300;) These interop situations can be a bit finicky.

2) In the verbose "plutodebug"ing output, can you confirm whether we do offer esp-sha1-3des?

3) You've got NAT involved. If this were a FreeS/WAN to FreeS/WAN configuration failing with one party behind NAT, one of the culprits would be that the NAT'ted IP address isn't "authorized". NAT'ted FreeS/WAN would attempt to negotiate a tunnel for its own private IP address, which would be rejected by its peer. One of the solutions in that scenario is to statically configure the private IP address as one of the authorized subnets (ie, rightsubnet=10.10.10.20/32 or the like.) Might something similar apply here?

-- Sam Sgro [EMAIL PROTECTED]
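
The lifetime comparison raised in point 1 of the reply can be checked mechanically before the next connection attempt. The following is an added example, not part of the original message or of either product: the two config fragments are constructed samples that use only the values quoted in the thread, and the `conn` and `proposal` names are hypothetical.

```python
import re

# Seconds per FreeS/WAN time suffix; a bare number is taken as seconds.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def freeswan_keylife(conf_text):
    """Return keylife in seconds from an ipsec.conf fragment, or None."""
    # Anchored at line start so a commented-out '# keylife=...' is ignored.
    m = re.search(r"^\s*keylife\s*=\s*(\d+(?:\.\d+)?)([smhd]?)\s*$",
                  conf_text, re.M)
    if not m:
        return None
    return int(float(m.group(1)) * UNITS[m.group(2) or "s"])

def juniper_lifetime(conf_text):
    """Return the 'lifetime-seconds N;' value from a Juniper fragment, or None."""
    m = re.search(r"\blifetime-seconds\s+(\d+)\s*;", conf_text)
    return int(m.group(1)) if m else None

def compare_lifetimes(freeswan_conf, juniper_conf):
    """Compare both sides' IPsec SA lifetimes; match is None if one is unset."""
    fs = freeswan_keylife(freeswan_conf)
    jn = juniper_lifetime(juniper_conf)
    match = None if fs is None or jn is None else fs == jn
    return {"match": match, "freeswan": fs, "juniper": jn}

# Constructed sample fragments (not the poster's real configs); only the
# keylife and lifetime-seconds values come from the thread.
FREESWAN_SAMPLE = """
conn juniper-example
    keylife=5m
"""

JUNIPER_SAMPLE = """
proposal example-proposal {
    lifetime-seconds 7200;
}
"""

if __name__ == "__main__":
    result = compare_lifetimes(FREESWAN_SAMPLE, JUNIPER_SAMPLE)
    print(result)
    if result["match"] is False:
        print("Lifetime mismatch: set keylife to %ds or lifetime-seconds to %d"
              % (result["juniper"], result["freeswan"]))
```
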
