[strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1

Andreas Steffen andreas.steffen at strongswan.org
Thu Mar 4 07:05:54 CET 2010 

Hello Jana,

the log entry:

ignoring informational payload, type NO_PROPOSAL_CHOSEN

means that the CheckPoint box does not like your proposal.
Is it really configuredd to do XAUTH with certificate-based
mutual authentication?

Regards

Andreas

Sucha Singh wrote:
> Hi All,
> 
> Thanks Martin, I've made some more progress, I am now getting the following error when I run "ipsec up test":
> 
> 002 "test" #2: initiating Main Mode
> 104 "test" #2: STATE_MAIN_I1: initiate
> 003 "test" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> 010 "test" #2: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "test" #2: STATE_MAIN_I1: retransmission; will wait 40s for response
> 031 "test" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> 
> My ipsec.conf now looks like this:
> 
> # ipsec.conf - strongSwan IPsec configuration file
> 
> # basic configuration
> 
> config setup
>     plutostart=yes
>     nat_traversal=yes
>     plutodebug=all
> 
> # Add connections here.
> 
> conn test
>        auto=add
>        authby=xauthrsasig
>        forceencaps=yes
>        keyexchange=ikev1
>        keyingtries=1
>        type=tunnel
>        xauth=client
>        right=<IP address of CheckPoint VPN>
>        left=<IP address of my laptop>
> 
> # include /var/lib/strongswan/ipsec.conf.inc
> 
>>From what sense I can make from the error, I assume it means that my client request has reached the VPN gateway, but the authentication/encryption protocols don't match?
> 
> I sincerely appreciate the help you guys are providing.
> 
> Regards,
> 
> Jana
> 
> --- On Wed, 3/3/10, Martin Willi <martin at strongswan.org> wrote:
> 
> From: Martin Willi <martin at strongswan.org>
> Subject: Re: [strongSwan] Please help - Using strongSwan to connect to CheckPoint VPN-1
> To: "Sucha Singh" <soorma_j4tt at yahoo.co.uk>
> Cc: "Daniel Mentz" <danielml+mailinglists.strongswan at sent.com>, users at lists.strongswan.org
> Date: Wednesday, 3 March, 2010, 7:32
> 
> Hi,
> 
>> conn test
>>         authby=xauthrsasig
>>         forceencaps=yes
>>         keyexchange=ikev1
>>         keyingtries=1
>>         type=tunnel
>>         xauth=client
>>         right=<CheckPoint VPN Firewall IP Address>
>>         leftsourceip=%modeconfig
> 
>> ipsec up test
>> 021 no connection named "test"
> 
> You additionally need the "auto" parameter. auto=add loads the
> configuration to the IKE daemon. auto=start additionally starts the
> connection automatically. man ipsec.conf for details.
> 
> Regards
> Martin

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list