I've been trying to get a FreeSwan box to connect to a Juniper router for the last few days. I've got it to complete the IKE negotiation, but when it gets to the IPsec negotiation it fails with NO_PROPOSAL_CHOSEN. This, I believe, is a message sent back from the Juniper side of the connection, saying it doesn't like the suggestions Freeswan made for connecting. However, it isn't very specific about exactly _what_ it doesn't like.
I've turned on plutodebug and klipsdebug and looked in /var/log/secure, but all that gives me is a very detailed account of what Freeswan said to Juniper.
The setup:
==========
FreeswanBox
10.10.10.20
  |
  |
10.10.10.1
NATFirewall
123.123.123.123 (dynamically assigned through PPPoE)
  |
  |
internet
  |
  |
234.234.234.234
Juniper
  |
  |
192.168.34.45/32
TargetMachine

Freeswan config:
================
conn fixbox_sungard_test
        authby=secret                   # secret set in ipsec.secrets
        type=tunnel
        left=10.10.10.20                # FreeswanBox, behind the NAT firewall
        leftnexthop=10.10.10.1
        right=234.234.234.234           # Juniper
        rightnexthop=%defaultroute
        rightsubnet=192.168.34.45/32    # TargetMachine behind the Juniper
        keyexchange=ike
        ikelifetime=24h
        pfs=yes
        # not sure if these following 5 are necessary
        keyingtries=5
        keylife=5m
        rekeymargin=4m
        rekeyfuzz=25%
        auto=add

Juniper config:
==============
security {
    ipsec {
        proposal esp-sha1-3des-7200 {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 7200;
        }
        policy g2-esp-sha1-3des-7200 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposals esp-sha1-3des-7200;
        }
        security-association vpn600 {
            mode tunnel;
            dynamic {
                ipsec-policy g2-esp-sha1-3des-7200;
            }
        }
    }
    ike {
        proposal pre-g2-sha1-3des-86400 {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 86400;
        }
        policy 123.123.123.123 {
            mode main;
            proposals pre-g2-sha1-3des-86400;
            pre-shared-key ascii-text "blahblahblah";
        }
    }
}

If anyone who has been through this and got it working, or anyone who understands JUNOS, has any ideas of what to try next, I'd appreciate it.
Jim
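The following is an added example, not code from the original post, from FreeS/WAN or from JUNOS. It models the check a responder performs in IKEv1 Quick Mode before answering NO_PROPOSAL_CHOSEN: every (protocol, encryption, integrity, PFS group, mode) tuple the initiator offers is compared against the set the responder is configured to accept, and the message is sent only when no tuple matches exactly. The Juniper side below is transcribed from the JUNOS config in the post (ESP, 3des-cbc, hmac-sha1-96, PFS group 2, tunnel). The FreeS/WAN side is an assumption: the posted ipsec.conf does not pin the ESP transforms or the PFS group, so two hypothetical offered sets are constructed to show how the report reads when the group differs versus when a matching tuple is present. To use it for real, replace the constructed offered set with the transforms that plutodebug logs for this conn. Lifetime is deliberately left out of the comparison, because in IKEv1 a responder normally accepts a shorter lifetime than its own rather than rejecting the proposal.

```python
# Added example (not from the original post, FreeS/WAN or JUNOS):
# an IKEv1 Quick Mode proposal matcher. The responder replies
# NO_PROPOSAL_CHOSEN when none of the initiator's offered tuples is equal
# to a tuple it is configured to accept. The offered sets below are
# CONSTRUCTED for illustration; take the real set from the pluto log.
from dataclasses import dataclass, fields
from itertools import product
from typing import Optional


@dataclass(frozen=True)
class Phase2Proposal:
    protocol: str             # "esp" or "ah"
    encryption: str           # e.g. "3des-cbc"
    integrity: str            # e.g. "hmac-sha1-96"
    pfs_group: Optional[int]  # DH group for PFS, None when PFS is off
    mode: str                 # "tunnel" or "transport"


# Fields that must agree exactly for an offered proposal to be accepted.
# Lifetime is excluded: an IKEv1 responder may accept a shorter lifetime
# than offered, so a lifetime difference rarely causes NO_PROPOSAL_CHOSEN.
HARD_FIELDS = [f.name for f in fields(Phase2Proposal)]


def find_common(offered, accepted):
    """Return every (offered, accepted) pair that is an exact match."""
    return [(o, a) for o, a in product(offered, accepted) if o == a]


def explain_rejection(offered, accepted):
    """Map each offered proposal to a list of (accepted, differing_fields).

    Returns an empty dict when at least one offered proposal matches, i.e.
    when the responder would NOT send NO_PROPOSAL_CHOSEN.
    """
    if find_common(offered, accepted):
        return {}
    report = {}
    for o in offered:
        diffs = []
        for a in accepted:
            bad = [f for f in HARD_FIELDS if getattr(o, f) != getattr(a, f)]
            diffs.append((a, bad))
        report[o] = diffs
    return report


def diagnose(offered, accepted):
    """Render a one-glance verdict for the two proposal sets."""
    report = explain_rejection(offered, accepted)
    if not report:
        return "match: " + str(find_common(offered, accepted)[0][0])
    lines = ["NO_PROPOSAL_CHOSEN; nothing offered equals an accepted proposal:"]
    for o, diffs in report.items():
        for a, bad in diffs:
            lines.append(f"  offered {o} vs accepted {a}: differs in {', '.join(bad)}")
    return "\n".join(lines)


# Responder side, transcribed from the JUNOS config in the post.
JUNIPER_ACCEPTS = [Phase2Proposal("esp", "3des-cbc", "hmac-sha1-96", 2, "tunnel")]

# Initiator side: ASSUMED. The posted ipsec.conf pins neither the ESP
# transforms nor the PFS group, so two hypothetical offered sets are shown.
FREESWAN_OFFER_GROUP5 = [
    Phase2Proposal("esp", "3des-cbc", "hmac-sha1-96", 5, "tunnel"),
    Phase2Proposal("esp", "3des-cbc", "hmac-md5-96", 5, "tunnel"),
]
FREESWAN_OFFER_GROUP2 = FREESWAN_OFFER_GROUP5 + [
    Phase2Proposal("esp", "3des-cbc", "hmac-sha1-96", 2, "tunnel"),
]

if __name__ == "__main__":
    print(diagnose(FREESWAN_OFFER_GROUP5, JUNIPER_ACCEPTS))
    print(diagnose(FREESWAN_OFFER_GROUP2, JUNIPER_ACCEPTS))
```

The point of the per-field report is that NO_PROPOSAL_CHOSEN itself carries no detail: the only way to learn which attribute the responder disliked is to reconstruct its accepted set from its config (here the JUNOS `proposal` plus the `perfect-forward-secrecy` group in the policy) and line it up against what the initiator actually put on the wire.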
