Could it be that Perfect Forward Secrecy (PFS) has not been enabled on the Cisco box because it returns in Quick Mode with the Notification? Enable PFS and the connection will succeed.
Jul 3 19:51:01 localhost pluto[17524]: | Notify Message Type: NO_PROPOSAL_CHOSEN
Jul 3 19:51:01 localhost pluto[17524]: | removing 4 bytes of padding
DNS lookups are probably initiated by Opportunistic Encryption (OE). If it's bothering you then you can disable OE:
Disabling Opportunistic Encryption
To disable OE (eg. policy groups and packetdefault), cut and paste the following lines to /etc/ipsec.conf:
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore

Regards
Andreas
Per Kristian Gjermshus wrote:
Since my original posting of this message was in the middle of the reorganization, I am reposting it now.
I am having some trouble getting a connection with preshared key working. The remote end is a cisco-box and the people running the remote system expect me to be using cisco too. My configuration instructions are therefore Cisco only. I am using freeswan as included in Trustix 2.0, which is a standard 2.00 with X.509 version 1.3.2.
My first problem was that the remote end expected an ISAKMP SA lifetime of 24 hours. Apparently this value is changeable in IOS. The problem resolved itself by changing OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM to 86400 in programs/pluto/constants.h.
Still, I could not get a working connection. It looks like the remote end wants to give us the IP 10.192.3.23. Freeswan then tries a reverse lookup on that address. That does not work at all, and the connection seems to fail. Is my analysis of this anywhere near correct? Should freeswan try to do a reverse of this when opportunistic is not in use?
The pluto log and my ipsec.conf can be found at: http://www.newmad.no/~pergj/pluto.log http://www.newmad.no/~pergj/ipsec.conf
Per Kristian
_______________________________________________ FreeS/WAN Users mailing list [EMAIL PROTECTED] https://mj2.freeswan.org/cgi-bin/mj_wwwusr
-- 
=======================================================================
Andreas Steffen                         e-mail: [EMAIL PROTECTED]
strongSec GmbH                          home:   http://www.strongsec.com
Alter Zürichweg 20                      phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)         fax:    +41 1 730 80 65
==========================================[strong internet security]===
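The two points raised in the reply above (a Quick Mode NO_PROPOSAL_CHOSEN notify hinting at a PFS mismatch, and the OE policy-group conns that trigger reverse DNS lookups unless set to auto=ignore) can be checked mechanically. The following is an added example, not code from the thread or from FreeS/WAN: a small parser for the ipsec.conf conn/setting layout that reports the effective pfs setting of a named conn and which OE policy groups are still active, plus a scan of pluto debug lines for notify types. The sample ipsec.conf and the extra log line are constructed here; the peer address 192.0.2.1 is a placeholder, and the assumption that an unset pfs means "yes" follows the FreeS/WAN ipsec.conf default.

```python
"""Added example (not from the FreeS/WAN list thread): sanity-check an ipsec.conf
for the PFS and OE points above and scan pluto log lines for notify messages."""
import re

# Policy-group conns that Opportunistic Encryption uses; absent or not auto=ignore
# means OE is still active and pluto will keep doing reverse DNS lookups.
OE_CONNS = ("block", "private", "private-or-clear", "clear-or-private",
            "clear", "packetdefault")

NOTIFY_RE = re.compile(r"Notify Message Type: (\w+)")

# Hints for notify types a troubleshooter usually wants to act on.
NOTIFY_HINTS = {
    "NO_PROPOSAL_CHOSEN": "peer rejected our proposal: compare pfs, SA lifetimes "
                          "and transforms on both ends",
}


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}.

    Sections start at column 0 ('conn NAME' or 'config setup'); their settings are
    indented key=value lines. '#' comments and blank lines are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header
            kind, _, name = line.partition(" ")
            current = name.strip() if kind == "conn" else f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None and "=" in line:     # setting inside a section
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_settings(sections, conn):
    """Settings of CONN with 'conn %default' applied underneath it."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections.get(conn, {}))
    return merged


def check_config(text, conn):
    """Report the effective pfs value of CONN and the OE conns not set to auto=ignore."""
    sections = parse_ipsec_conf(text)
    # Assumption: FreeS/WAN treats an unset pfs as yes, so the peer must also do PFS.
    pfs = effective_settings(sections, conn).get("pfs", "yes")
    oe_active = [oe for oe in OE_CONNS
                 if sections.get(oe, {}).get("auto") != "ignore"]
    return {"pfs": pfs, "oe_active": oe_active}


def scan_pluto_log(lines):
    """Return (notify types in order seen, hints for the ones we know about)."""
    seen = [m.group(1) for line in lines if (m := NOTIFY_RE.search(line))]
    hints = [NOTIFY_HINTS[t] for t in seen if t in NOTIFY_HINTS]
    return seen, hints


# Constructed sample configuration: OE only partly disabled, pfs left unset.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=3

conn cisco
    left=%defaultroute
    right=192.0.2.1      # placeholder peer address
    authby=secret
    auto=add

conn block
    auto=ignore
conn private
    auto=ignore
"""

# First line is from the thread; the second is constructed.
SAMPLE_LOG = [
    "Jul 3 19:51:01 localhost pluto[17524]: | Notify Message Type: NO_PROPOSAL_CHOSEN",
    "Jul 3 19:51:01 localhost pluto[17524]: | removing 4 bytes of padding",
]

if __name__ == "__main__":
    print(check_config(SAMPLE_CONF, "cisco"))
    print(scan_pluto_log(SAMPLE_LOG))
```

Run against a real ipsec.conf, `check_config` tells you whether the tunnel conn will propose PFS (and hence whether the Cisco side must have PFS enabled) and which policy-group conns still need the auto=ignore lines from the reply.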
