Hello,

I decided to try out the new IPsec "wizard" (what are they called in Gnome, anyway? I know it's not wizard) in the system-config-network tool. It's also the first time I've tried the new IPsec features in the kernel. The setup seemed fairly easy, however I wasn't able to actually connect to the Linksys VPN router (BEFVP41).

Here are the settings I entered for IPsec on the client side:

1. Nickname: Office
2. Type of connection: Network to Network encryption
3. Type of encryption: Automatic via IKA (racoon)
4. Local network address: 192.168.1.101
   Local subnet: 255.255.255.0
   Local network gateway: 192.168.1.1
5. Remote IP address: xxx.xxx.xxx.xxx (the BEFVP41 WAN IP)
   Remote network address: 192.168.0.0
   Remote subnet mask: 255.255.0.0
   Remote network gateway: 192.168.0.1
6. Authentication key: blahblahblah

And the following are the settings on the Linksys side:

1. Local Secure Group: (Subnet) 192.168.0.0 255.255.0.0
2. Remote Secure Group: (IP Addr.) xxx.xxx.xxx.xxx (the client WAN IP)
3. Encryption: 3DES
4. Authentication: SHA
5. Key Management: Auto (IKE)
   PFS (I've selected this option)
   Pre-shared: blahblahblah (matches client side)
6. Key Lifetime 3600

On the Advanced screen of the BEFVP41, I have the following:

Phase 1
   Operation mode: Main mode
   Proposal 1:
      Encryption: 3DES
      Authentication: SHA
      Group: 1024-bit
      Key Lifetime: 28800

Phase 2
   Proposal:
      Encryption: 3DES (not user configurable)
      Authentication: SHA (not user configurable)
      PFS: ON (not user configurable)
      Group: 1024-bit
      Key Lifetime: 3600

I think that the Linksys side isn't configured properly, but it may be I haven't configured something right on the client side. Another possibility is that I need to add a parameter to one of the conf files in /etc/racoon that the wizard doesn't allow. In any case, I haven't been able to figure it out.

The Linksys is reporting the following error:

   00:00:36 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN
   00:00:36 IKE[1] **Check your Encryption, Authentication method and PFS settings !

On the client side, I'm seeing this in /var/log/messages:

   Jan 6 10:47:08 krs racoon: INFO: unsupported PF_KEY message REGISTER
   Jan 6 10:47:18 krs racoon: INFO: respond new phase 1 negotiation: 192.168.0.21[500]<=>XXX.XXX.XXX.XXX[500]
   Jan 6 10:47:18 krs racoon: INFO: begin Aggressive mode.
   Jan 6 10:47:18 krs racoon: ERROR: rejected dh_group: DB (prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
   Jan 6 10:47:18 krs racoon: ERROR: rejected enctype: DB (prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
   Jan 6 10:47:18 krs racoon: ERROR: rejected hashtype: DB (prop#1:trns#1):Peer(prop#1:trns#2) = SHA:MD5
   Jan 6 10:47:18 krs racoon: ERROR: rejected dh_group: DB (prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:768-bit MODP group
   Jan 6 10:47:18 krs racoon: ERROR: no suitable proposal found.
   Jan 6 10:47:18 krs racoon: ERROR: failed to get valid proposal.
   Jan 6 10:47:18 krs racoon: ERROR: failed to process packet.
   Jan 6 10:47:46 krs racoon: INFO: respond new phase 1 negotiation: 192.168.0.21[500]<=>XXX.XXX.XXX.XXX[500]
   Jan 6 10:47:46 krs racoon: INFO: begin Aggressive mode.

I made a few changes to my config, and then the above stopped, and I started to get completely different errors. The Linksys error appears to be the most useful.

Does anyone know what I'm missing here? Has anyone successfully connected to a Linksys VPN router using IPsec in the FC3 kernel?

Thanks in advance for any tips/suggestions.

Regards,

Ranbir

--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
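
An added example, not part of the original post: a small Python parser for the racoon "rejected" lines quoted above, grouping them by peer transform so the attributes that differ from the local proposal can be read side by side. The function names are hypothetical, and the sample input is the post's own log lines.

```python
import re
from collections import defaultdict

# Log lines copied from the post above (hostname and timestamps as posted).
SAMPLE_LOG = """\
Jan 6 10:47:18 krs racoon: ERROR: rejected dh_group: DB (prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
Jan 6 10:47:18 krs racoon: ERROR: rejected enctype: DB (prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
Jan 6 10:47:18 krs racoon: ERROR: rejected hashtype: DB (prop#1:trns#1):Peer(prop#1:trns#2) = SHA:MD5
Jan 6 10:47:18 krs racoon: ERROR: rejected dh_group: DB (prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:768-bit MODP group
Jan 6 10:47:18 krs racoon: ERROR: no suitable proposal found.
"""

# "DB" is racoon's locally configured proposal, "Peer" is what the remote offered.
# The value pair after "=" is printed as local:peer.
REJECTED = re.compile(
    r"racoon: ERROR: rejected (?P<attr>\w+): "
    r"DB\s*\(prop#(?P<lp>\d+):trns#(?P<lt>\d+)\):"
    r"Peer\s*\(prop#(?P<pp>\d+):trns#(?P<pt>\d+)\) = "
    r"(?P<local>[^:]+):(?P<peer>.+)$"
)

def mismatches(log_text):
    """Return {(peer_prop, peer_trns): {attr: (local_value, peer_value)}}."""
    result = defaultdict(dict)
    for line in log_text.splitlines():
        m = REJECTED.search(line)
        if m:
            key = (int(m["pp"]), int(m["pt"]))
            result[key][m["attr"]] = (m["local"].strip(), m["peer"].strip())
    return dict(result)

def closest_transform(found):
    """Peer transform with the fewest logged rejections, or None if none were logged."""
    return min(found, key=lambda k: len(found[k])) if found else None

if __name__ == "__main__":
    found = mismatches(SAMPLE_LOG)
    for (prop, trns), attrs in sorted(found.items()):
        print(f"peer prop#{prop} trns#{trns}:")
        for attr, (local, peer) in attrs.items():
            print(f"  {attr}: local wants {local!r}, peer offered {peer!r}")
    print("closest peer transform:", closest_transform(found))
```

Run over the lines in the post, this shows that the peer's first transform was rejected only on the Diffie-Hellman group (768-bit offered, 1024-bit configured locally), while the second also differed in cipher and hash.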