Hello,
I decided to try out the new IPsec "wizard" (what are they called in
Gnome, anyway? I know it's not wizard) in the system-config-network
tool. It's also the first time I've tried the new IPsec features in the
kernel.
The setup seemed fairly easy, however I wasn't able to actually connect
to the Linksys VPN router (BEFVP41).
Here are the settings I entered for IPsec on the client side:
1. Nickname: Office
2. Type of connection: Network to Network encryption
3. Type of encryption: Automatic via IKA (racoon)
4. Local network address: 192.168.1.101
Local subnet: 255.255.255.0
Local network gateway: 192.168.1.1
5. Remote IP address: xxx.xxx.xxx.xxx (the BEFVP41 WAN IP)
Remote network address: 192.168.0.0
Remote subnet mask: 255.255.0.0
Remote network gateway: 192.168.0.1
6. Authentication key: blahblahblah
And the following are the settings on the Linksys side:
1. Local Secure Group: (Subnet) 192.168.0.0
255.255.0.0
2. Remote Secure Group: (IP Addr.) xxx.xxx.xxx.xxx (the client WAN IP)
3. Encryption: 3DES
4. Authentication: SHA
5. Key Management: Auto (IKE)
PFS (I've selected this option)
Pre-shared: blahblahblah (matches client side)
6. Key Lifetime 3600
On the Advanced screen of the BEFVP41, I have the following:
Phase 1
Operation mode: Main mode
Proposal 1: Encryption: 3DES
Authentication: SHA
Group: 1024-bit
Key Lifetime: 28800
Phase 2
Proposal: Encryption: 3DES (not user configurable)
Authentication: SHA (not user configurable)
PFS: ON (not user configurable)
Group: 1024-bit
Key Lifetime: 3600
I think that the Linksys side isn't configured properly, but it may be I
haven't configured something right on the client side. Another
possibility is that I need to add a parameter to one of the conf files
in /etc/racoon that the wizard doesn't allow. In any case, I haven't
been able to figure it out.
The Linksys is reporting the following error:
00:00:36 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN
00:00:36 IKE[1] **Check your Encryption, Authentication method and PFS
settings !
On the client side, I'm seeing this in /var/log/messages:
Jan 6 10:47:08 krs racoon: INFO: unsupported PF_KEY message REGISTER
Jan 6 10:47:18 krs racoon: INFO: respond new phase 1 negotiation:
192.168.0.21[500]<=>XXX.XXX.XXX.XXX[500]
Jan 6 10:47:18 krs racoon: INFO: begin Aggressive mode.
Jan 6 10:47:18 krs racoon: ERROR: rejected dh_group: DB
(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP
group
Jan 6 10:47:18 krs racoon: ERROR: rejected enctype: DB
(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
Jan 6 10:47:18 krs racoon: ERROR: rejected hashtype: DB
(prop#1:trns#1):Peer(prop#1:trns#2) = SHA:MD5
Jan 6 10:47:18 krs racoon: ERROR: rejected dh_group: DB
(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:768-bit MODP
group
Jan 6 10:47:18 krs racoon: ERROR: no suitable proposal found.
Jan 6 10:47:18 krs racoon: ERROR: failed to get valid proposal.
Jan 6 10:47:18 krs racoon: ERROR: failed to process packet.
Jan 6 10:47:46 krs racoon: INFO: respond new phase 1 negotiation:
192.168.0.21[500]<=>XXX.XXX.XXX.XXX[500]
Jan 6 10:47:46 krs racoon: INFO: begin Aggressive mode.
I made a few changes to my config, and then the above stopped, and I
started to get completely different errors.
The Linksys error appears to be the most useful. Does anyone know what
I'm missing here? Has anyone successfully connected to a Linksys VPN
router using IPsec in the FC3 kernel?
Thanks in advance for any tips/suggestions.
Regards,
Ranbir
--
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
