FC3/IPsec and Linksys VPN router

Kanwar Ranbir Sandhu m3freak at rogers.com
Fri Jan 7 03:40:07 UTC 2005


Hello,

I decided to try out the new IPsec "wizard" (what are they called in
Gnome, anyway? I know it's not wizard) in the system-config-network
tool.  It's also the first time I've tried the new IPsec features in the
kernel. 

The setup seemed fairly easy, however I wasn't able to actually connect
to the Linksys VPN router (BEFVP41).

Here are the settings I entered for IPsec on the client side:

1. Nickname: Office
2. Type of connection: Network to Network encryption
3. Type of encryption: Automatic via IKE (racoon)
4. Local network address: 192.168.1.101
   Local subnet: 255.255.255.0
   Local network gateway: 192.168.1.1

5. Remote IP address: xxx.xxx.xxx.xxx  (the BEFVP41 WAN IP)
   Remote network address: 192.168.0.0
   Remote subnet mask: 255.255.0.0
   Remote network gateway: 192.168.0.1

6. Authentication key: blahblahblah

And the following are the settings on the Linksys side:

1. Local Secure Group: (Subnet) 192.168.0.0
                                255.255.0.0

2. Remote Secure Group: (IP Addr.) xxx.xxx.xxx.xxx (the client WAN IP)

3. Encryption: 3DES
4. Authentication: SHA
5. Key Management: Auto (IKE)
                   PFS (I've selected this option)
                   Pre-shared: blahblahblah (matches client side)

6. Key Lifetime 3600

On the Advanced screen of the BEFVP41, I have the following:

Phase 1 
Operation mode: Main mode
Proposal 1: Encryption: 3DES
            Authentication: SHA
            Group: 1024-bit
            Key Lifetime: 28800

Phase 2
Proposal:   Encryption: 3DES       (not user configurable)
            Authentication: SHA    (not user configurable)
            PFS: ON                (not user configurable)
            Group: 1024-bit
            Key Lifetime: 3600

I think that the Linksys side isn't configured properly, but it may be I
haven't configured something right on the client side.  Another
possibility is that I need to add a parameter to one of the conf files
in /etc/racoon that the wizard doesn't allow.  In any case, I haven't
been able to figure it out.  

The Linksys is reporting the following error:

00:00:36 IKE[1] Rx << Notify : NO-PROPOSAL-CHOSEN
00:00:36 IKE[1] **Check your Encryption, Authentication method and PFS settings !

On the client side, I'm seeing this in /var/log/messages:

Jan  6 10:47:08 krs racoon: INFO: unsupported PF_KEY message REGISTER
Jan  6 10:47:18 krs racoon: INFO: respond new phase 1 negotiation: 192.168.0.21[500]<=>XXX.XXX.XXX.XXX[500]
Jan  6 10:47:18 krs racoon: INFO: begin Aggressive mode.
Jan  6 10:47:18 krs racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
Jan  6 10:47:18 krs racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
Jan  6 10:47:18 krs racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = SHA:MD5
Jan  6 10:47:18 krs racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:768-bit MODP group
Jan  6 10:47:18 krs racoon: ERROR: no suitable proposal found.
Jan  6 10:47:18 krs racoon: ERROR: failed to get valid proposal.
Jan  6 10:47:18 krs racoon: ERROR: failed to process packet.
Jan  6 10:47:46 krs racoon: INFO: respond new phase 1 negotiation: 192.168.0.21[500]<=>XXX.XXX.XXX.XXX[500]
Jan  6 10:47:46 krs racoon: INFO: begin Aggressive mode.
 
I made a few changes to my config, and then the above stopped, and I
started to get completely different errors.  

The Linksys error appears to be the most useful.  Does anyone know what
I'm missing here?  Has anyone successfully connected to a Linksys VPN
router using IPsec in the FC3 kernel?

Thanks in advance for any tips/suggestions.

Regards,

Ranbir
-- 
Kanwar Ranbir Sandhu
Linux Consultant
Systems Aligned Inc.
www.systemsaligned.com
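Added example (not part of the post above, and not code from racoon or Fedora): a small parser for racoon's "rejected <attribute>: DB(...):Peer(...) = local:peer" phase 1 lines, run over the log lines quoted in the post (wrapped lines rejoined, peer address masked as in the original). It groups, per peer transform, which attribute the router offered and what racoon's own proposal database required, and also reports the exchange mode racoon saw, so a mismatch against the settings shown in the router UI stands out.

```python
import re

# Log lines copied from the post above (constructed input for this example);
# the router's WAN address is masked exactly as in the original.
RACOON_LOG = """\
Jan  6 10:47:18 krs racoon: INFO: respond new phase 1 negotiation: 192.168.0.21[500]<=>XXX.XXX.XXX.XXX[500]
Jan  6 10:47:18 krs racoon: INFO: begin Aggressive mode.
Jan  6 10:47:18 krs racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#1) = 1024-bit MODP group:768-bit MODP group
Jan  6 10:47:18 krs racoon: ERROR: rejected enctype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 3DES-CBC:DES-CBC
Jan  6 10:47:18 krs racoon: ERROR: rejected hashtype: DB(prop#1:trns#1):Peer(prop#1:trns#2) = SHA:MD5
Jan  6 10:47:18 krs racoon: ERROR: rejected dh_group: DB(prop#1:trns#1):Peer(prop#1:trns#2) = 1024-bit MODP group:768-bit MODP group
Jan  6 10:47:18 krs racoon: ERROR: no suitable proposal found.
"""

# "rejected <attr>: DB(<our transform>):Peer(<their transform>) = <ours>:<theirs>"
# The first colon after " = " separates our value from the peer's value.
REJECT_RE = re.compile(
    r"racoon: ERROR: rejected (?P<attr>\w+): "
    r"DB\s*\((?P<db>[^)]*)\):Peer\((?P<peer>[^)]*)\) = (?P<local>.+?):(?P<remote>.+)$"
)
MODE_RE = re.compile(r"racoon: INFO: begin (?P<mode>\w+) mode\.")


def parse_rejections(log):
    """Map each peer transform (e.g. 'prop#1:trns#2') to {attr: (ours, theirs)}."""
    by_transform = {}
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            by_transform.setdefault(m["peer"], {})[m["attr"]] = (m["local"], m["remote"])
    return by_transform


def exchange_mode(log):
    """Return the phase 1 exchange mode racoon reported ('Main' / 'Aggressive'), or None."""
    m = MODE_RE.search(log)
    return m["mode"] if m else None


def summarize(log):
    """One line per peer transform naming every attribute racoon refused and why."""
    lines = []
    for transform, attrs in sorted(parse_rejections(log).items()):
        parts = [f"{a}: peer offered {theirs!r}, we require {ours!r}"
                 for a, (ours, theirs) in sorted(attrs.items())]
        lines.append(f"peer {transform}: " + "; ".join(parts))
    return lines


if __name__ == "__main__":
    print("phase 1 exchange mode seen by racoon:", exchange_mode(RACOON_LOG))
    for line in summarize(RACOON_LOG):
        print(line)
```

Attributes that do not appear for a transform were accepted, so a transform listed only under dh_group matched on cipher and hash and failed solely on the Diffie-Hellman group.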
