[Swan] direct connect ipsec tunnel

Paul Wouters paul at nohats.ca
Fri Jan 21 23:27:33 EET 2022

On Thu, 20 Jan 2022, Craig Slist wrote:

> Subject: [Swan] direct connect ipsec tunnel
> I am using RHEL8 and libreswan to make a tunnel directly to a cisco asa.
> using a basic config we are getting this error002 "mytunnel" #7: initiating Main Mode
> 104 "mytunnel" #7: STATE_MAIN_I1: initiate
> 003 "mytunnel" #7: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=12

This means your configurations don't match up. It is hard for us to help
you as we don't know what your cisco end wants you to use.

Some possible mismatching options are:

- IKEv1 vs IKEv2 (ikev2=yes|no)
- IKEv1 Aggressive Mode vs IKEv1 Main Mode (agressive=yes|no)
- IKE/phase1 crypto ciphers mismatch (ike= option in libreswan)
- Perfect Forward Secrecy setting (pfs=yes|no)
- If IKEv1 Aggressive Mode, a mismatched client ID could cause this


More information about the Swan mailing list