# OpenSwan and Watchguard SOHO stuck at Phase 2

## SkidSoft

I've got OpenSwan correctly installed for Roadwarriors, but I'm having a problem establishing a network to network connection with a Watchguard SOHO 6: it hangs when it attempts to establish Phase 2. I've tried a lot of things.

Here's the link that I used to guide me through setting up this kind of a connection...

http://wiki.openswan.org/index.php/interoperatingWatchguard

Now here's the output after running my command to get it to establish....

Obviously the IPs are X'd out to protect myself.

```
gentoo_server root # ipsec auto --up --verbose firebox
002 "firebox" #1: initiating Main Mode
104 "firebox" #1: STATE_MAIN_I1: initiate
003 "firebox" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
002 "firebox" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
002 "firebox" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "firebox" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "firebox" #1: I did not send a certificate because I do not have one.
003 "firebox" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
002 "firebox" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "firebox" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "firebox" #1: Peer ID is ID_IPV4_ADDR: '66.103.XXX.XXX'
002 "firebox" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
002 "firebox" #1: ISAKMP SA established
004 "firebox" #1: STATE_MAIN_I4: ISAKMP SA established
002 "firebox" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
112 "firebox" #2: STATE_QUICK_I1: initiate
010 "firebox" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "firebox" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "firebox" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "firebox" #2: starting keying attempt 2 of at most 3, but releasing whack
gentoo_server root #
```

Here's my configuration, of which the firebox section is what is relevant...

```
gentoo_server root # more /etc/ipsec/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $
# This file:  /usr/share/doc/openswan-2.3.1/ipsec.conf-sample
#
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        overridemtu=1410
        forwardcontrol=yes
        nat_traversal=yes
        # comma-separated list (a ';' between entries is not a valid separator)
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        keyingtries=3
        compress=yes
        disablearrivalcheck=no
        authby=secret
        type=tunnel
        keyexchange=ike
        ikelifetime=240m
        keylife=60m

conn roadwarrior-net
        leftsubnet=10.0.1.100/24
        also=roadwarrior

conn roadwarrior-all
        leftsubnet=0.0.0.0/0
        also=roadwarrior

conn roadwarrior-l2tp
        leftprotoport=17/0
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior-l2tp-updatedwin
        leftprotoport=17/1701
        rightprotoport=17/1701
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=4.17.XX.XXX
        leftnexthop=10.0.1.23
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

conn firebox
        keyingtries=3
        authby=secret                   # (Tells FreeS/WAN to use pre-shared key to negotiate tunnel)
        left=66.103.XX.XX               # (The Firebox's External IP address)
        leftnexthop=10.2.1.1            # (The Firebox router's IP address)
        leftsubnet=10.2.1.0/24          # (The Firebox's Trusted network)
        right=4.17.XX.XXX               # (The Linux Server's Public IP address)
        rightnexthop=10.0.1.23          # (The Linux Server's router's IP address)
        rightsubnet=10.1.1.0/24         # (The private network behind the Linux Server)
        auto=add

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

# Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
```

Can anyone give me any clues why this isn't working? 

Thanks!
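The `ipsec auto --up` transcript above shows exactly where a negotiation stalls, but it is easy to misread: the `#1` lines are the Phase 1 ISAKMP SA (Main Mode) and the `#2` lines are the Phase 2 IPsec SA (Quick Mode). The following triage script is an added example for this thread, not part of the original post and not an Openswan tool. It parses pluto status lines of the form `NNN "conn" #N: message`, tracks the state machine per SA, and reports which phase completed, where the other stalled, how many retransmissions happened, the NAT-T result, and the Quick Mode policy flags (COMPRESS, PFS, ...) that the peer has to agree with. The transcript embedded in it is constructed to mirror the poster's output, with the addresses masked as in the post; only Main Mode is handled.

```python
"""Triage an `ipsec auto --up` transcript: which IKE phase completed, and where did it stall?

Added example for this forum thread; it is not part of the original post and not an
Openswan tool. Only Main Mode (STATE_MAIN_*) and Quick Mode (STATE_QUICK_*) are handled.
"""
import re

# Constructed sample, mirroring the poster's transcript (addresses masked as there).
SAMPLE_LOG = """\
002 "firebox" #1: initiating Main Mode
104 "firebox" #1: STATE_MAIN_I1: initiate
003 "firebox" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
002 "firebox" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "firebox" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "firebox" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
002 "firebox" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "firebox" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "firebox" #1: Peer ID is ID_IPV4_ADDR: '66.103.XXX.XXX'
002 "firebox" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "firebox" #1: STATE_MAIN_I4: ISAKMP SA established
002 "firebox" #2: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
112 "firebox" #2: STATE_QUICK_I1: initiate
010 "firebox" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "firebox" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "firebox" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "firebox" #2: starting keying attempt 2 of at most 3, but releasing whack
"""

LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')
QUICK_RE = re.compile(r'initiating Quick Mode (\S+)')


def parse_pluto_log(text):
    """Return {sa_number: record}: states reached, retransmits, outcome, policy flags, NAT-T result."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # shell prompt or other non-pluto line
        rec = sas.setdefault(int(m["sa"]), {"states": [], "retransmits": 0,
                                            "outcome": "in progress", "policy": [], "nat": None})
        msg = m["msg"]
        # "transition from state A to state B" names two states; the last one is where we are now.
        states = STATE_RE.findall(msg)
        if states and (not rec["states"] or rec["states"][-1] != states[-1]):
            rec["states"].append(states[-1])
        q = QUICK_RE.search(msg)
        if q:
            rec["policy"] = q.group(1).split("+")  # e.g. PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP
        if "retransmission; will wait" in msg:
            rec["retransmits"] += 1
        if "SA established" in msg:
            rec["outcome"] = "established"
        elif m["code"] == "031" or "max number of retransmissions" in msg:
            rec["outcome"] = "failed"
        if "NAT-Traversal: Result" in msg:
            rec["nat"] = msg.split(": ")[-1]  # e.g. "both are NATed"
    return sas


def diagnose(text):
    """Summarise Phase 1 (ISAKMP SA, Main Mode) and Phase 2 (IPsec SA, Quick Mode) results."""
    sas = parse_pluto_log(text)
    phase1 = [r for r in sas.values() if any(s.startswith("STATE_MAIN_") for s in r["states"])]
    phase2 = [r for r in sas.values() if any(s.startswith("STATE_QUICK_") for s in r["states"])]
    report = {"phase1": phase1[-1]["outcome"] if phase1 else "not attempted",
              "phase2": phase2[-1]["outcome"] if phase2 else "not attempted"}
    if phase1:
        report["nat"] = phase1[-1]["nat"]
    if phase2:
        last = phase2[-1]
        report["phase2_stalled_at"] = None if last["outcome"] == "established" else last["states"][-1]
        report["phase2_retransmits"] = last["retransmits"]
        report["phase2_policy"] = last["policy"]
    return report


def explain(report):
    """One-line human reading of the report."""
    text = f"Phase 1 {report['phase1']} (NAT-T: {report.get('nat')}); Phase 2 {report['phase2']}"
    if report.get("phase2_stalled_at"):
        text += (f" at {report['phase2_stalled_at']} after {report['phase2_retransmits']} retransmissions;"
                 f" our proposal flags were {'+'.join(report['phase2_policy'])}")
    return text


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Run against the sample it reports Phase 1 established with both ends NATed and Phase 2 failed at STATE_QUICK_I1, which is the pattern of a peer that never answers the first Quick Mode message: Phase 1 parameters (PSK, IDs, NAT-T) are agreed, so the disagreement lies in what Quick Mode proposes, namely the subnets and the policy flags the script extracts.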
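Because `conn firebox` inherits from `conn %default` and the roadwarrior conns chain through `also=`, the Phase 2 parameters actually proposed are not all visible in one section of the file. The checker below is an added example for this thread, not part of the original post and not Openswan code. It parses the ipsec.conf layout shown above (sections introduced by `config setup` or `conn NAME`, indented `key=value` lines, `#` comments), resolves a conn's effective settings with the precedence ipsec.conf(5) describes (the conn's own settings win, then the sections named by `also=` in order, then `%default`), and flags `leftsubnet`/`rightsubnet` values whose host bits are set, as `10.0.1.100/24` in `roadwarrior-net` is. Two defaults are assumed to be Openswan's documented ones (`pfs=yes`, `compress=no`); the embedded config is constructed from the post with documentation addresses in place of the masked ones.

```python
"""Resolve the effective parameters of an ipsec.conf conn and flag subnet values with host bits set.

Added example for this forum thread; it is not part of the original post and not Openswan code.
Precedence implemented: own settings > also= sections (in order, first wins) > conn %default
> ASSUMED_DEFAULTS (assumed to match Openswan's documented defaults for pfs and compress).
"""
import ipaddress
import re

# Constructed sample based on the poster's file; 192.0.2.x / 198.51.100.x replace the masked IPs.
SAMPLE_CONF = """\
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn %default
        keyingtries=3
        compress=yes
        authby=secret
        type=tunnel

conn roadwarrior-net
        leftsubnet=10.0.1.100/24        # host bits set: 10.0.1.0/24 was probably meant
        also=roadwarrior

conn roadwarrior
        pfs=no
        left=192.0.2.10
        right=%any
        rightsubnet=vhost:%no,%priv
        auto=add

conn firebox
        left=198.51.100.5               # (the remote gateway; constructed address)
        leftsubnet=10.2.1.0/24
        right=192.0.2.10
        rightsubnet=10.1.1.0/24
        auto=add
"""

ASSUMED_DEFAULTS = {"pfs": "yes", "compress": "no"}  # assumption: Openswan's documented defaults
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}}; 'also' collects a list of section names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # unindented: a section header or a top-level keyword like version
            m = SECTION_RE.match(line)
            current = sections.setdefault(m.group(2), {}) if m else None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        if key == "also":
            current.setdefault("also", []).append(value)
        else:
            current[key] = value
    return sections


def _resolve(sections, name, seen):
    if name in seen:
        raise ValueError(f"also= loop at {name}")
    seen.add(name)
    own = dict(sections[name])
    params = {k: v for k, v in own.items() if k != "also"}
    for other in own.get("also", []):
        for k, v in _resolve(sections, other, seen).items():
            params.setdefault(k, v)  # keys already set (by the conn or an earlier also=) win
    return params


def effective_conn(sections, name):
    """Resolve a conn's settings: own > also= chain > %default > assumed defaults."""
    params = _resolve(sections, name, set())
    for k, v in sections.get("%default", {}).items():
        if k != "also":
            params.setdefault(k, v)
    for k, v in ASSUMED_DEFAULTS.items():
        params.setdefault(k, v)
    return params


def subnet_issues(params):
    """Flag leftsubnet/rightsubnet values whose host bits are set (e.g. 10.0.1.100/24)."""
    issues = []
    for key in ("leftsubnet", "rightsubnet"):
        value = params.get(key)
        if not value:
            continue
        try:
            ipaddress.ip_network(value)  # strict parse rejects host bits
        except ValueError:
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                continue  # not CIDR at all, e.g. vhost:%no,%priv
            issues.append(f"{key}={value} has host bits set; did you mean {net}?")
    return issues


def phase2_summary(sections, name):
    """The settings Quick Mode proposes and the peer must agree with."""
    p = effective_conn(sections, name)
    return {k: p.get(k) for k in ("leftsubnet", "rightsubnet", "pfs", "compress", "type", "authby")}


if __name__ == "__main__":
    sections = parse_ipsec_conf(SAMPLE_CONF)
    for conn in ("firebox", "roadwarrior-net"):
        print(conn, phase2_summary(sections, conn))
        for issue in subnet_issues(effective_conn(sections, conn)):
            print("  !", issue)
```

For the `firebox` conn the summary shows `compress=yes` inherited from `%default` and `pfs=yes` by default, which matches the `COMPRESS` and `PFS` flags in the Quick Mode line of the transcript; those are the values to compare against what the other gateway is configured to accept.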

----------

