How to Fix "192-SHA1(2)_160 pfsgroup=no-pfs"

This is a error related to openswan configuration. Once you have up and running ipsec, while trying to connect to sonicwall vpn you might get this error.

Error:

002 "sonicwall" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:a0d6gf93 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
117 "sonicwall" #2: STATE_QUICK_I1: initiate
010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for response


 
Solution:

Check your ipsec.conf file and lookout for this parameter
# vi /etc/ipsec.conf
pfs=yes
Make sure the pfs=yes
and restart your ipsec services
# service ipsec restart
# ipsec auto --replace sonicwall
# ipsec whack --name sonicwall --initiate
It should show something like this if connected successfully

004 "sonicwall" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x85c33bdf <0xa66ae231 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Check your vpn connection if you are able to ping the VPN local LAN network.


For complete configuration steps of openswan in RedHat5 with screenshots follow this page
openswan configuration in RedHat5