[Openswan Users] AES-256 SHA1 Group2

Xian Zhang xianzhangmcse at optusnet.com.au
Sat Mar 12 12:03:11 CET 2005


Hi all,

I am trying to set up a VPN connection between openswan and checkpoint. I use AES-256, SHA-1, and Diffie-Hellman Group2

I couldn't get phase 1 to come up; any help would be greatly appreciated.

This is my network connection:

172.xxx.xxx.0/24===149.xxx.xxx.204 ------------------203.xxx.xxx.205===10.xxx.xxx.0/24

Here is my ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.13 2004/03/24 04:14:39 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"

# Add connections here

conn TestConnection
        left=149.xxx.xxx.204
        leftsubnet=172.xxx.xxx.0/24
        leftnexthop=149.xxx.xxx.205
        right=203.xxx.xxx.205
        rightsubnet=10.xxx.xxx.0/24
        rightnexthop=%defaultroute
        ike=aes256-sha!
        esp=aes256-sha1!
        authby=secret
        auto=start
        pfs=no

# sample VPN connection
#sample#        conn sample
#sample#                # Left security gateway, subnet behind it, next hop toward right.
#sample#                left=10.0.0.1
#sample#                leftsubnet=172.16.0.0/24
#sample#                leftnexthop=10.22.33.44
#sample#                # Right security gateway, subnet behind it, next hop toward left.
#sample#                right=10.12.12.1
#sample#                rightsubnet=192.168.0.0/24
#sample#                rightnexthop=10.101.102.103
#sample#                # To authorize this connection, but not actually start it, at startup,
#sample#                # uncomment this.
#sample#                #auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

And this is what I got when I issued "ipsec whack --status":

000 interface ipsec0/eth1 203.xxx.xxx.205
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "TestConnection": 10.xxx.xxx.0/24===203.xxx.xxx.205---203.xxx.xxx.204...149.xxx.xxx.205---149.xxx.xxx.204===172.xxx.xxx.0/24; prospective erouted; eroute owner: #0
000 "TestConnection":     srcip=unset; dstip=unset
000 "TestConnection":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "TestConnection":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 22,24; interface: eth1;
000 "TestConnection":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "TestConnection":   IKE algorithms wanted: 7_256-2-5, 7_256-2-2, flags=strict
000 "TestConnection":   IKE algorithms found:  7_256-2_160-5, 7_256-2_160-2,
000 "TestConnection":   ESP algorithms wanted: 12_256-2, flags=strict
000 "TestConnection":   ESP algorithms loaded: 12_256-2, flags=strict
000
000 #4: "TestConnection" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in34s; nodpd
000 #4: pending Phase 2 for "TestConnection" replacing #0
000


This is what I got in /var/log/message when I tried to start ipsec:

Mar 12 10:17:30 vpngateway kernel: klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.3.0
Mar 12 10:17:30 vpngateway kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
Mar 12 10:17:30 vpngateway kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
Mar 12 10:17:30 vpngateway kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
Mar 12 10:17:30 vpngateway ipsec_setup: KLIPS debug `none'
Mar 12 10:17:30 vpngateway kernel:
Mar 12 10:17:30 vpngateway ipsec_setup: KLIPS ipsec0 on eth1 203.xxx.xxx.205/255.255.255.248 broadcast 203.xxx.xxx.xxx
Mar 12 10:17:31 vpngateway ipsec_setup: ...Openswan IPsec started
Mar 12 10:17:31 vpngateway ipsec_setup: Starting Openswan IPsec 2.3.0...
Mar 12 10:17:31 vpngateway ipsec_setup: Using /lib/modules/2.4.29/kernel/ipsec.o
Mar 12 10:17:31 vpngateway ipsec_setup: ipchains: Protocol not available
Mar 12 10:17:32 vpngateway ipsec__plutorun: 104 "TestConnection" #1: STATE_MAIN_I1: initiate
Mar 12 10:17:32 vpngateway ipsec__plutorun: ...could not start conn "TestConnection"


This is what I got in /var/log/secure when I tried to start ipsec:

Mar 12 10:17:31 vpngateway ipsec__plutorun: Starting Pluto subsystem...
Mar 12 10:17:31 vpngateway pluto[17701]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Mar 12 10:17:31 vpngateway pluto[17701]: Setting port floating to off
Mar 12 10:17:31 vpngateway pluto[17701]: port floating activate 0/1
Mar 12 10:17:31 vpngateway pluto[17701]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 12 10:17:31 vpngateway pluto[17701]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 12 10:17:31 vpngateway pluto[17701]: starting up 1 cryptographic helpers
Mar 12 10:17:31 vpngateway pluto[17701]: started helper pid=17707 (fd:6)
Mar 12 10:17:31 vpngateway pluto[17701]: Using KLIPS IPsec interface code
Mar 12 10:17:31 vpngateway pluto[17701]: Changing to directory '/etc/ipsec.d/cacerts'
Mar 12 10:17:31 vpngateway pluto[17701]: Could not change to directory '/etc/ipsec.d/aacerts'
Mar 12 10:17:31 vpngateway pluto[17701]: Changing to directory '/etc/ipsec.d/ocspcerts'
Mar 12 10:17:31 vpngateway pluto[17701]: Changing to directory '/etc/ipsec.d/crls'
Mar 12 10:17:31 vpngateway pluto[17701]:   Warning: empty directory
Mar 12 10:17:32 vpngateway pluto[17701]: added connection description "TestConnection"
Mar 12 10:17:32 vpngateway pluto[17701]: listening for IKE messages
Mar 12 10:17:32 vpngateway pluto[17701]: adding interface ipsec0/eth1 203.xxx.xxx.205
Mar 12 10:17:32 vpngateway pluto[17701]: loading secrets from "/etc/ipsec.secrets"
Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: initiating Main Mode
Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Mar 12 10:17:32 vpngateway pluto[17701]: "TestConnection" #1: received and ignored informational message
Mar 12 10:30:42 vpngateway pluto[17701]: "TestConnection" #1: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
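As an added example (not part of the original post), a small Python script that decodes the `IKE algorithms wanted`/`found` tokens from `ipsec whack --status` using the `algorithm IKE ...` id tables pluto prints just above them, so the proposal list can be read as names and compared against the peer's configured Phase 1 policy when NO_PROPOSAL_CHOSEN comes back. The `STATUS` string is a constructed excerpt of the status output quoted above, and the token layout `enc_keybits-hash_hashbits-group` is assumed from those printed lines.

```python
import re

# Constructed excerpt of the "ipsec whack --status" output quoted in the post.
STATUS = """\
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 "TestConnection":   IKE algorithms wanted: 7_256-2-5, 7_256-2-2, flags=strict
000 "TestConnection":   IKE algorithms found:  7_256-2_160-5, 7_256-2_160-2,
"""

# Id tables come from "algorithm IKE <kind>: id=N, name=NAME" lines; proposals per conn.
ALG_LINE = re.compile(r'^000 algorithm IKE (encrypt|hash|dh group): id=(\d+), name=([^,]+),')
PROPOSAL_LINE = re.compile(r'^000 "([^"]+)":\s+IKE algorithms (wanted|found):\s*(.*)$')

def parse_alg_tables(text):
    tables = {"encrypt": {}, "hash": {}, "dh group": {}}
    for line in text.splitlines():
        m = ALG_LINE.match(line)
        if m:
            tables[m.group(1)][int(m.group(2))] = m.group(3)
    return tables

def decode_proposal(token, tables):
    # Assumed token format: enc[_keybits]-hash[_hashbits]-group, e.g. 7_256-2-5 or 7_256-2_160-5.
    enc, hsh, grp = token.split("-")
    enc_id, _, enc_bits = enc.partition("_")
    hash_id = hsh.split("_")[0]
    return {
        "enc": tables["encrypt"].get(int(enc_id), "id" + enc_id),
        "enc_bits": int(enc_bits) if enc_bits else None,
        "hash": tables["hash"].get(int(hash_id), "id" + hash_id),
        "group": tables["dh group"].get(int(grp), "id" + grp),
    }

def decode_status(text):
    # Returns {conn: {"wanted": [...], "found": [...]}} with names instead of numeric ids.
    tables = parse_alg_tables(text)
    result = {}
    for line in text.splitlines():
        m = PROPOSAL_LINE.match(line)
        if m:
            conn, kind, rest = m.groups()
            tokens = [t.strip() for t in rest.split(",") if t.strip() and "=" not in t]
            result.setdefault(conn, {})[kind] = [decode_proposal(t, tables) for t in tokens]
    return result
```

On the excerpt above this yields AES-CBC/256 with SHA1 over modp1536 first and modp1024 second for "TestConnection", in that proposal order.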

