<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.12.2">
</HEAD>
<BODY>
On Fri, 2006-11-24 at 08:10 -0500, Peter McGill wrote:
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">On Thu, Nov 23, 2006 Bas Driessen wrote:</FONT>
<FONT COLOR="#000000">> Thanks very much Peter. We may have something here. When I tried to setup the connection a couple of weeks for the first time, the </FONT>
<FONT COLOR="#000000">> VPN server was still set to</FONT>
<FONT COLOR="#000000">> the old DES algorithm. I had to recompile OpenSwan with a WEAK switch (or something like that) to get that to work. In the end I </FONT>
<FONT COLOR="#000000">> got it to go past Phase 1</FONT>
<FONT COLOR="#000000">> and yes you are right, my setting then was ike=des-md5-modp768. Since I did not get past phase 2, I got in contact with this </FONT>
<FONT COLOR="#000000">> mailing list and most of the</FONT>
<FONT COLOR="#000000">> responses were "don't use DES, but 3DES". After that am still getting nowhere and in fact don't get past Phase 1 now. I asked the </FONT>
<FONT COLOR="#000000">> system administrator to</FONT>
<FONT COLOR="#000000">> change to 3DES, which he kindly did. I doubt if he changed the group and that most likely is the cause.</FONT>
<FONT COLOR="#000000">></FONT>
<FONT COLOR="#000000">> Which group should I advise him to change to? Group 2 or 5?</FONT>
<FONT COLOR="#000000">Either is fine, both have sufficient size for 3DES, 5 may be considered stronger security because it has more bits, but either is </FONT>
<FONT COLOR="#000000">fine.</FONT>
</PRE>
</BLOCKQUOTE>
Hi Peter, The Group has been changed to DH 2 and I am able to get past phase 1 now. I am now stuck at phase 2. You suggested that this could be related to incorrect subnets or using a different encryption. Well, the system admin advised me of the subnetmask and that matches. The phase 2 encryption is 3des-md5 which also matches. pfs is set to 'no' at the server end and that also matches. The system admin told me that I should be configured to pull a DHCP ip number. Is this a configuration option in openswan, or is it just part of the 'normal' network settings? <BR>
<BR>
I am running out of ideas/options. Would appreciate if you can give me any additional pointers where things could go wrong or how to debug this.<BR>
<BR>
My current conf file:<BR>
<BR>
conn sonicwall<BR>
type=tunnel<BR>
auto=add<BR>
auth=esp<BR>
pfs=no<BR>
authby=secret<BR>
keyingtries=1<BR>
left=192.168.1.13<BR>
right=66.nnn.nnn.nnn<BR>
rightsubnet=192.168.128.0/24<BR>
#rightsubnet=0.0.0.0/0<BR>
rightid=66.nnn.nnn.nnn<BR>
esp=3des-md5<BR>
keyexchange=ike<BR>
ike=3des-md5-modp1024<BR>
<BR>
<BR>
Current output:<BR>
<BR>
[root@ams ipsec.d]# /usr/sbin/ipsec whack --name sonicwall --initiate<BR>
002 "sonicwall" #1: initiating Main Mode<BR>
104 "sonicwall" #1: STATE_MAIN_I1: initiate<BR>
003 "sonicwall" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]<BR>
002 "sonicwall" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03<BR>
002 "sonicwall" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>
106 "sonicwall" #1: STATE_MAIN_I2: sent MI2, expecting MR2<BR>
003 "sonicwall" #1: ignoring unknown Vendor ID payload [da8e937880010000]<BR>
003 "sonicwall" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]<BR>
003 "sonicwall" #1: received Vendor ID payload [XAUTH]<BR>
002 "sonicwall" #1: I did not send a certificate because I do not have one.<BR>
003 "sonicwall" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-00/01: i am NATed<BR>
002 "sonicwall" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<BR>
108 "sonicwall" #1: STATE_MAIN_I3: sent MI3, expecting MR3<BR>
002 "sonicwall" #1: Main mode peer ID is ID_IPV4_ADDR: '66.nnn.nnn.nnn'<BR>
002 "sonicwall" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<BR>
004 "sonicwall" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<BR>
002 "sonicwall" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}<BR>
117 "sonicwall" #2: STATE_QUICK_I1: initiate<BR>
010 "sonicwall" #2: STATE_QUICK_I1: retransmission; will wait 20s for response<BR>
<BR>
<BR>
</BODY>
</HTML>