Hi all<br><br> I am making a vpn tunnel Net to Roadworrier. I have problem when I enable ike=des-md5-modp3072 in both ipsec.conf. <br><br>Here is my ipsec.conf file<br>version 2.0<br><br>config setup<br> interfaces=%defaultroute<br> nat_traversal=yes<br><br>conn %default<br> keyingtries=1<br><br>conn netone<br> left=10.10.136.190<br> leftsubnet=192.0.0.0/8<br> leftrsasigkey=%cert<br> leftcert=host.example.com.pem<br> right=10.10.136.191<br> rightsubnet=11.0.0.0/8<br> rightrsasigkey=%cert<br> rightcert=clienthost.example.com.pem<br> authby=rsasig<br> also=policy3<br> auto=start<br><br>conn policy3<br> keyexchange=ike<br> aggrmode=no<br> ike=des-md5-modp3072<br> ikelifetime=1h<br> esp=aes128-md5<br> pfs=no<br>
compress=no<br> keylife=1h<br> failureshunt=passthrough<br><br><br>#Disable Opportunistic Encryption<br>include /etc/ipsec.d/examples/no_oe.conf<br><br>This is my output of command: ipsec auto --status<br>interface lo/lo ::1<br>000 interface lo/lo 127.0.0.1<br>000 interface lo/lo 127.0.0.1<br>000 interface eth0/eth0 10.10.136.191<br>000 interface eth0/eth0 10.10.136.191<br>000 interface eth1/eth1 11.11.11.11<br>000 interface eth1/eth1 11.11.11.11<br>000 %myid = (none)<br>000 debug none<br>000<br>000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64<br>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192<br>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448<br>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0<br>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP
encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256<br>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<br>000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0<br>000<br>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<br>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>000 algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536<br>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>000<br>000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,336} attrs={0,1,224}<br>000<br>000 "netone": 11.0.0.0/8===10.10.136.191[C=US, ST=State, L=City, O=ExampleCo, CN=clienthost.example.com, E=clientuser@example.com]...10.10.136.190[C=US, ST=State, L=City, O=ExampleCo, CN=host.example.com, E=user@example.com]===192.0.0.0/8; prospective erouted; eroute owner: #0<br>000 "netone": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;<br>000 "netone": CAs: 'C=US, ST=State, L=City,
O=ExampleCo, CN=CA, E=ca@example.com'...'C=US, ST=State, L=City, O=ExampleCo, CN=CA, E=ca@example.com'<br>000 "netone": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1<br>000 "netone": policy: RSASIG+ENCRYPT+TUNNEL+UP+failurePASS; prio: 8,8; interface: eth0; encap: esp;<br>000 "netone": newest ISAKMP SA: #0; newest IPsec SA: #0;<br>000 "netone": IKE algorithms wanted: DES_CBC(1)_000-MD5(1)-MODP3072(15); flags=strict<br>000 "netone": IKE algorithms found: DES_CBC(1)_000-MD5(1)-MODP3072(15); flags=strict<br>000 "netone": ESP algorithms wanted: AES(12)_128-MD5(1); flags=strict<br>000 "netone": ESP algorithms loaded: AES(12)_128-MD5(1); flags=strict<br>000<br>000 #1: "netone":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 6s; nodpd<br>000 #1: pending Phase 2 for "netone" replacing #0<br><br><br>Here is my log from
/var/log/auth.log<br><br>Jun 23 03:48:51 localhost ipsec__plutorun: Starting Pluto subsystem...<br>Jun 23 03:48:52 localhost pluto[26197]: Starting Pluto (Openswan Version 2.4.8 PLUTO_SENDS_VENDORID PLUTO_USES<br>_KEYRR; Vendor ID OEtQ@pxNq\177W`)<br>Jun 23 03:48:52 localhost pluto[26197]: Setting NAT-Traversal port-4500 floating to on<br>Jun 23 03:48:52 localhost pluto[26197]: port floating activation criteria nat_t=1/port_fload=1<br>Jun 23 03:48:52 localhost pluto[26197]: including NAT-Traversal patch (Version 0.6c)<br>Jun 23 03:48:52 localhost pluto[26197]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)<br>Jun 23 03:48:52 localhost pluto[26197]: starting up 1 cryptographic helpers<br>Jun 23 03:48:52 localhost pluto[26197]: started helper pid=26200 (fd:6)<br>Jun 23 03:48:52 localhost pluto[26197]: Using NETKEY IPsec interface code on 2.6.18.1<br>Jun 23 03:48:52 localhost pluto[26197]: Changing to directory
'/etc/ipsec.d/cacerts'<br>Jun 23 03:48:52 localhost pluto[26197]: loaded CA cert file 'cacert.pem' (1155 bytes)<br>Jun 23 03:48:52 localhost pluto[26197]: Changing to directory '/etc/ipsec.d/aacerts'<br>Jun 23 03:48:52 localhost pluto[26197]: Changing to directory '/etc/ipsec.d/ocspcerts'<br>Jun 23 03:48:52 localhost pluto[26197]: Changing to directory '/etc/ipsec.d/crls'<br>Jun 23 03:48:52 localhost pluto[26197]: loaded crl file 'crl.pem' (467 bytes)<br>Jun 23 03:48:55 localhost pluto[26197]: loaded host cert file '/etc/ipsec.d/certs/host.example.com.pem' (348<br>9 bytes)<br>Jun 23 03:48:55 localhost pluto[26197]: loaded host cert file '/etc/ipsec.d/certs/clienthost.example.com.pem<br>' (3518 bytes)<br>Jun 23 03:48:55 localhost pluto[26197]: added connection description "netone"<br>Jun 23 03:48:56 localhost pluto[26197]: listening for IKE messages<br>Jun 23 03:48:56 localhost pluto[26197]: adding interface eth1/eth1
11.11.11.11:500<br>Jun 23 03:48:56 localhost pluto[26197]: adding interface eth1/eth1 11.11.11.11:4500<br>Jun 23 03:48:56 localhost pluto[26197]: adding interface eth0/eth0 10.10.136.191:500<br>Jun 23 03:48:56 localhost pluto[26197]: adding interface eth0/eth0 10.10.136.191:4500<br>Jun 23 03:48:56 localhost pluto[26197]: adding interface lo/lo 127.0.0.1:500<br>Jun 23 03:48:56 localhost pluto[26197]: adding interface lo/lo 127.0.0.1:4500<br>Jun 23 03:48:56 localhost pluto[26197]: adding interface lo/lo ::1:500<br>Jun 23 03:48:56 localhost pluto[26197]: loading secrets from "/etc/ipsec.secrets"<br>Jun 23 03:48:56 localhost pluto[26197]: loaded private key file '/etc/ipsec.d/private/clienthost.example.com.key' (1659 bytes)<br>Jun 23 03:48:57 localhost pluto[26197]: "netone" #1: initiating Main Mode<br>Jun 23 03:48:57 localhost pluto[26197]: | ike_alg_db_new() ike enc ealg=1 not present<br>Jun 23 03:48:57 localhost pluto[26197]: packet from 10.10.136.190:500:
ignoring informational payload, type NO_PROPOSAL_CHOSEN<br>Jun 23 03:48:57 localhost pluto[26197]: packet from 10.10.136.190:500: received and ignored informational message<br>Jun 23 03:49:07 localhost pluto[26197]: packet from 10.10.136.190:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN<br>Jun 23 03:49:07 localhost pluto[26197]: packet from 10.10.136.190:500: received and ignored informational message<br>Jun 23 03:49:27 localhost pluto[26197]: packet from 10.10.136.190:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN<br>Jun 23 03:49:27 localhost pluto[26197]: packet from 10.10.136.190:500: received and ignored informational message<br><br><br>If I disable ike=des-md5-modp3072 in both ipsec.conf file then it establish the tunnel. So can any one help me to solve this problem. This problem is same when I establish tunnel with psk and rsa keys. <br><br>If I use other algorithm blowfish in place of des in ike then it also gives the same
error.<br><br>Any one help out.<br><p>
<hr size=1>Need a vacation? <a href="http://us.rd.yahoo.com/evt=48256/*http://travel.yahoo.com/;_ylc=X3oDMTFhN2hucjlpBF9TAzk3NDA3NTg5BHBvcwM1BHNlYwNncm91cHMEc2xrA2VtYWlsLW5jbQ--">Get great deals
to amazing places </a>on Yahoo! Travel. <p> 
<hr size=1>Sick sense of humor? Visit Yahoo! TV's
<a href="http://us.rd.yahoo.com/evt=47093/*http://tv.yahoo.com/collections/222">Comedy with an Edge </a>to see what's on, when.