<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Peter,<br>
<br>
The other end changed the DH group to 2 from 1 and it worked!!!<br>
<br>
<pre class="moz-signature" cols="72">Thanks and Best regards
Atul Chaudhari
Systems and Database Administrator
</pre>
<br>
<br>
Atul Chaudhari wrote:
<blockquote cite="mid46F8B4EC.70800@pmmpay.com" type="cite">
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
Hi Peter,<br>
<br>
Yes, both sides are behind a NATing router.<br>
<br>
<pre class="moz-signature" cols="72">Thanks and Best regards
Atul Chaudhari
Systems and Database Administrator
</pre>
<br>
<br>
Peter McGill wrote:
<blockquote cite="mid003701c7feb3$b204d250$350315ac@ghport3"
type="cite">
<pre wrap="">First off, Diffie-Hellman (DH) Group 1 (768-bit) is insecure.
Openswan will not allow it by default, and it shouldn't.
Change your Cisco to Group 2 (1024-bit) or Group 5 (1536-bit) instead.
Your Cisco is using 3DES with MD5.
So with the new DH-Group settings your ipsec.conf should have:
        ike=3des-md5-modp1024,3des-md5-modp1536
        esp=3des-md5
The retry error you're experiencing is also often caused by NAT or a firewall.
Your left and right IP addresses are inside your leftsubnet and rightsubnet, respectively.
Are both sides behind NATing routers? I'm not sure if that will work.
IPSec works best if your IPSec routers both have public internet IP addresses.
These addresses go in left and right, not the private lan IP addresses.
If either IPSec router does not have a public internet IP address, then you will need NAT-Traversal (NAT-T).
Peter McGill
</pre>
<blockquote type="cite">
<pre wrap="">-----Original Message-----
From: <a class="moz-txt-link-abbreviated"
href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a>
[<a class="moz-txt-link-freetext"
href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</a>] On Behalf Of Atul Chaudhari
Sent: September 24, 2007 5:32 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:users@openswan.org">users@openswan.org</a>
Subject: [Openswan Users] OPENSWAN -- Cisco VPN concentrator
Hello,
I am configuring a VPN LAN-LAN connection between a Linux Openswan and a
Cisco VPN Concentrator 3000 series.
I get this message in ipsec whack --status
[root@dexter ~]# ipsec whack --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,17,36} trans={0,17,336} attrs={0,17,224}
000
000 "netnet": 192.168.2.0/24===192.168.1.2---192.168.1.1---192.168.20.1[192.168.22.22]===10.10.10.0/24; unrouted; eroute owner: #0
</pre>
</blockquote>
<blockquote type="cite">
<pre wrap="">
000 "netnet": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "netnet": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "netnet": policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; interface: eth0;
000 "netnet": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "netnet": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "netnet": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "netnet": ESP algorithms wanted: 3_168-1, 3_168-2, flags=-strict
000 "netnet": ESP algorithms loaded: 3_168-1, 3_168-2, flags=-strict
000
000
My ipsec.conf file is
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        # plutodebug="control parsing"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # nat_traversal=yes
        # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
        #nat_traversal=yes
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        uniqueids=yes
        plutowait=no
conn netnet
        type=tunnel
        authby=secret
        keyexchange=ike
        ike=3des
        dpdaction=clear
        left=192.168.1.2                # Local vitals
        leftsubnet=192.168.1.0/24       #
        right=192.168.20.1              # Remote vitals
        rightid=192.168.22.22
        rightnexthop=%defaultroute
        rightsubnet=192.168.20.0/24
        esp=3DES-168
        pfs=no
        auto=add                        # authorizes but doesn't start this
                                        # connection at startup
include /etc/ipsec.d/examples/no_oe.conf
On giving the command ipsec auto --verbose --up netnet I get these messages
002 "netnet" #17: initiating Main Mode
104 "netnet" #17: STATE_MAIN_I1: initiate
002 "netnet" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "netnet" #17: STATE_MAIN_I2: sent MI2, expecting MR2
003 "netnet" #17: received Vendor ID payload [Cisco-Unity]
003 "netnet" #17: received Vendor ID payload [XAUTH]
003 "netnet" #17: ignoring unknown Vendor ID payload [fe6bf25053e7fbd74022c8d5039641fc]
003 "netnet" #17: ignoring Vendor ID payload [Cisco VPN 3000 Series]
002 "netnet" #17: I did not send a certificate because I do not have one.
002 "netnet" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "netnet" #17: STATE_MAIN_I3: sent MI3, expecting MR3
003 "netnet" #17: received Vendor ID payload [Dead Peer Detection]
002 "netnet" #17: Main mode peer ID is ID_IPV4_ADDR: '192.168.22.22'
002 "netnet" #17: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "netnet" #17: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "netnet" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#17}
117 "netnet" #18: STATE_QUICK_I1: initiate
010 "netnet" #18: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "netnet" #18: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "netnet" #18: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "netnet" #18: starting keying attempt 2 of an unlimited number, but releasing whack
It then comes back to the shell prompt and no connection is established.
Is this due to IKE algorithms not found?
The router is not at my end, but these are the details I got from the
admin at the other end.
|VPN Schema              |                      |IKE                      |
|------------------------+----------------------+-------------------------|
|Authentication Mode     |                      |Preshared Keys           |
|------------------------+----------------------+-------------------------|
|Authentication Algorithm|                      |MD5/HMAC-128             |
|------------------------+----------------------+-------------------------|
|Encryption Algorithm    |                      |3DES-168                 |
|------------------------+----------------------+-------------------------|
|Diffie-Hellman Group    |                      |Group 1 (768-bits)       |
|------------------------+----------------------+-------------------------|
|IKE Time Lifetime       |                      |86400                    |
|------------------------+----------------------+-------------------------|
|Authentication          |                      |ESP/MD5/HMAC-128         |
Any suggestion appreciated.
Thanks,
Atul Chaudhari
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext"
href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
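Added example (this editor's code, not Openswan's and not from any message above): it decodes the numeric proposal notation in Atul's ipsec whack --status output and checks a local ike= value against the Cisco's published IKE policy, which is the comparison Peter makes by hand in his reply. The algorithm IDs are the ones that status output lists; the mapping of DH group 1 to modp768 is assumed from RFC 2409, since Openswan does not list that group. The expansion of a bare ike=3des follows the "IKE algorithms wanted" line Atul posted, and the status lines in the usage section are copied from his output.<br>

```python
"""Decode the proposal notation in `ipsec whack --status` and check whether
the local ike= line can meet the peer's IKE policy.

Added example for the thread above, not Openswan code. Numeric IDs come from
the status output quoted in the thread (IKE encrypt 5=3DES, 7=AES; IKE hash
1=MD5, 2=SHA1; DH groups 2/5/14/15/16/17/18; ESP encrypt 3=3DES, 12=AES;
ESP auth 1=HMAC_MD5, 2=HMAC_SHA1). DH group 1 (modp768) is assumed from
RFC 2409; Openswan's status output does not list it because it is not offered.
"""

IKE_ENC = {5: "3des", 7: "aes"}
IKE_HASH = {1: "md5", 2: "sha1"}
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
             15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192"}
DH_BY_NAME = {name: gid for gid, name in DH_GROUPS.items()}
ESP_ENC = {3: "3des", 12: "aes"}
ESP_AUTH = {1: "md5", 2: "sha1"}

# DH groups the Openswan in the thread actually offers (per its status output).
OPENSWAN_OFFERED_GROUPS = frozenset(DH_GROUPS) - {1}


def _split_id(field):
    """'5_192' -> (5, 192); '5_000' or '5' -> (5, 0). 0 means 'default length'."""
    ident, _, length = field.partition("_")
    return int(ident), int(length or 0)


def decode_ike_token(token):
    """'5_192-1_128-5' -> ('3des', 192, 'md5', 128, 'modp1536')."""
    enc, hsh, grp = token.strip().split("-")
    enc_id, enc_len = _split_id(enc)
    hash_id, hash_len = _split_id(hsh)
    return (IKE_ENC[enc_id], enc_len, IKE_HASH[hash_id], hash_len,
            DH_GROUPS[int(grp)])


def decode_esp_token(token):
    """'3_168-1' -> ('3des', 168, 'md5')."""
    enc, auth = token.strip().split("-")
    enc_id, enc_len = _split_id(enc)
    return (ESP_ENC[enc_id], enc_len, ESP_AUTH[int(auth)])


def decode_status_line(line):
    """Decode the token list after 'wanted:', 'found:' or 'loaded:' in one
    `whack --status` line; a trailing 'flags=...' field is ignored."""
    _, _, rest = line.rpartition(":")
    rest = rest.split("flags=")[0]
    tokens = [t.strip() for t in rest.split(",") if t.strip()]
    decode = decode_esp_token if "ESP" in line else decode_ike_token
    return [decode(t) for t in tokens]


def parse_ike_line(ike):
    """Expand an ipsec.conf ike= value into (enc, hash, dh_group_id) triples.

    A bare cipher such as ike=3des is expanded the way the thread's
    'IKE algorithms wanted' line shows: modp1536 then modp1024, each with
    md5 then sha1.
    """
    proposals = []
    for item in ike.split(","):
        parts = item.strip().lower().split("-")
        enc = parts[0]
        hashes = [parts[1]] if len(parts) > 1 else ["md5", "sha1"]
        groups = [parts[2]] if len(parts) > 2 else ["modp1536", "modp1024"]
        for group in groups:
            for hsh in hashes:
                proposals.append((enc, hsh, DH_BY_NAME[group]))
    return proposals


def build_ike_line(proposals):
    """Inverse of parse_ike_line: [('3des','md5',2), ...] -> '3des-md5-modp1024,...'."""
    return ",".join("%s-%s-%s" % (enc, hsh, DH_GROUPS[gid])
                    for enc, hsh, gid in proposals)


def check_against_peer(ike, peer):
    """Return (matching proposals, reason) for a local ike= value and a peer
    policy (enc, hash, dh_group_id), e.g. the Cisco's ('3des', 'md5', 1)."""
    local = parse_ike_line(ike)
    matches = [p for p in local if p == peer]
    if matches:
        return matches, "ok"
    enc, hsh, gid = peer
    if gid not in OPENSWAN_OFFERED_GROUPS:
        return [], ("peer proposes DH group %d (%s), which Openswan does not "
                    "offer; move the peer to group 2 (modp1024) or 5 (modp1536)"
                    % (gid, DH_GROUPS[gid]))
    return [], "no local proposal matches %s-%s-%s; add it to ike=" % (
        enc, hsh, DH_GROUPS[gid])


if __name__ == "__main__":
    # Status lines copied from the output quoted in the thread.
    print(decode_status_line('000 "netnet": IKE algorithms found: 5_192-1_128-5, '
                             '5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,'))
    print(decode_status_line('000 "netnet": ESP algorithms loaded: 3_168-1, 3_168-2, flags=-strict'))
    # Atul's original ike=3des against the Cisco's group 1 policy: no match.
    print(check_against_peer("3des", ("3des", "md5", 1)))
    # Peter's suggested line against a Cisco moved to group 2: match.
    print(check_against_peer("3des-md5-modp1024,3des-md5-modp1536", ("3des", "md5", 2)))
```

Decoded, the "found" line reads 3des(192)-md5(128)-modp1536 and so on: every local proposal carries group 5 or 2, so a peer that only offers group 1 can never intersect, which is why the fix was on the Cisco side rather than in ipsec.conf.<br>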
</body>
</html>