<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Just received an e-mail saying that they use 256 bit so I changed the
config to:<br>
<br>
ike=aes256-sha1-modp1024
<br>
esp=aes256-sha1<br>
<br>
Now it seems to pass step 1 and then it stays with:<br>
<br>
Feb 23 17:05:41 fw pluto[19900]: "VPN" #17: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP to replace #16 {using isakmp#3}<br>
Feb 23 17:06:51 fw pluto[19900]: "VPN" #17: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal<br>
Feb 23 17:06:51 fw pluto[19900]: "VPN" #17: starting keying attempt 12
of an unlimited number<br>
Feb 23 17:06:51 fw pluto[19900]: "VPN" #18: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP to replace #17 {using isakmp#3}<br>
<br>
What could be the problem here? Is there some more debug info I can
turn on?<br>
<br>
I really hope that the book "<i>Building and Integrating Virtual Private
Networks with Openswan</i>" that I have ordered will arrive soon. I
will surely need it.<br>
<br>
BR<br>
<br>
Magnus<br>
<br>
<br>
<blockquote cite="mid:499ECD28.20902@goco.net" type="cite">
<blockquote type="cite">
<br>
<blockquote type="cite">Nothing in the information suggests that
256 bit AES is required.
<br>
Also esp doesn't allow you to enter a DH group, instead it uses the
same
<br>
group as phase 1 ike.
<br>
I suggest the following changes accordingly, otherwise your conn looks
good.
<br>
ike=aes-sha1-modp1024
<br>
esp=aes-sha1
<br>
<br>
Peter McGill
<br>
IT Systems Analyst
<br>
Gra Ham Energy Limited <br>
<blockquote type="cite">-----Original Message-----
<br>
From: <a class="moz-txt-link-abbreviated" href="mailto:users-bounces@openswan.org">users-bounces@openswan.org</a> [<a class="moz-txt-link-freetext" href="mailto:users-bounces@openswan.org">mailto:users-bounces@openswan.org</a>] On
Behalf Of Magnus Holmberg
<br>
Sent: February 18, 2009 2:16 PM
<br>
To: <a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<br>
Subject: [Openswan Users] Config file Question.
<br>
<br>
I would like to set up a VPN connection to another server and received the
information that it should be set up like:
<br>
<br>
Encryption method: IKE
<br>
Transforms: ESP
<br>
<br>
IKE Phase1:
<br>
Encryption algorithm: AES
<br>
Hash method: SHA1
<br>
Diffie-Hellman group: 2 (1024 bits)
<br>
IKE key lifetime: 28800sec
<br>
<br>
IKE Phase2:
<br>
Encryption algorithm: AES
<br>
Hash method: SHA1
<br>
Diffie-Hellman group: 2 (1024 bits)
<br>
IPsec key lifetime: 3600sec
<br>
Aggressive mode: disabled
<br>
<br>
<br>
Can someone help me with the config here?
<br>
I.e. I wonder what the esp= and ike= should be set to.
<br>
<br>
<br>
Is this correct:
<br>
<br>
conn VPN
<br>
authby=secret
<br>
auto=start
<br>
rekey =yes
<br>
left=x.x.x.x
<br>
leftsubnet=x.x.x.x.192/28
<br>
auth = esp
<br>
keyexchange=ike
<br>
ikelifetime=28800s
<br>
keylife=3600s
<br>
right=y.y.y.y
<br>
rightsubnet=y.y.y/29
<br>
ike=aes256-sha1-modp1024
<br>
esp=aes256-sha1-modp1024
<br>
dpddelay=3
<br>
dpdtimeout=120
<br>
dpdaction=restart
<br>
aggrmode=no
<br>
<br>
_______________________________________________
<br>
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<br>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
<br>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-294632">http://www.amazon.com/gp/product/1904811256/104-3099591-294632</a>
<br>
7?n=283155
<br>
</blockquote>
<br>
</blockquote>
</blockquote>
</blockquote>
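As an added illustration (not part of the thread or of Openswan itself), the following Python script compares a conn block like the one posted above against the peer's stated phase 1 / phase 2 parameters and lists the mismatches that typically end in "perhaps peer likes no proposal". The conn text and the peer requirement table are constructed from the messages above; the assumption that a bare "aes" in ike=/esp= means aes128 follows Openswan's defaults.

```python
import re

# Constructed from the thread: what the peer stated, and the conn Magnus posted.
PEER = {
    "phase1": {"enc": "aes", "hash": "sha1", "group": "modp1024", "life": 28800},
    "phase2": {"enc": "aes", "hash": "sha1", "life": 3600},
}
CONN_TEXT = """conn VPN
    authby=secret
    ikelifetime=28800s
    keylife=3600s
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
"""

def parse_conn(text):
    """Collect key=value lines of one conn block; tolerates spaces around '='."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_proposal(spec):
    """'aes256-sha1-modp1024' -> ('aes', 256, 'sha1', 'modp1024'); missing parts are None."""
    parts = (spec.split("-") + [None, None])[:3]
    m = re.fullmatch(r"(\w+?)(\d+)?", parts[0])
    return m.group(1), int(m.group(2)) if m.group(2) else None, parts[1], parts[2]

def check_conn(conf, peer):
    """Return findings that commonly explain a Quick Mode (phase 2) proposal rejection."""
    findings = []
    enc1, bits1, hash1, group1 = parse_proposal(conf["ike"])
    enc2, bits2, hash2, group2 = parse_proposal(conf["esp"])
    if (enc1, hash1, group1) != (peer["phase1"]["enc"], peer["phase1"]["hash"], peer["phase1"]["group"]):
        findings.append("ike: differs from peer phase 1 (alg/hash/group)")
    if group2 is not None:  # esp= takes no DH group; the phase 1 group is reused
        findings.append("esp: drop the DH group, esp= reuses the phase 1 group")
    if (enc2, hash2) != (peer["phase2"]["enc"], peer["phase2"]["hash"]):
        findings.append("esp: differs from peer phase 2 (alg/hash)")
    for side, bits, phase in (("ike", bits1, "phase1"), ("esp", bits2, "phase2")):
        want = peer[phase].get("bits")  # None when the peer only said 'AES'
        if want is None and bits not in (None, 128):
            findings.append(f"{side}: aes{bits} given but peer stated only 'AES' (plain aes is aes128); confirm key size")
        elif want is not None and (bits or 128) != want:
            findings.append(f"{side}: aes key size {bits or 128} but peer uses {want}")
    for key, phase in (("ikelifetime", "phase1"), ("keylife", "phase2")):
        secs = int(conf.get(key, "0").rstrip("s"))
        if secs != peer[phase]["life"]:
            findings.append(f"{key}: {secs}s differs from peer {peer[phase]['life']}s")
    return findings

if __name__ == "__main__":
    for finding in check_conn(parse_conn(CONN_TEXT), PEER):
        print(finding)
```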
</body>
</html>