<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
<META content="MSHTML 6.00.6001.18294" name=GENERATOR></HEAD>
<BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px" leftMargin=0
topMargin=0 CanvasTabStop="true" name="Compose message area">
<DIV><FONT face=Arial size=2>Been up all night and discovered that V-IPSecure
uses Racoon as part of its embedded VPN solution. Now that I understand that, it
makes things pretty clear.... </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I did some research, Paul, and discovered that you
commented about this very subject this time last year (July 08, to be exact).
What is the exact syntax for the use of AH in the ipsec.conf file? I looked at
the ipsec.conf man page, which reads:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>
<DL>
<DT><B>phase2</B></DT>
<DD>Sets the type of SA that will be produced. Valid options are: <B>esp</B> for
encryption (the default), and <B>ah</B> for authentication only.</DD>
<DT><B>phase2alg</B></DT>
<DD>Specifies the algorithms that will be offered/accepted for a phase2
negotiation. If not specified, a secure set of defaults will be used.
<P>The format for ESP is ENC-AUTH followed by an optional PFSgroup. For
instance, "3des-md5" or "aes256-sha1-modp2048". </P>
<P>The format for AH is AUTH followed by an optional PFSgroup. For instance,
"md5" or "sha1-modp1536". </P></DD>
</DL></DIV>
<P><FONT face=Arial size=2>I am confused about which option to use for Openswan.
Could you point me in the right direction?</FONT></P>
<P><FONT face=Arial size=2></FONT> </P>
<P><FONT face=Arial size=2>Thanks in advance.</FONT></P>
<P><FONT face=Arial size=2>JT</FONT></P>
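<P><FONT face=Arial size=2>As an added example (not part of this thread and not
Openswan's own documentation), here is how the two options from the man page
excerpt above, <B>phase2</B> and <B>phase2alg</B>, sit inside a complete
ipsec.conf conn. It is written for the scenario in the quoted message below:
certificate (RSA signature) authentication between an Openswan gateway and a
racoon-based peer, with AH instead of ESP for phase 2. The conn name,
addresses, subnets, certificate filename and distinguished names are
placeholders, not values from the thread.</FONT></P>

```ini
# Added example, not from the original thread or the Openswan project.
# An ipsec.conf conn that (a) authenticates both gateways with X.509
# certificates and (b) uses AH rather than ESP for phase 2.
# All addresses, subnets, the cert filename and the DNs are placeholders.

config setup
        protostack=netkey
        # Raise this only while debugging; it logs IKE state detail to syslog.
        plutodebug="control controlmore"

conn ait-to-home
        type=tunnel
        authby=rsasig
        keyexchange=ike
        # --- local (Openswan) side ---
        left=192.0.2.1
        leftsubnet=10.0.0.0/24
        # File under /etc/ipsec.d/certs; private key in /etc/ipsec.d/private
        leftcert=wizbang8.pem
        leftrsasigkey=%cert
        leftid="C=US, O=Example, CN=wizbang8"
        # --- remote (V-IPSecure / racoon) side ---
        right=198.51.100.1
        rightsubnet=10.0.1.0/24
        rightrsasigkey=%cert
        # Peer cert must chain to the same CA that issued ours
        rightca=%same
        # Must equal the ID the peer actually sends in main mode. With
        # certificates that is normally the certificate subject DN. A peer
        # that instead sends its IP address (ID_IPV4_ADDR) will not match a
        # DN here, and pluto logs "no suitable connection for peer".
        rightid="C=US, O=Example, CN=srxn3205"
        # Phase 1 proposal (placeholder; adjust to what the peer offers)
        ike=aes128-sha1;modp1024
        # Phase 2 per the ipsec.conf(5) excerpt:
        #   phase2=ah    -> authentication only, no encryption
        #   phase2alg    -> AUTH algorithm only; there is no ENC part for AH
        phase2=ah
        phase2alg=sha1
        pfs=yes
        auto=add
```

<P><FONT face=Arial size=2>Two caveats a practitioner would want before
choosing <B>phase2=ah</B>: AH gives integrity and origin authentication only,
so the tunnelled traffic travels in cleartext, and because AH's integrity check
also covers the outer IP header it cannot pass through NAT (there is no NAT-T
for AH), which is why ESP is the default. Both ends must agree on ESP vs AH, or
phase 2 will fail even when phase 1 succeeds. The PFS-group suffix for
<B>phase2alg</B> is left out above; copy its exact form from the ipsec.conf(5)
man page shipped with the installed Openswan version, since the separator has
differed between releases.</FONT></P>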
<DIV style="FONT: 10pt Tahoma">
<DIV><FONT face=Arial></FONT><BR></DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=tstrike34@gmail.com
href="mailto:tstrike34@gmail.com">JT Edwards</A> </DIV>
<DIV><B>Sent:</B> Wednesday, September 02, 2009 2:09 AM</DIV>
<DIV><B>To:</B> <A title=users@openswan.org
href="mailto:users@openswan.org">users@openswan.org</A> </DIV>
<DIV><B>Subject:</B> Openswan and V-IPSecure</DIV></DIV></DIV>
<DIV><BR></DIV>
<DIV>To all:<BR><BR>I have researched all the material that is in the
archives.<BR><BR>I configured V-IPSecure for IKE VPN with certificates. After
following the instructions for generating certificates (to include a key) I
attempted to start a connection to an Openswan VPN gateway. We reach the 2nd stage
of the IKE negotiations when I get these messages:</DIV>
<PRE>
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45.6 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: ignoring Vendor ID payload [KAME/racoon]
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: Main mode peer ID is ID_IPV4_ADDR: '22.45.'
Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: no suitable connection for peer '22.45.'
Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: sending encrypted notification INVALID_ID_INFORMATION to 22.45. :500
</PRE>
<DIV>On the router, here is what the VPN log reads (wish it were more
verbose):</DIV>
<PRE>
2009 Sep 1 18:47:31 [SRXN3205] [IKE] Ignore information because ISAKMP-SA has not been established yet._
2009 Sep 1 18:47:40 [SRXN3205] [IKE] The packet is retransmitted by 16.16.[500]._
2009 Sep 1 18:47:40 [SRXN3205] [IKE] Ignore information because ISAKMP-SA has not been established yet._
- Last output repeated twice -
2009 Sep 1 18:47:46 [SRXN3205] [IKE] an undead schedule has been deleted: 'isakmp_chkph1there'._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] IPSec configuration with identifer "ait_torden" deleted sucessfully_
2009 Sep 1 18:47:46 [SRXN3205] [IKE] no phase2 bounded._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] Purged ISAKMP-SA with spi=f3a834564cf15bf4:a5645e2c7414e4fd._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] an undead schedule has been deleted: 'purge_remote'._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] an undead schedule has been deleted: 'isakmp_ph1resend'._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] IKE configuration with identifier "wizbang8" deleted sucessfully_
2009 Sep 1 18:48:00 [SRXN3205] [IKE] The packet is retransmitted by 209.198.[500]._
</PRE>
<DIV>I followed the certs instructions to a T.... Where am I going wrong? Is
there some way I can see what is being transmitted to the Openswan server and
what it is sending back?</DIV>
<DIV>Here is what I am trying to do... I am trying to get my SRXN3207 to connect
to an Openswan VPN server using certificates.... The vendor ID in the IKE
negotiations identifies the V-IPSecure vendor as racoon.<BR><BR>I guess I could
look up racoon-to-Openswan VPN gateway-to-gateway connections.<BR><BR>PSK is
rather insecure and at times doesn't work.<BR><FONT face=Arial
size=2></FONT><BR></DIV></BODY></HTML>