<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
Hi Paul, <br>
<br>
i am using the Openswan 2.6.24 in two gateways<br>
<br>
<big><big>Test scenario 1:</big></big><br>
<br>
The difference between two gateways is ike group. gateway1 is group1
and gateway2 is group 5, other configuration is all the same.<br>
<br>
Test procedure:<br>
1. Initiator from gateway1 group1 to gateway2 group 5, test result
please see attached file-name: ipsec-ike-diff-group-init-by-group1.log<br>
2. Initiator from gateway2 group5 to gateway1 group 1, test result
please see attached file-name: ipsec-ike-diff-group-init-by-group5.log<br>
<br>
Seems the negotiated configuration will fallow the initiator if the
configuration between two gateways is not the same.<br>
<big><br>
gateway 1 config</big><br>
=======<br>
ipsec.conf<br>
=======<br>
version 2.0<br>
<br>
config setup<br>
interfaces="ipsec0=lo ipsec1=eth2 ipsec3=eth10"<br>
protostack=klips<br>
klipsdebug=none<br>
plutodebug=none<br>
uniqueids=yes<br>
plutostderrlog="/dev/null"<br>
<br>
conn %default<br>
type=tunnel<br>
auth=esp<br>
authby=secret<br>
<br>
include /etc/ipsec.d/conf/ipsec.*.conf<br>
include /etc/ipsec.d/conf/site.*.conf<br>
<br>
<br>
=============<br>
site.gateway1.conf<br>
=============<br>
<br>
conn site_192.168.123.0_24-192.168.1.0_24<br>
left=10.29.3.225<br>
leftsubnet=192.168.123.0/24<br>
right=10.29.3.195<br>
rightsubnet=192.168.1.0/24<br>
ike=AES256-SHA1-MODP768<br>
esp=AES256-MD5-96<br>
dpddelay=10<br>
dpdtimeout=15<br>
keyingtries=%forever<br>
keylife=24h<br>
ikelifetime=8h<br>
rekey=no<br>
rekeymargin=9m<br>
pfs=yes<br>
auto=add<br>
<br>
<br>
<br>
<big>gateway 2 config</big><br>
=======<br>
ipsec.conf<br>
=======<br>
<br>
version 2.0<br>
<br>
config setup<br>
interfaces="ipsec0=lo ipsec1=eth2"<br>
protostack=klips<br>
klipsdebug=none<br>
plutodebug=all<br>
uniqueids=yes<br>
plutostderrlog="/tmp/ipsec.log"<br>
<br>
conn %default<br>
type=tunnel<br>
auth=esp<br>
authby=secret<br>
<br>
include /etc/ipsec.d/conf/ipsec.*.conf<br>
include /etc/ipsec.d/conf/site.*.conf<br>
<br>
=============<br>
site.gateway2.conf<br>
=============<br>
conn site_192.168.1.0_24-192.168.123.0_24<br>
left=10.29.3.195<br>
leftsubnet=192.168.1.0/24<br>
right=10.29.3.225<br>
rightsubnet=192.168.123.0/24<br>
ike=AES256-SHA1-MODP1536<br>
esp=AES256-MD5-96<br>
dpddelay=10<br>
dpdtimeout=15<br>
keyingtries=%forever<br>
keylife=24h<br>
ikelifetime=8h<br>
rekey=no<br>
rekeymargin=9m<br>
pfs=yes<br>
auto=add<br>
<br>
<br>
<big><big>Test scenario 2:</big></big><br>
<br>
The same esp but different ike configuration between two gateways.<br>
For example gateway1's ike=3des-md5, gateway2's ike=aes256-shal (ike
group is the same)<br>
<br>
Test procedure:<br>
1. Initiator from gateway1 ike=3des-md5, test result please see
attached file-name: ipsec-ike-diff-group-init-by-3des-md5.log<br>
2. Initiator from gateway2 ike=aes256-sha1, test result
please see attached file-name:
ipsec-ike-same-group-init-by-aes256-sha1.log<br>
<br>
Seems the negotiated configuration will fallow the initiator if the
configuration between two gateways is not the same.<br>
<big><br>
</big><br>
<br>
On 03/02/2010 03:39 PM, mix.kao wrote:
<blockquote cite="mid:4B8CC095.4070205@cipherium.com.tw" type="cite">
<pre wrap="">Ok, i will do some more test and report later
Thanks.
On 03/02/2010 12:39 AM, Paul Wouters wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Mon, 1 Mar 2010, mix.kao wrote:
</pre>
<blockquote type="cite">
<pre wrap="">the ike option is difference between two gateways, but seems the
connection is still can build.
</pre>
</blockquote>
<pre wrap="">
Hmm, that's not supposed to happen. Though we might always allow a
bigger modp group.
Can you tell me the version of openswan on each end? And can you do a
test from the
modp768 end as initiator and a test with the modp1536 as initiator?
And if either of those
work, redo it with plutodebug=all and mail me the logs? (or start a
new bug on bugs.openswan.org
and attach the logs there?)
Thanks,
</pre>
<blockquote type="cite">
<pre wrap="">gateway1: ipsec whack --status
000 "site_192.168.123.0_24-192.168.1.0_24":
192.168.123.0/24===10.29.3.225<10.29.3.225>[+S=C]...10.2.3.156<10.2.3.156>[+S=C]===192.168.1.0/24;
erouted; eroute owner: #6
000 "site_192.168.123.0_24-192.168.1.0_24": myip=unset;
hisip=unset; myup=/ramfs/ipsec/bin/_updown;
hisup=/ramfs/ipsec/bin/_updown;
000 "site_192.168.123.0_24-192.168.1.0_24": ike_life: 28800s;
ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "site_192.168.123.0_24-192.168.1.0_24": policy:
PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+IKEv2ALLOW+lKOD+rKOD; prio:
24,24; interface: eth2;
000 "site_192.168.123.0_24-192.168.1.0_24": dpd: action:clear;
delay:10; timeout:15;
000 "site_192.168.123.0_24-192.168.1.0_24": newest ISAKMP SA: #0;
newest IPsec SA: #6;
000 "site_192.168.123.0_24-192.168.1.0_24": IKE algorithms wanted:
AES_CBC(7)_128-SHA1(2)-MODP1536(5); flags=-strict
000 "site_192.168.123.0_24-192.168.1.0_24": IKE algorithms found:
AES_CBC(7)_128-SHA1(2)_160-5,
000 "site_192.168.123.0_24-192.168.1.0_24": ESP algorithms wanted:
AES(12)_256-SHA1(2); flags=-strict
000 "site_192.168.123.0_24-192.168.1.0_24": ESP algorithms loaded:
AES(12)_256-SHA1(2)_096
000 "site_192.168.123.0_24-192.168.1.0_24": ESP algorithm newest:
AES_256-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #38: "site_192.168.123.0_24-192.168.1.0_24":500 STATE_MAIN_I1
(sent MI1, expecting MR1); EVENT_RETRANSMIT in 23s; nodpd; idle;
import:admin initiate
000 #38: pending Phase 2 for "site_192.168.123.0_24-192.168.1.0_24"
replacing #0
000 #6: "site_192.168.123.0_24-192.168.1.0_24":500 STATE_QUICK_R2
(IPsec SA established); EVENT_SA_EXPIRE in 83134s; newest IPSEC;
eroute owner; isakmp#5; idle; import:not set
000 #6: "site_192.168.123.0_24-192.168.1.0_24" used 48s ago;
<a class="moz-txt-link-abbreviated" href="mailto:esp.e6c8d0cd@10.2.3.156">esp.e6c8d0cd@10.2.3.156</a> <a class="moz-txt-link-abbreviated" href="mailto:esp.b3b17a68@10.29.3.225">esp.b3b17a68@10.29.3.225</a> <a class="moz-txt-link-abbreviated" href="mailto:tun.1003@10.2.3.156">tun.1003@10.2.3.156</a>
<a class="moz-txt-link-abbreviated" href="mailto:tun.1004@10.29.3.225">tun.1004@10.29.3.225</a> ref=7 refhim=5
000 #36: "site_192.168.123.0_24-192.168.1.0_24":500 STATE_MAIN_I1
(sent MI1, expecting MR1); EVENT_RETRANSMIT in 23s; nodpd; idle;
import:not set
000 #41: "site_192.168.123.0_24-192.168.1.0_24":500 STATE_MAIN_I1
(sent MI1, expecting MR1); EVENT_RETRANSMIT in 23s; nodpd; idle;
import:not set
000
gateway2: ipsec whack --status
000 "site_192.168.1.0_24-192.168.123.0_24":
192.168.1.0/24===10.2.3.156...10.29.3.225===192.168.123.0/24;
erouted; eroute owner: #7
000 "site_192.168.1.0_24-192.168.123.0_24": srcip=unset;
dstip=unset; srcup=/ramfs/bin/ipsec_updown.exe;
dstup=/ramfs/bin/ipsec_updown.exe;
000 "site_192.168.1.0_24-192.168.123.0_24": ike_life: 28800s;
ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "site_192.168.1.0_24-192.168.123.0_24": policy:
PSK+ENCRYPT+TUNNEL+PFS+DONTREKEY+UP+failureDROP; prio: 24,24;
interface: eth2;
000 "site_192.168.1.0_24-192.168.123.0_24": dpd: action:clear;
delay:10; timeout:15;
000 "site_192.168.1.0_24-192.168.123.0_24": newest ISAKMP SA: #0;
newest IPsec SA: #7;
000 "site_192.168.1.0_24-192.168.123.0_24": IKE algorithms wanted:
7_256-2-5, 7_256-2-2, 7_256-2-1, flags=strict
000 "site_192.168.1.0_24-192.168.123.0_24": IKE algorithms found:
7_256-2_160-5, 7_256-2_160-2, 7_256-2_160-1,
000 "site_192.168.1.0_24-192.168.123.0_24": ESP algorithms wanted:
12_256-2, ; pfsgroup=2; flags=strict
000 "site_192.168.1.0_24-192.168.123.0_24": ESP algorithms loaded:
12_256-2, ; pfsgroup=2; flags=strict
000 "site_192.168.1.0_24-192.168.123.0_24": ESP algorithm newest:
AES_256-HMAC_SHA1; pfsgroup=MODP1024
000
000 #7: "site_192.168.1.0_24-192.168.123.0_24":500 STATE_QUICK_I2
(sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 82340s;
newest IPSEC; eroute owner
000 #7: "site_192.168.1.0_24-192.168.123.0_24" used 27s ago;
<a class="moz-txt-link-abbreviated" href="mailto:esp.b3b17a68@10.29.3.225">esp.b3b17a68@10.29.3.225</a> <a class="moz-txt-link-abbreviated" href="mailto:esp.e6c8d0cd@10.2.3.156">esp.e6c8d0cd@10.2.3.156</a> <a class="moz-txt-link-abbreviated" href="mailto:tun.1004@10.29.3.225">tun.1004@10.29.3.225</a>
<a class="moz-txt-link-abbreviated" href="mailto:tun.1003@10.2.3.156">tun.1003@10.2.3.156</a>
On 03/01/2010 02:57 PM, Paul Wouters wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On Mon, 1 Mar 2010, mix.kao wrote:
</pre>
<blockquote type="cite">
<pre wrap="">i have a question about the openswan config.
I am trying to build a tunnel between two gateways.
gateway1's ike set to AES256-SHA1-MODP768
gateway2's ike set to AES128-SHA1-MODP1536
and finally the tunnel use ==> IKE algorithm newest:
AES_CBC_256-SHA1-MODP768
</pre>
</blockquote>
<pre wrap="">
I do not understand this.
If the two gateway's set an ike= option, ONLY that proposal is
allowed. If two
gateways set two different ike= options, they will never setup a
tunnel. If
the ike= options (and other options/auth) match, the tunnel will
work. If
you want to allow two proposals, you can allow them both. In your
example:
gateway2 would use: ike=AES256-SHA1-MODP768,AES128-SHA1-MODP1536
However note that modp768 does NOT WORK with opensan because it is
insecure. The minimum openswan will use is modp1024
Paul
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
_______________________________________________
<a class="moz-txt-link-abbreviated" href="mailto:Users@openswan.org">Users@openswan.org</a>
<a class="moz-txt-link-freetext" href="http://lists.openswan.org/mailman/listinfo/users">http://lists.openswan.org/mailman/listinfo/users</a>
Building and Integrating Virtual Private Networks with Openswan:
<a class="moz-txt-link-freetext" href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
<br>
</body>
</html>