Paul,<br><br>I correct the command <b>leftxauthuser to </b><b>leftxauthusername and it works.</b><br><br>This is the currently log, can you tell me why the connection isn't work ?<br><br>I type the up command, but it not response: <br>
<br>000 using kernel interface: mast<br>000 interface mast0/vmnet1 192.168.201.1<br>000 interface mast0/vmnet1 192.168.201.1<br>000 interface mast0/vmnet8 192.168.38.1<br>000 interface mast0/vmnet8 192.168.38.1<br>000 interface mast0/ppp0 XXX.XXX.XXX.XXX<br>
000 interface mast0/ppp0 XXX.XXX.XXX.XXX<br>000 %myid = (none)<br>000 debug none<br>000 <br>000 virtual_private (%priv):<br>000 - allowed 3 subnets: <a href="http://10.0.0.0/8">10.0.0.0/8</a>, <a href="http://192.168.0.0/16">192.168.0.0/16</a>, <a href="http://172.16.0.0/12">172.16.0.0/12</a><br>
000 - disallowed 0 subnets: <br>000 WARNING: Disallowed subnets in virtual_private= is empty. If you have <br>000 private address space in internal use, it should be excluded!<br>000 <br>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192<br>
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128<br>000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64, keysizemin=96, keysizemax=448<br>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256<br>
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256<br>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256<br>000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<br>
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160<br>000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128<br>000 <br>000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128<br>
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192<br>000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128<br>
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128<br>000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128<br>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16<br>
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20<br>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32<br>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64<br>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024<br>
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536<br>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048<br>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072<br>
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096<br>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144<br>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192<br>
000 <br>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} <br>000 <br>000 "company": XXX.XXX.XXX.XXX<XXX.XXX.XXX.XXX>[+XC+S=C]...AAA.AAA.AAA.AAA<AAA.AAA.AAA.AAA>[+XS+S=C]; unrouted; eroute owner: #0<br>
000 "company": myip=unset; hisip=unset;<br>000 "company": xauth info: myxauthuser=myuser; <br>000 "company": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<br>
000 "company": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: ppp0; <br>000 "company": newest ISAKMP SA: #0; newest IPsec SA: #0; <br>000 <br>000 #2: "company":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 22s; nodpd; idle; import:admin initiate<br>
000 #2: pending Phase 2 for "company" replacing #0<br>000 <br><br><br>********Obs.: XXX.XXX.XXX.XXX = myIP and AAA.AAA.AAA.AAA is my CompanyVPN IP i replace the myuser too.<br><br>What's Wrong ?<br><br>
<div class="gmail_quote">2011/7/28 <a href="mailto:victorjabur@gmail.com">victorjabur@gmail.com</a> <span dir="ltr"><<a href="mailto:victorjabur@gmail.com">victorjabur@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hi Paul,<br><br>Very thanks for your help:<br><br>I made all changes that you suggest, now is happenning another error:<br><br><b>>>sudo ipsec setup --start<br>openswan failed to exec the requested action - the following error occured:<br>
can not load config '/etc/ipsec.conf': /etc/ipsec.conf:66: syntax error, unexpected STRING [leftxauthuser]</b><br><br>This is my new ipsec.conf:<br><br><br><br>config setup<br> interfaces="%defaultroute"<br>
protostack=. <br><div class="im"> klipsdebug=none<br> plutodebug=none<br> manualstart=<br> plutoload=<br><br></div>conn company<br> authby=secret<br> pfs=yes<br> keyexchange=ike<br> left=myIP<br>
leftxauthclient=yes <br>
<b> leftxauthuser= </b><br> right=MyCompanyIP<br> auto=start<br><br>------------------------------------------------------------------------------<br><br>This is my new ipsec.secrets:<br><br>@myuser : XAUTH "mypass"<br>
<br><br>Obs.:*** I delete this previous line: @groupcompany 999.999.999.999 : PSK "ab927263cc4654645f334"<br>And not, this is not my real secret, it's updated.<br><br><b>My Question: The above secret line should exists or remove it ?</b><br>
<br>Thanks;<br>Victor Jabur.<div><div></div><div class="h5"><br><br><div class="gmail_quote">2011/7/28 Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>On Thu, 28 Jul 2011, <a href="mailto:victorjabur@gmail.com" target="_blank">victorjabur@gmail.com</a> wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm trying to configure the openswan on my Linux Ubuntu 11.04 x64 machine to access the VPN Windows Checkpoint.<br>
<br>
I already installed openswan and the question is how correct configuration to make it.<br>
<br>
1) This is my /etc/ipsec.conf<br>
<br>
config setup<br>
interfaces="ipsec0=ppp0"<br>
klipsdebug=none<br>
plutodebug=none<br>
manualstart=<br>
plutoload=<br>
</blockquote>
<br></div>
Specify interfaces="%defaultroute" and protostack=. The ipsec0 interface is only available<br>
with protostack=klips not with protostack=netkey (the default kernel only supports netkey)<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn company<br>
type=tunnel<br>
left=%defaultroute<br>
leftid=@groupcompany <br>
leftxauthclient=yes<br>
right=999.999.999.999<br>
rightxauthserver=yes<br>
keyexchange=ike<br>
auth=esp<br>
pfs=no<br>
<br>
<br>
conn company_1<br>
left=%defaultroute<br>
leftid=@groupcompany<br>
leftxauthclient=yes<br>
right=999.999.999.999 # IP of VPN Server<br>
rightxauthserver=yes<br>
authby=secret<br>
auto=add<br>
<br>
</blockquote>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
2) This is my /etc/ipsec.secrets<br>
<br>
@groupcompany 999.999.999.999 : PSK "ab927263cc4654645f334"<br>
</blockquote>
<br></div>
If that is your production secret, please change it as you just posted it to everyone!!<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The only information that i have to connect on the VPN Server is:<br>
IP: 999.999.999.999<br>
Username: myuser<br>
Password: MyPass<br>
</blockquote>
<br></div>
Try using leftxauthuser= and add the passwd in ipsec.secrets:<br>
<br>
@myuser : XAUTH "MyPass"<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
There is any way to detect the problem ? Would you help me to make the correct configurations ?<br>
</blockquote>
<br></div>
Check /var/log/secure or /var/log/auth*<br><font color="#888888">
<br>
Paul<br>
</font></blockquote></div><br><br></div></div></blockquote></div>