Hopefully this doesn't cause a new thread. If so, I apologize for spamming the group. I found something that I'm not liking at the moment with a simple ipsec whack --status. My questions are simply:<div><br></div>
<div>1) Are these algorithms compatible/consistent?</div><div>2) If not, what do my ike and phase2alg variables have to be set to?</div><div><br></div><div><div>000 "ec2check": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict</div>
<div>000 "ec2check": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-5, 3DES_CBC(5)_192-MD5(1)_128-2,</div><div>000 "ec2check": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict</div><div>
000 "ec2check": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128</div></div><div><br></div><div><div>conn ec2check</div><div> connaddrfamily=ipv4</div><div> type=tunnel</div><div> authby=secret</div>
<div> ike=3des-md5</div><div> Ikelifetime=86400s</div><div> phase2=esp</div><div> phase2alg=3des-md5</div><div> lifetime=28800s</div><div> forceencaps=yes</div></div><div><br></div>
<div>-James</div><div><br><br><div class="gmail_quote">On Thu, Sep 8, 2011 at 3:18 PM, James Nelson <span dir="ltr"><<a href="mailto:james.nelson.ii@gmail.com">james.nelson.ii@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
It seems as though things are getting close, but I'm stumped by this apparent disconnect between the .conf and .secrets files.<div><br></div><div>First, the error messages when I try to start up the connection:</div><div>
<br></div><div><div>Sep 8 19:51:18 pluto[3535]: "ec2check" #1: Can't authenticate: no preshared key found for `<EC2 ELASTIC IP>' and `<CLIENT GATEWAY>'. Attribute OAKLEY_AUTHENTICATION_METHOD</div>
<div>Sep 8 19:51:18 pluto[3535]: "ec2check" #1: no acceptable Oakley Transform</div><div>Sep 8 19:51:18 pluto[3535]: "ec2check" #1: sending notification NO_PROPOSAL_CHOSEN to <CLIENT GATEWAY>:500</div>
<div><br></div><div>The necessary lines in the .conf:</div><div><br></div><div><div> left=<EC2 LOCAL IP></div><div class="im"><div> leftid=<EC2 ELASTIC IP></div><div> leftnexthop=%defaultroute</div>
<div> leftsubnet=10.5.5.5/32</div>
<div> leftsourceip=10.5.5.5</div><div> right=<CLIENT GATEWAY></div></div><div> rightsubnet=<CLIENT ED>/24</div></div><div><br></div><div>And the line in the .secrets:</div><div><div><EC2 ELASTIC IP> <CLIENT GATEWAY>: PSK "HeyLookImStillAKey"</div>
</div><div><br></div><div>Anything wrong with these setups?</div><div><br></div><font color="#888888"><div>-James</div></font><div><div></div><div class="h5"><div><br></div><br><div class="gmail_quote">On Thu, Sep 8, 2011 at 2:38 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Thu, 8 Sep 2011, James Nelson wrote:<br>
<br>
</div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I appreciate the assistance; removing the modp or commenting out the phase2alg variable did nothing, but deleting the piece after<br>
"3des-md5" in the ike variable caused it to work. Is this going to cause trouble later down the road? <br>
</blockquote>
<br></div>
No it probably won't.<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Starting up the connection causes a hang, mainly from a "no preshared key found" error between the two ips that are located in<br>
the .secrets file. The error follows up with a "no acceptable Oakley Transform" and "no_proposal_chosen". Is it not reading the<br>
.secrets file correctly?<br>
</blockquote>
<br></div>
If you use leftid/rightid, those are the identifiers you need in ipsec.secrets. If you<br>
use IP addresses only, then those need to go in as identifiers. If you change ipsec.secrets<br>
then issue "ipsec secrets" or restart openswan.<br>
<br>
btw. I'm changing the reply-to: to go back to the list, as public discussions are how I distinguish<br>
between free and paid support.<br>
<br>
Cheers,<br><font color="#888888">
<br>
Paul</font><div><div></div><div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Cheers,<br>
-James<br>
<br>
On Thu, Sep 8, 2011 at 1:54 PM, Paul Wouters <<a href="mailto:paul@xelerance.com" target="_blank">paul@xelerance.com</a>> wrote:<br>
On Thu, 8 Sep 2011, James Nelson wrote:<br>
<br>
That would be a clever start :) I'm getting a no conn found when I enter the auto --up command, which I have to imagine means there is something wrong with the conn code. Am I writing the ike and phase two variables correctly? There is the following error in my log:<br>
Sep 7 20:18:06 ipsec__plutorun: 034 esp string error: Non alphanum or valid separator found in auth<br>
string, \<br>
just after "3des-md5" (old_state=ST_AA)<br>
<br>
<br>
try leaving out the modp specifier for the phase2/esp setting.<br>
<br>
You can test if the connection loads with "ipsec auto --add connname"<br>
<br>
Paul</blockquote></div></div></blockquote></div></div></div></div></blockquote></div>
</div>
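<div>The two rules Paul states above (the PSK index in ipsec.secrets must use leftid/rightid when they are set and the left/right addresses otherwise, and the modp specifier does not belong in the phase2/esp string) can be checked mechanically before restarting pluto. The script below is an added example written for this thread; it is not code from the thread or from Openswan. It parses a conn block and an ipsec.secrets file, reports a PSK whose index does not match the identifiers the conn presents, flags a modp suffix on phase2alg, and reduces the "IKE algorithms wanted/found" lines from ipsec whack --status to numeric (cipher, hash, group) ids so the two lines can be compared directly. The sample files use RFC 5737 documentation addresses and a placeholder PSK, and the parser assumes settings are indented under their conn header and that identifiers are plain IPv4 addresses.</div>

```python
import re

# Constructed sample files (documentation addresses, not the thread's hosts).
# As in the thread, left= is the instance's private address and leftid= its
# public one; phase2alg carries the modp suffix that produced the thread's
# "esp string error".
SAMPLE_CONF = """\
conn ec2check
 type=tunnel
 authby=secret
 left=10.0.0.5
 leftid=192.0.2.10
 leftnexthop=%defaultroute
 right=198.51.100.7
 rightsubnet=172.16.0.0/24
 ike=3des-md5-modp1536,3des-md5
 phase2=esp
 phase2alg=3des-md5-modp1536
"""
# Indexed by the private left= address: the lookup uses leftid, so pluto
# reports "no preshared key found".
BAD_SECRETS = '10.0.0.5 198.51.100.7 : PSK "EXAMPLE-PSK-REPLACE-ME"\n'
# Indexed by leftid and right (no rightid is set), as the lookup expects.
GOOD_SECRETS = '192.0.2.10 198.51.100.7 : PSK "EXAMPLE-PSK-REPLACE-ME"\n'

# The 'ipsec whack --status' lines quoted at the top of the thread.
WANTED_IKE = ('000 "ec2check": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), '
              '3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict')
FOUND_IKE = '000 "ec2check": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-5, 3DES_CBC(5)_192-MD5(1)_128-2,'

ALG_RE = re.compile(r"^([a-z0-9_]+)-([a-z0-9_]+)(?:-(modp\d+))?$")

def parse_conn(conf_text, name):
    """Settings of 'conn NAME' as a dict; settings must be indented under the header."""
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():            # unindented line: a new section header
            m = re.match(r"conn\s+(\S+)", line)
            inside = bool(m and m.group(1) == name)
            continue
        if inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_secrets(secrets_text):
    """[(set of index identifiers, psk), ...] for every PSK line in ipsec.secrets."""
    entries = []
    for raw in secrets_text.splitlines():
        m = re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"', raw.split("#", 1)[0].strip())
        if m:
            entries.append((set(m.group(1).split()), m.group(2)))
    return entries

def expected_ids(conn):
    """Identifiers used for the PSK lookup: leftid/rightid when set, else left/right."""
    return {conn.get("leftid") or conn.get("left"),
            conn.get("rightid") or conn.get("right")}

def find_psk(conn, secrets):
    """PSK whose index equals the conn's identifiers; an empty index is a wildcard."""
    want = expected_ids(conn)
    for ids, psk in secrets:
        if ids == want or not ids:
            return psk
    return None

def parse_alg(spec):
    """Split 'cipher-hash[-modpN],...' into (cipher, hash, group-or-None) tuples."""
    out = []
    for item in spec.split(","):
        m = ALG_RE.match(item.strip().lower())
        if not m:
            raise ValueError("cannot parse proposal %r" % item)
        out.append(m.groups())
    return out

def status_ids(line):
    """Reduce a whack --status proposal list to numeric id tuples.

    'wanted' names transforms with their ids (MODP1536(5)); 'found' adds key
    lengths and prints the group as a bare number (..._128-5). Both collapse
    to the same (cipher, hash, group) tuple, so the lines compare directly.
    """
    proposals = line.rpartition(":")[2].split(";")[0]   # drop prefix and flags=
    out = set()
    for prop in filter(None, (p.strip() for p in proposals.split(","))):
        ids = []
        for tok in prop.split("-"):
            m = re.search(r"\((\d+)\)", tok)
            ids.append(int(m.group(1)) if m else int(tok))
        out.add(tuple(ids))
    return out

def lint(conf_text, secrets_text, name):
    """List of problems for the conn; an empty list means the two files agree."""
    conn = parse_conn(conf_text, name)
    if not conn:
        return ["conn %s not found" % name]
    problems = []
    if conn.get("authby") == "secret" and find_psk(conn, parse_secrets(secrets_text)) is None:
        problems.append("no PSK in ipsec.secrets indexed by: %s"
                        % " ".join(sorted(expected_ids(conn))))
    if conn.get("phase2alg"):
        for _cipher, _hash, group in parse_alg(conn["phase2alg"]):
            if group:
                problems.append("phase2alg carries %s; drop the modp specifier from the ESP string" % group)
    return problems

if __name__ == "__main__":
    for problem in lint(SAMPLE_CONF, BAD_SECRETS, "ec2check"):
        print("problem:", problem)
    print("IKE wanted == found:", status_ids(WANTED_IKE) == status_ids(FOUND_IKE))
```

<div>Run against the sample files it reports both problems; with the secrets line re-indexed by leftid and the modp suffix removed from phase2alg it reports nothing, and the wanted and found IKE lines from the thread reduce to the same id tuples. After editing ipsec.secrets on a live system, the change still has to be loaded with "ipsec secrets" (or a restart) as described above.</div>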