<font face="arial,helvetica,sans-serif">Each time I changed something I did:</font><div><font face="arial, helvetica, sans-serif"><br></font><div><font face="arial, helvetica, sans-serif"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
ipsec auto --delete conn<br>ipsec auto --add conn<br>ipsec auto --up conn</blockquote><div><br></div><div>But it seems that it has failed to work. After this command:</div><div><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif"><br>
</span></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="color:rgb(34,34,34);font-size:13px;font-family:arial,sans-serif">ipsec auto --rereadsecrets</span></blockquote>
</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">I think it has negotiated the first phase, but there seems to be a problem with the second phase.</font></div>
<div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
11:01:19.533205 IP remote-ip > my-ip.500: isakmp: phase 1 I ident<br>11:01:19.533365 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident<br>11:01:20.127518 IP remote-ip > my-ip.500: isakmp: phase 1 I ident<br>11:01:20.128536 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident<br>
11:01:20.210036 IP remote-ip > my-ip.500: isakmp: phase 1 I ident[E]<br>11:01:20.210213 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident[E]<br>11:01:20.303975 IP remote-ip > my-ip.500: isakmp: phase 2/others I oakley-quick[E]<br>
11:01:20.304176 IP my-ip.500 > remote-ip: isakmp: phase 2/others R inf[E]</blockquote></div><div><br></div><div>Thanks for the info about the UDP port, I was expecting it to rather look like this: 1.2.3.4:500 and not separated with the dot (.).</div>
<div><br></div></font><div><div>Regards,</div><div>Jakub </div><br>
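<div>
<p>The tcpdump excerpts in this thread can be read mechanically. The following Python is an added example, not code from the thread or from Openswan: it parses tcpdump's ISAKMP summary lines, splits the host.port notation (so 1.2.3.4.500 becomes address 1.2.3.4 and UDP port 500), and labels where the exchange stopped. The two constructed traces are the ones quoted in this thread; the stage labels and the rule that an informational ("inf") reply to a proposal means the responder did not continue that exchange are this example's own simplifications.</p>

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two tcpdump excerpts quoted in the thread,
# transcribed verbatim (hostnames are the placeholders the poster used).
TRACE_PHASE1_REJECTED = """\
10:37:17.007960 IP remote-ip.500 > my-ip.500 : isakmp: phase 1 I ident
10:37:17.008104 IP my-ip.500 > remote-ip.500 : isakmp: phase 1 R inf
"""

TRACE_PHASE2_REJECTED = """\
11:01:19.533205 IP remote-ip > my-ip.500: isakmp: phase 1 I ident
11:01:19.533365 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident
11:01:20.127518 IP remote-ip > my-ip.500: isakmp: phase 1 I ident
11:01:20.128536 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident
11:01:20.210036 IP remote-ip > my-ip.500: isakmp: phase 1 I ident[E]
11:01:20.210213 IP my-ip.500 > remote-ip: isakmp: phase 1 R ident[E]
11:01:20.303975 IP remote-ip > my-ip.500: isakmp: phase 2/others I oakley-quick[E]
11:01:20.304176 IP my-ip.500 > remote-ip: isakmp: phase 2/others R inf[E]
"""

# One tcpdump ISAKMP summary line: timestamp, endpoints, phase, I/R flag,
# exchange name and an optional [E] marker for an encrypted payload.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+)\s*: isakmp: "
    r"(?P<phase>phase 1|phase 2/others) (?P<role>[IR]) "
    r"(?P<exch>[a-z-]+)(?P<enc>\[E\])?$"
)


@dataclass
class IsakmpEvent:
    ts: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    phase: str
    role: str        # "I" initiator, "R" responder
    exch: str        # ident (main mode), oakley-quick (quick mode), inf (informational)
    encrypted: bool  # tcpdump's [E] marker


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """tcpdump writes host.port, so 1.2.3.4.500 is address 1.2.3.4, UDP port 500."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+)\.(\d+)", ep)
    if m:
        return m.group(1), int(m.group(2))
    if re.fullmatch(r"\d+\.\d+\.\d+\.\d+", ep):
        return ep, None          # bare IPv4 address, no port printed
    m = re.fullmatch(r"(.+)\.(\d+)", ep)
    if m:
        return m.group(1), int(m.group(2))
    return ep, None


def parse_trace(text: str) -> List[IsakmpEvent]:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-ISAKMP lines (ESP, DNS, ...) are ignored
        sh, sp = split_endpoint(m["src"])
        dh, dp = split_endpoint(m["dst"])
        events.append(IsakmpEvent(m["ts"], sh, sp, dh, dp, m["phase"],
                                  m["role"], m["exch"], m["enc"] is not None))
    return events


def diagnose(events: List[IsakmpEvent]) -> str:
    """Label where the exchange stopped, judged from the last packet seen."""
    if not events:
        return "no-isakmp-traffic"
    if not any(e.role == "R" for e in events):
        return "no-response"            # peer never answered: firewall/routing
    last = events[-1]
    if last.role == "I":
        return "awaiting-response"
    if last.phase == "phase 1":
        if last.exch == "inf":
            return "phase1-rejected"    # notification instead of main mode reply
        if last.exch == "ident" and last.encrypted:
            return "phase1-complete"    # encrypted identity exchange finished
        return "phase1-in-progress"
    if last.exch == "inf":
        return "phase2-rejected"        # quick mode proposal answered with a notification
    if last.exch == "oakley-quick":
        return "phase2-in-progress"
    return "phase2-other"


if __name__ == "__main__":
    for name, trace in (("first trace", TRACE_PHASE1_REJECTED),
                        ("second trace", TRACE_PHASE2_REJECTED)):
        print(name, "->", diagnose(parse_trace(trace)))
```

<p>Run on the two traces above it reports phase1-rejected for the first (the responder answered the very first main mode message with an informational, which matches the NO_PROPOSAL_CHOSEN log line further down) and phase2-rejected for the second (main mode completed, the quick mode proposal was not continued), so the next thing to compare is the phase 2 proposal (esp=, pfs=, pfsgroup=) rather than ipsec.secrets.</p>
</div>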
<br><br><div class="gmail_quote">2012/8/29 Roel van Meer <span dir="ltr"><<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Jakub Sobczak writes:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
tcpdump shows:<br>
<br>
10:37:17.007960 IP remote-ip.500 > my-ip.500 : isakmp: phase 1 I ident<br>
10:37:17.008104 IP my-ip.500 > remote-ip.500 : isakmp: phase 1 R inf<br>
<br>
I do not know where this .500 comes from, it looks like this: 1.2.3.4.500, but anyway it seems fine. What worries me however is:<br>
</blockquote>
<br></div>
.500 is the udp port that is used for setting up the connection.<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
104 "conn" #1806: STATE_MAIN_I1: initiate<br>
003 "conn" #1806: received Vendor ID payload [Dead Peer Detection]<br>
003 "conn" #1806: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]<br>
003 "conn" #1806: Can't authenticate: no preshared key found for `my-ip' and `remote-ip'. Attribute OAKLEY_AUTHENTICATION_METHOD<br>
</blockquote>
<br></div>
Ok, you do receive traffic from the remote, so the firewall is not the problem. It can't find a secret for your configured connection, however.<br>
Openswan does not pick up changes in your secrets file automatically.<br>
Have you restarted openswan since you put the secret in ipsec.secrets? You can also run<br>
ipsec auto --rereadsecrets<br>
to make sure Openswan picks up any changes there.<br>
<br>
Regards,<br>
<br>
Roel<div><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
003 "conn" #1806: no acceptable Oakley Transform<br>
214 "conn" #1806: STATE_MAIN_I1: NO_PROPOSAL_CHOSEN<br>
<br>
Again, my ipsec.secrets looks like this (copy-paste): <br>
my-ip remote-ip : PSK "some-presharedkey"<br>
<br>
What is going on? Maybe I have to install something?<br>
</blockquote>
<br>
<br>
<br>
</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Regards,<br>
Jakub <br>
<br>
<br>
<br><div>
2012/8/29 Roel van Meer <<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>><br>
<br>
Jakub Sobczak writes:<br></div>
Yes, the shared key line is formatted in the following way: 1.2.3.4 5.6.7.8: PSK "sharedkey". I changed auto=add to auto=start hoping it would help, but it didn't:<div>
<br>
ipsec auto --up conn<br>
104 "conn" #1616: STATE_MAIN_I1: initiate<br>
010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 20s for response<br>
010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 40s for response<br>
031 "conn" #1616: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message<br>
The other side is not responding. Your firewall might not be set up correctly. Can you see anything in the logs that indicate the other side is trying to make a connection? If not, you could try to see if there is traffic coming in from the other side.<br>
With a command like<br>
tcpdump -nli eth0 host 1.2.3.4<br>
(assuming eth0 is the network device of your internet connection, and replacing 1.2.3.4 by the ip address of the remote endpoint) you can see what is happening on the wire.<br>
Can you try to start the connection while running the tcpdump command and post its output?<br>
I'm not sure if that's correct: ike=aes256-sha1-modp1536, but if they say: Key Exchange Encryption: AES256 Data integrity: SHA1 and DH group 5, do you think this line is not correct (ike=aes256-sha1-modp1536)? I cannot influence that, I have to adjust...<br>
I am using: Linux Openswan U2.6.23/K2.6.32-31-server (netkey)<br>
Maybe the problem is that I am not using certificates but psk?<br>
The config details say that you need to use a shared key, so I assume the problem is not related to certificates.<br>
How do I check if I can use klips (which I believe I should use instead of netkey)?<br>
You are already using klips, since you have this in your config:<br>
protostack=klips<br>
Regards,<br>
Roel<br>
Kind regards,<br>
Jakub<br></div>
2012/8/29 Roel van Meer <<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>><div>
<br>
Jakub Sobczak writes:<br>
I have never set up a live openSwan VPN tunnel, so please be understanding =)<br>
I received the following config details to establish connection to the other<br>
company's gateway:<br>
Key Exchange Encryption: AES256 Data integrity: SHA1<br>
IKE SA renegotiation: 8 hrs Aggressive mode: No<br>
Use DH group: 1536 (group 5)<br>
Authentication: PSK<br>
IKE phase 2<br>
Data Encryption: AES256 Data integrity: SHA1<br>
IPSec SA renegotiation: 1 hr Aggressive mode: No<br>
Perfect forward secrecy: Yes<br>
Use DH group (Perfect forward secrecy) : 1536 (group 5)<br>
This is my config from ipsec.conf (below). Apart from that, I also have<br>
ipsec.secret with the following content: left_IP(mine)<br>
right_IP(othercompany) "PSK"<br>
Just to be sure, the format of this needs to be:<br></div>
1.2.3.4 5.6.7.8: PSK "sharedkey"<br>
config setup<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<div>
<br>
oe=off<br>
protostack=klips<br>
conn abc<br>
#General<br>
keyingtries=1<br>
auto=add<br>
If you specify "auto=add" the other end will have to initiate the connection. Can you post the logs that show what happens during this time?<br>
#IKE Params<br>
authby=secret<br>
keyexchange=ike<br>
This parameter does not occur in my manpage. Which version of openswan are you using?<br>
ikelifetime=8h<br>
ike=aes256-sha1-modp1536<br>
#IPSec Params<br>
type=tunnel<br>
auth=esp<br>
pfs=yes<br>
compress=no<br>
keylife=60m<br>
esp=aes256-sha1<br>
#pfsgroup=modp1536<br>
# Left security gateway, subnet behind it, nexthop toward right.<br>
left=my_IP<br></div>
leftsubnet=192.168.5.1/32<br>right=other_comp_IP<div>
<br>
rightsubnet=some_subnet<br>
As far as I can see, this is all correct.<br>
A general remark: in my experience it is often easier to begin with less specific configuration, for example:<br>
ike=aes<br>
instead of<br>
ike=aes256-sha1-modp1536<br>
The second phase does not seem to be established. What is wrong? I believe<br>
something with pfsgroup? How to properly set DH group?<br>
Best regards,<br>
Roel<br>
<br>
</div></blockquote>
</blockquote></div><br></div></div></div>
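<div>
<p>The quoted exchange turns twice on the ipsec.secrets index-list format (the "1.2.3.4 5.6.7.8: PSK ..." lines above) and on the pluto error "no preshared key found for `my-ip' and `remote-ip'". The following Python is an added example, not Openswan's code or anything from the thread: it parses the "indices : PSK "secret"" entries and picks the entry that covers a (local, remote) pair. The matching rule is a simplification stated as an assumption, not a transcript of pluto's logic: both endpoints must be covered, an exact ID beats %any, and an entry with no indices is a last resort. The sample file is constructed from the lines quoted in the thread plus one wildcard entry. The check says nothing about whether the running daemon has read the file; that is still what "ipsec auto --rereadsecrets" or a restart is for.</p>

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample file modelled on the two secrets lines quoted in the
# thread, plus a wildcard entry to show how matching prefers exact IDs.
SAMPLE_SECRETS = """\
# constructed ipsec.secrets for illustration
my-ip remote-ip : PSK "some-presharedkey"
1.2.3.4 5.6.7.8: PSK "sharedkey"
%any %any : PSK "fallback-for-any-peer"   # a wildcard entry
"""


@dataclass
class SecretEntry:
    indices: Tuple[str, ...]   # () means a default entry with no selectors
    kind: str                  # e.g. PSK, RSA
    secret: str
    lineno: int


# index list (anything up to the first colon), ':', secret type, value.
# Simplification: IPv6 indices (which contain colons) are not handled.
ENTRY_RE = re.compile(r'^(?P<idx>[^:]*):\s*(?P<kind>[A-Za-z]+)\s+(?P<val>\S.*)$')


def _strip_comment(raw: str) -> str:
    """Drop a trailing # comment, but not a # inside the quoted secret."""
    in_quotes = False
    for i, ch in enumerate(raw):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == '#' and not in_quotes:
            return raw[:i]
    return raw


def parse_secrets(text: str) -> List[SecretEntry]:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw).strip()
        if not line or line.startswith("include "):
            continue  # blank, comment-only, or include directive
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: expected 'index... : TYPE value', got {raw!r}")
        value = m["val"].strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]   # unquote the secret
        entries.append(SecretEntry(tuple(m["idx"].split()), m["kind"].upper(), value, lineno))
    return entries


def _match_score(entry: SecretEntry, local: str, remote: str) -> Optional[int]:
    """Assumed rule: each endpoint must be covered; exact ID scores 2,
    %any scores 1, a selector-less entry scores 0. None means no match."""
    if not entry.indices:
        return 0
    score = 0
    for who in (local, remote):
        if who in entry.indices:
            score += 2
        elif "%any" in entry.indices:
            score += 1
        else:
            return None
    return score


def find_psk(entries: List[SecretEntry], local: str, remote: str) -> Optional[SecretEntry]:
    """Best-scoring PSK entry for the pair, or None when nothing covers it."""
    best, best_score = None, -1
    for e in entries:
        if e.kind != "PSK":
            continue
        s = _match_score(e, local, remote)
        if s is not None and s > best_score:
            best, best_score = e, s
    return best


def explain(entries: List[SecretEntry], local: str, remote: str) -> str:
    """Phrase the result like the two outcomes visible in the thread's pluto log."""
    e = find_psk(entries, local, remote)
    if e is None:
        return f"no preshared key found for `{local}' and `{remote}'"
    return f"PSK for `{local}' and `{remote}' taken from ipsec.secrets line {e.lineno}"


if __name__ == "__main__":
    entries = parse_secrets(SAMPLE_SECRETS)
    print(explain(entries, "my-ip", "remote-ip"))
    print(explain(parse_secrets('my-ip remote-ip : PSK "k"\n'), "my-ip", "other-ip"))
```

<p>Feed it the real file (open("/etc/ipsec.secrets").read()) together with the left= and right= values of the connection; a None result reproduces the "no preshared key found" situation Roel describes, which is the case to fix in the file before looking at proposals.</p>
</div>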