<font face="arial,helvetica,sans-serif">Hi</font><div><font face="arial,helvetica,sans-serif"><br></font></div><div><font face="arial,helvetica,sans-serif">Yes, the shared key line is formatted in the following way: </font>
<span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">1.2.3.4 </span><a href="http://5.6.7.8/" target="_blank" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">5.6.7.8</a><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px;background-color:rgb(255,255,255)">: PSK "sharedkey"</span> .</div>
<div><br></div><div>I changed auto=add to auto=start hoping it would help, but it didn't:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
ipsec auto --up conn<br>104 "conn" #1616: STATE_MAIN_I1: initiate<br>010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 20s for response<br>010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 40s for response<br>
031 "conn" #1616: max number of retransmissions (2) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message</blockquote><div><div><br></div><div>I'm not sure if that's correct: <span style="background-color:rgb(255,255,255);color:rgb(34,34,34);font-family:arial,sans-serif;font-size:13px">ike=aes256-sha1-modp1536, but if they say: </span><span style="background-color:rgb(255,255,255);color:rgb(80,0,80);font-family:arial,sans-serif;font-size:13px">Key Exchange Encryption: AES256 Data integrity: SHA1 and DH group 5, </span><span style="background-color:rgb(255,255,255);font-family:arial,sans-serif;font-size:13px">do you think this line is not correct (</span><span style="background-color:rgb(255,255,255);font-family:arial,sans-serif;font-size:13px">ike=aes256-sha1-modp1536)</span><span style="background-color:rgb(255,255,255);font-family:arial,sans-serif;font-size:13px">? I cannot influence that, I have to adjust...</span></div>
<div><span style="background-color:rgb(255,255,255);font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="background-color:rgb(255,255,255);font-family:arial,sans-serif;font-size:13px"><div>I am using: Linux Openswan U2.6.23/K2.6.32-31-server (netkey) Maybe the problem is that I am not using certificates but psk? How do I check if I can use klips (which I believe I should use instead of netkey).</div>
<div><br></div></span></div><div><br></div><div>Kind regards,</div><div>Jakub</div><br>
<br><br><div class="gmail_quote">2012/8/29 Roel van Meer <span dir="ltr"><<a href="mailto:roel.vanmeer@bokxing.nl" target="_blank">roel.vanmeer@bokxing.nl</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">Jakub Sobczak writes:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I have never setup a live openSwan VPN tunnel, so please be understanding =)<br>
I received the following config details to establish connection to the other<br>
company's gateway:<br>
<br>
Key Exchange Encryption: AES256 Data integrity: SHA1<br>
IKE SA renegotiation: 8 hrs Aggresive mode: No<br>
Use DH group: 1536 (group 5)<br>
Authentication: PSK<br>
<br>
IKE phase 2<br>
Data Encryption: AES256 Data integrity: SHA1<br>
IPSec SA renegotiation: 1 hr Aggresive mode: No<br>
Perfect forward secrecy: Yes<br>
Use DH group (Perfect forward secrecy) : 1536 (group 5)<br>
<br>
<br>
This is my config from ipsec.conf (below). Apart from that, I also have<br>
ipsec.secret with the following content: left_IP(mine)<br>
right_IP(othercompany) "PSK"<br>
</blockquote>
<br></div>
Just to be sure, the format of this needs to be:<br>
1.2.3.4 <a href="http://5.6.7.8" target="_blank">5.6.7.8</a>: PSK "sharedkey"<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
config setup<br>
nat_traversal=yes<br>
virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12" target="_blank">10.0.0.0/<u></u>8,%v4:192.168.0.0/16,%v4:172.<u></u>16.0.0/12</a><br>
oe=off<br>
protostack=klips<br>
conn abc<br>
#General<br>
keyingtries=1<br>
auto=add<br>
</blockquote>
<br></div>
If you specify "auto=add" the other end will have to initiate the connection. Can you post the logs that show what happens during this time?<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
#IKE Params<br>
authby=secret<br>
keyexchange=ike<br>
</blockquote>
<br>
This parameter does not occur in my manpage. Which version of openswan are you using?<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
ikelifetime=8h<br>
ike=aes256-sha1-modp1536<br>
#IPSec Params<br>
type=tunnel<br>
auth=esp<br>
pfs=yes<br>
compress=no<br>
keylife=60m<br>
esp=aes256-sha1<br>
#pfsgroup=modp1536<br>
# Left security gateway, subnet behind it, nexthop toward right.<br>
left=my_IP<br>
leftsubnet=<a href="http://192.168.5.1/32" target="_blank">192.168.5.1/32</a> <br>
right=other_comp_IP<br>
rightsubnet=some_subnet<br>
</blockquote>
<br></div>
As far as I can see, this is all correct.<br>
A general remark: in my experience it is often easier to begin with less specific configuration, for example:<br>
ike=aes<br>
instead of<br>
ike=aes256-sha1-modp1536<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The second phase does not seem to be established. What is wrong? I believe<br>
something with pfsgroup? How to properly set DH group?<br>
</blockquote>
<br></div>
Best regards,<br>
<br>
Roel<br>
</blockquote></div><br></div>