[Openswan Users] config problem

Szentmarjay Tibor tiborlista at naplopok.hu
Tue Aug 23 15:35:20 CEST 2005


Hello,

I am quite a beginner in VPN. I had to set up a connection with these parameters:

Peer : xx.yyy.zz.vvv
Phase 1 parameters:
         encryption algorithm:   Three key triple DES
         hash algorithm:         Secure Hash Standard (SHA)
         authentication method:  Pre-Shared Key
         Diffie-Hellman group:   5 (1536 bit)
         lifetime:               18000 seconds, no volume limit
         Preshared key.

Phase 2 parameters:
         Security association lifetime: 4608000 kilobytes/3600 seconds
         PFS: Y
         Diffie-Hellman group:  5
         Transform set:  esp-3des esp-sha-hmac

Now I use this config file with Openswan 2.3.1; please correct me if there is something wrong, because the connection won't set up:
# /etc/ipsec.conf
version 2.0
config setup
         klipsdebug=all
         plutodebug=all

conn %default
         rightrsasigkey=%cert
         leftrsasigkey=%cert

conn block
         auto=ignore

conn clear
         auto=ignore

conn private
         auto=ignore

conn private-or-clear
         auto=ignore

conn clear-or-private
         auto=ignore

conn packetdefault
         auto=ignore

conn othernet
     left=my.ip.add.ress
     leftsubnet=my.ip.add.0/24
     leftnexthop=%defaultroute
     right=xx.yyy.zz.vvv
     rightsubnet=xx.yyy.zz.0/24
     rightnexthop=%defaultroute
     keyingtries=0
     pfs=yes
     auth=esp                    # or ah
     auto=start
     ike=3des-md5-modp1024
     esp=3des-md5
---------------------------------------
They sent me a secret key too. I put it into ipsec.secrets:
: RSA /etc/ipsec.d/private/teofilKey.pem

my.ip.add.ress xx.yyy.zz.vvv : PSK "zdmsEvs5zyasdasQ6ReiroibJK0tt45n"
----------------------------------------
Now, after start, the log says:
Aug 23 14:31:10 teofil ipsec_setup: KLIPS debug `all'
Aug 23 14:31:10 teofil ipsec_setup: KLIPS ipsec0 on eth0 my.ip.add.ress/255.255.255.0 broadcast my.ip.add.255
Aug 23 14:31:10 teofil ipsec_setup: ...Openswan IPsec started
Aug 23 14:31:10 teofil ipsec_setup: Starting Openswan IPsec 2.3.2x...
Aug 23 14:31:11 teofil ipsec__plutorun: 104 "othernet" #1: STATE_MAIN_I1: initiate
Aug 23 14:31:11 teofil ipsec__plutorun: ...could not start conn "othernet"
----------------------------------------
# ipsec auto --status
000 interface ipsec0/eth0 my.ip.add.ress
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "vodafone": my.ip.add.0/24===my.ip.add.112---my.ip.add.254...my.ip.add.254---xx.yyy.zz.vvv===xx.yyy.zz.0/24; prospective erouted; eroute owner: #0
000 "vodafone":     srcip=unset; dstip=unset
000 "vodafone":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vodafone":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "vodafone":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vodafone":   IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "vodafone":   IKE algorithms found:  5_192-1_128-2,
000 "vodafone":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "vodafone":   ESP algorithms loaded: 3_000-1, flags=-strict
000
000 #1: "othernet":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 28s; nodpd
000 #1: pending Phase 2 for "othernet" replacing #0
000

What is the problem and the solution? Or where is some RTFM for me?

Many many many thanks in advance
Tibor


-=o=-
Szentmarjay Tibor - http://tibu.naplopok.hu - mailto:tibor at naplopok.hu
ICQ UIN: 9774467 - Tel: (20) 9226659 - Skype:Szentmarjay.Tibor 
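A small check that a reader can run against a conn like the one above, added here as an example and not taken from the post or from Openswan itself: it parses the minimal ipsec.conf subset the post uses (top-level `conn`/`config` sections with indented key=value lines) and lists every way the conn's `ike=`/`esp=`/`authby=` settings differ from the Phase 1 and Phase 2 parameters the peer supplied. It assumes Openswan's documented proposal syntax (`ike=CIPHER-HASH-MODPGROUP`, `esp=CIPHER-HASH`), Openswan's defaults of `authby=rsasig` and `pfs=yes` when those keys are unset, and this example's own mapping of the peer's wording to Openswan names (SHA to `sha1`, group 5 to `modp1536`, Pre-Shared Key to `authby=secret`). `POSTED_CONF` is the conn as posted (address placeholders kept); `MATCHING_CONF` is a constructed conn whose proposals line up with the peer list, included so the check has something to pass on.

```python
"""Compare an Openswan ipsec.conf conn with a peer's stated IKE/IPsec parameters.

Added example, not code from the original post or from Openswan. Assumptions:
Openswan's proposal syntax ike=CIPHER-HASH-MODPGROUP and esp=CIPHER-HASH, its
defaults authby=rsasig and pfs=yes when unset, and this example's mapping of the
peer's names (SHA -> sha1, group 5 -> modp1536, Pre-Shared Key -> authby=secret).
"""

# Peer requirements as listed in the post, in Openswan names (mapping is an assumption).
PEER_PHASE1 = {"cipher": "3des", "hash": "sha1", "dh": "modp1536", "authby": "secret"}
PEER_PHASE2 = {"cipher": "3des", "hash": "sha1", "pfs": "yes"}

# The conn as posted (address placeholders kept as in the post).
POSTED_CONF = """\
version 2.0
config setup
         plutodebug=all

conn %default
         rightrsasigkey=%cert
         leftrsasigkey=%cert

conn othernet
     left=my.ip.add.ress
     right=xx.yyy.zz.vvv
     keyingtries=0
     pfs=yes
     auth=esp                    # or ah
     auto=start
     ike=3des-md5-modp1024
     esp=3des-md5
"""

# Constructed conn whose proposals match PEER_PHASE1/PEER_PHASE2, for comparison.
MATCHING_CONF = """\
conn othernet
     left=my.ip.add.ress
     right=xx.yyy.zz.vvv
     authby=secret
     pfs=yes
     auto=start
     ike=3des-sha1-modp1536
     esp=3des-sha1
"""


def parse_ipsec_conf(text):
    """Return {"conn NAME" / "config setup": {key: value}}.

    Section headers start at column 0; indented key=value lines belong to the
    current section; '#' starts a comment; other top-level lines (version 2.0)
    are skipped.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = (sections.setdefault(f"{kind} {name.strip()}", {})
                       if kind in ("conn", "config") else None)
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def parse_proposal(value, fields):
    """Split a proposal such as '3des-md5-modp1024' into named parts (None if absent)."""
    parts = value.split("-") if value else []
    parts += [None] * (len(fields) - len(parts))
    return dict(zip(fields, parts))


def check_conn(conn, peer1, peer2):
    """List every way the conn's proposals differ from the peer's parameters."""
    problems = []
    ike = parse_proposal(conn.get("ike", ""), ("cipher", "hash", "dh"))
    for key in ("cipher", "hash", "dh"):
        if ike[key] != peer1[key]:
            problems.append(f"ike {key}: have {ike[key]}, peer wants {peer1[key]}")
    # An unset authby means Openswan's default rsasig (assumption), not a PSK.
    authby = conn.get("authby", "rsasig")
    if authby != peer1["authby"]:
        problems.append(f"authby: have {authby}, peer wants {peer1['authby']}")
    esp = parse_proposal(conn.get("esp", ""), ("cipher", "hash"))
    for key in ("cipher", "hash"):
        if esp[key] != peer2[key]:
            problems.append(f"esp {key}: have {esp[key]}, peer wants {peer2[key]}")
    pfs = conn.get("pfs", "yes")  # Openswan default pfs=yes (assumption)
    if pfs != peer2["pfs"]:
        problems.append(f"pfs: have {pfs}, peer wants {peer2['pfs']}")
    return problems


def audit(text, name="othernet"):
    """Parse a config and return the mismatch list for one conn."""
    conn = parse_ipsec_conf(text).get(f"conn {name}", {})
    return check_conn(conn, PEER_PHASE1, PEER_PHASE2)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONF), ("matching", MATCHING_CONF)):
        print(label, "->", audit(text) or "no mismatches")
```

Run as-is, the posted conn reports four mismatches (IKE hash, IKE DH group, authentication method, ESP hash) and the matching conn reports none; the `ipsec auto --status` output above shows the same picture from Openswan's side, with `policy: RSASIG+...` and `IKE algorithms wanted: 5_000-1-2` (3DES, MD5, group 2) against a peer that lists SHA, group 5 and a pre-shared key.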