[Openswan Users] config problem
Szentmarjay Tibor
tiborlista at naplopok.hu
Tue Aug 23 15:35:20 CEST 2005
Hello,
I am quite a beginner in VPN. I had to set up a connection with these
parameters:
Peer : xx.yyy.zz.vvv
Phase 1 parameters:
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard (SHA)
authentication method: Pre-Shared Key
Diffie-Hellman group: 5 (1536 bit)
lifetime: 18000 seconds, no volume limit
Preshared key.
Phase 2 parameters:
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS: Y
Diffie-Hellman group: 5
Transform set: esp-3des esp-sha-hmac
Now I use this config file with Openswan 2.3.1, please correct me, if
there is something wrong, because the connection won't set up:
# /etc/ipsec.conf
version 2.0
config setup
    klipsdebug=all
    plutodebug=all
conn %default
    rightrsasigkey=%cert
    leftrsasigkey=%cert
conn block
    auto=ignore
conn clear
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn packetdefault
    auto=ignore
conn othernet
    left=my.ip.add.ress
    leftsubnet=my.ip.add.0/24
    leftnexthop=%defaultroute
    right=xx.yyy.zz.vvv
    rightsubnet=xx.yyy.zz.0/24
    rightnexthop=%defaultroute
    keyingtries=0
    pfs=yes
    auth=esp # or ah
    auto=start
    ike=3des-md5-modp1024
    esp=3des-md5
---------------------------------------
They sent me a secret key too. I put it into ipsec.secrets:
: RSA /etc/ipsec.d/private/teofilKey.pem
my.ip.add.ress xx.yyy.zz.vvv : PSK "zdmsEvs5zyasdasQ6ReiroibJK0tt45n"
----------------------------------------
Now, after starting, the log says:
Aug 23 14:31:10 teofil ipsec_setup: KLIPS debug `all'
Aug 23 14:31:10 teofil ipsec_setup: KLIPS ipsec0 on eth0
my.ip.add.ress/255.255.255.0 broadcast my.ip.add.255
Aug 23 14:31:10 teofil ipsec_setup: ...Openswan IPsec started
Aug 23 14:31:10 teofil ipsec_setup: Starting Openswan IPsec 2.3.2x...
Aug 23 14:31:11 teofil ipsec__plutorun: 104 "othernet" #1:
STATE_MAIN_I1: initiate
Aug 23 14:31:11 teofil ipsec__plutorun: ...could not start conn "othernet"
----------------------------------------
# ipsec auto --status
000 interface ipsec0/eth0 my.ip.add.ress
000 %myid = (none)
000 debug
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64,
keysizemin=168, keysizemax=168
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
trans={0,0,0} attrs={0,0,0}
000
000 "vodafone":
my.ip.add.0/24===my.ip.add.112---my.ip.add.254...my.ip.add.254---xx.yyy.zz.vvv===xx.yyy.zz.0/24;
prospective erouted; eroute owner: #0
000 "vodafone": srcip=unset; dstip=unset
000 "vodafone": ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "vodafone": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0;
000 "vodafone": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vodafone": IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "vodafone": IKE algorithms found: 5_192-1_128-2,
000 "vodafone": ESP algorithms wanted: 3_000-1, flags=-strict
000 "vodafone": ESP algorithms loaded: 3_000-1, flags=-strict
000
000 #1: "othernet":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 28s; nodpd
000 #1: pending Phase 2 for "othernet" replacing #0
000
What is the problem and the solution? Or where is some RTFM for me?
Many many many thanks in advance
Tibor
-=o=-
Szentmarjay Tibor - http://tibu.naplopok.hu - mailto:tibor at naplopok.hu
ICQ UIN: 9774467 - Tel: (20) 9226659 - Skype:Szentmarjay.Tibor
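Added example (not from the post and not Openswan's own code): a small Python checker that parses a conn like the one above and lists where its ike=/esp= proposals, PFS group and authentication method differ from the Phase 1/2 parameters the peer requires. SAMPLE_CONF and PEER are constructed from the values in the post, and the handling of the authby and pfsgroup defaults is an assumption.

```python
# Peer requirements transcribed from the post (DH group 5 = modp1536, "SHA" = sha1).
PEER = {"ike": ("3des", "sha1", "modp1536"), "esp": ("3des", "sha1"),
        "pfsgroup": "modp1536", "authby": "secret"}

# Constructed ipsec.conf fragment mirroring the conn in the post (not the real file).
SAMPLE_CONF = """\
conn %default
    rightrsasigkey=%cert
    leftrsasigkey=%cert
conn othernet
    pfs=yes
    ike=3des-md5-modp1024
    esp=3des-md5
"""

def parse_conf(text):
    """Return {conn_name: {key: value}} for a minimal ipsec.conf; '#' starts a comment."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def split_proposal(spec):
    """'3des-md5-modp1024' -> ('3des', 'md5', 'modp1024'); a bare 'sha' is read as sha1."""
    return tuple("sha1" if p == "sha" else p for p in spec.lower().split("-"))

def check_conn(text, name):
    """List every way the conn's Phase 1/2 proposals and auth method differ from PEER."""
    conf = parse_conf(text)
    eff = {**conf.get("%default", {}), **conf.get(name, {})}  # conn inherits %default
    problems = []
    ike = split_proposal(eff.get("ike", ""))
    if ike != PEER["ike"]:
        problems.append(f"ike: have {'-'.join(ike)}, peer wants {'-'.join(PEER['ike'])}")
    esp = split_proposal(eff.get("esp", ""))[:2]
    if esp != PEER["esp"]:
        problems.append(f"esp: have {'-'.join(esp)}, peer wants {'-'.join(PEER['esp'])}")
    # Assumed: with pfs=yes and no pfsgroup=, Openswan reuses the Phase 1 DH group.
    pfsgroup = eff.get("pfsgroup", ike[2] if len(ike) > 2 else "")
    if eff.get("pfs", "yes") == "yes" and pfsgroup != PEER["pfsgroup"]:
        problems.append(f"pfsgroup: have {pfsgroup}, peer wants {PEER['pfsgroup']}")
    # Assumed: authby defaults to rsasig, matching the RSASIG policy in the status output.
    authby = eff.get("authby", "rsasig")
    if authby != PEER["authby"]:
        problems.append(f"authby: have {authby}, peer wants {PEER['authby']}")
    return problems
```

Running check_conn(SAMPLE_CONF, "othernet") reports four mismatches against the peer's listed parameters; a conn whose ike=, esp= and authby= match the peer returns an empty list.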