[Openswan Users] OpenSwan / Netopia R5100

Sumit Khanna sk1 at tigertranz.net
Mon Dec 12 15:30:28 CET 2005


I am currently trying to establish a connection between openSwan and a 
Netopia R5100 (firmware: 4.11.3)

The Netopia has two menus, one for Phase 1 profiles and one for Wan 
profiles (its name for Phase 2)

The Phase 1 has the following options with the following settings:

Mode: Main (choices are main and aggressive)
Authentication Method: Shared Secret (this is the only option on this 
Netopia)
Shared Secret: **my password**
Encryption algorithm: 3des (choices are des and 3des)
Hash algorithm: md5 (choices are md5/sha1)
Diffie-Hellman: Group 2 (1024 bits)

Advanced IKE1 options:
Negotiation: Normal (options initiate only/respond only)
SA Use policy: Newest SA immediately (options Old SA until expired)
Allow Dangling Phase 2 SA: Yes
Phase 1 SA lifetime in seconds: 3600
Phase 1 SA lifetime in kb: 0

Send Initial Contact Message: yes
Include Vendor ID payload: yes
Independent Phase-2 Re-keys: yes
Strict Port Policy: no

The Phase-2 profile looks like this:
Encapsulation Type: IPSec (options are PPP/HDLC/Frame Relay, etc)
Key Management: IKE (options IKE/Manual)
Encapsulation: ESP (options are ESP, AH ESP+AH)
ESP Encryption Transform: 3DES
ESP Authentication Transform: HMAC-MD5-96
SA Lifetime seconds: 28800
SA Lifetime kb: 0
Perfect Forward Secrecy: Yes
Dead Peer Detection: No

My ipsec.conf has the following:

version 2.0
config setup
        klipsdebug=all
        plutodebug=all
#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf
conn ipsec-vpn1
   left=x.x.x.x
   leftsubnet=192.168.42.0/24
   leftnexthop=%defaultroute
   right=y.y.y.y
   rightsubnet=192.168.12.0/24
   rightnexthop=%defaultroute
   keyexchange=ike
   auto=start
   authby=secret
   pfs=yes
   keylife=28800s
   ikelifetime=28800s
   compress=yes
   esp=3des-md5-96

Where x.x.x.x is my public IP and y.y.y.y is the Netopia's public IP

My ipsec.secrets file just has one line:
66.18.43.62: PSK "**my password here**"

Obviously with the **?** replaced with my shared secret.

However, when I start the daemon and run "ipsec auto --status" I get the 
following:
000 interface eth0/eth0 192.168.42.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 x.x.x.x
000 interface tun0/tun0 10.1.1.10
000 %myid = (none)
000 debug 
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, 
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, 
keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, 
keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} 
trans={0,1,108} attrs={0,1,72}
000
000 "ipsec-vpn1": 
192.168.42.0/24===x.x.x.x---68.60.0.1...68.60.0.1---y.y.y.y===192.168.12.0/24; 
prospective erouted; eroute owner: #0
000 "ipsec-vpn1":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "ipsec-vpn1":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 0
000 "ipsec-vpn1":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 
24,24; interface: eth1;
000 "ipsec-vpn1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "ipsec-vpn1":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "ipsec-vpn1":   ESP algorithms loaded: 3_000-1, flags=-strict
000
000 #1: "ipsec-vpn1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); 
EVENT_RETRANSMIT in 33s; nodpd
000 #1: pending Phase 2 for "ipsec-vpn1" replacing #0
000

The netopia gives me the following:

 12/12/05 14:33:04   Last message repeated 17 times
 12/12/05 14:04:18   IKE: phase 1 resend timeout sg y.y.y.y
 12/12/05 14:03:01   IPsec: VPN removed:


My firewall is down during this initial test. Is there something missing 
from my configuration file? What is keeping the connection from 
establishing?

Any help is appreciated
Sumit
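As an added check (not part of the post or of Openswan): a small script that parses the conn block above and lists the settings on which it disagrees with what the Netopia menus show. The peer values come from the post; treating the Netopia as offering no IPComp (so compress=no) is an assumption, and the conn copy is abridged to the lines the comparison uses.

```python
import re

# Constructed, abridged copy of the conn block from the post (IPs kept as placeholders).
IPSEC_CONF = """\
conn ipsec-vpn1
   left= x.x.x.x
   leftsubnet=192.168.42.0/24
   right=y.y.y.y
   rightsubnet=192.168.12.0/24
   pfs=yes
   keylife=28800s
   ikelifetime=28800s
   compress=yes
   esp=3des-md5-96
"""

# Peer (Netopia) values as listed in the post. "compress" is "no" because the
# Phase-2 profile shows no IPComp setting (assumption).
PEER = {"esp": "3des-md5-96", "pfs": "yes", "keylife_s": 28800,
        "ikelifetime_s": 3600, "compress": "no"}

def parse_conn(text, name):
    """Return the key/value pairs of one conn section, trimming stray spaces around '='."""
    conf, inside = {}, False
    for line in text.splitlines():
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf

def seconds(value):
    """Convert an ipsec.conf time such as 28800s, 8h or 1d to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def mismatches(conf, peer):
    """List the settings on which the local conn and the peer's profile disagree."""
    local = {"esp": conf.get("esp"), "pfs": conf.get("pfs", "no"),
             "compress": conf.get("compress", "no"),
             "keylife_s": seconds(conf.get("keylife", "8h")),           # Openswan default 8h
             "ikelifetime_s": seconds(conf.get("ikelifetime", "1h"))}   # Openswan default 1h
    return [k for k in peer if local[k] != peer[k]]

if __name__ == "__main__":
    print(mismatches(parse_conn(IPSEC_CONF, "ipsec-vpn1"), PEER))
```

The output lists only where the two sides differ; whether a given difference is what stops Phase 1 still has to be confirmed from the pluto log.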

