[Openswan Users]

Paul Wouters paul at xelerance.com
Wed Jan 12 21:23:14 CET 2005


On Wed, 12 Jan 2005, Pabby wrote:

> VPN scheme:	IKE
> Phase 1 authentication:		Shared secret - this will be
> communicated over the phone at time of connection
>>> Phase 1 algorithm:		Diffie-Hellman Group 2
>>> Phase 1 mode:		Main
>>> Phase 1 lifetime:		One day (1440 minutes, or 86400
> seconds)
>>> Phase 2 perfect forward secrecy:		No
> Phase 2 encapsulation:		ESP
>>> Phase 2 lifetime:		Eight hours (480 minutes, or
> 28800 seconds)
>>> Supports subnets:		Yes
>
>
> I've attached my ipsec.conf file please help as my job
> is about to be lost on this. this is extremly
> important to me.
>
> ipsec.conf
>
> config setup
>
>        interfaces=%defaultroute
>

Do NOT create empty lines or wrongly indented lines in the configuration file!
I hope this was the mailer wrapping and not your config file.

> conn %default
>   # How persistent to be in (re)keying negotiations (0 means very).
>        keyingtries=0
>   # Load all connection descriptions by default
>   # Some will override this with auto=start
>             authby=shared secret

Use authby=secret, not shared secret.

> 	      keyexchange=ike
>

No empty line.

>        auto=add

Do not put auto= in your default section.

> conn con1
>      # left security gateway
>        left=a.b.c.d
>      # next hop to reach right
>        leftnexthop=

Don't put empty options in a connection; comment them out instead.

>      # subnet behind left (omit if there is no
> subnet)
>        leftsubnet=<<client’s subnet>>
>      # right s.g., subnet behind it, and next hop to
> reach left
>        right=<<my Server address>>
>      # if using %defaultroute, skip rightnexthop
>        rightnexthop=<<my Router address>
>        rightsubnet=<<my subnet>>
>        auto=start

I am missing: pfs=no

Also, if it fails, check /var/log/messages and /var/log/secure (or daemon or
auth depending on your distro) and give us the exact error message.

Paul
-- 

"At best it is a theory, at worst a fantasy" -- Michael Crichton
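Pulling the peer's stated requirements and the corrections above together into one configuration, as an added example that is not from the thread or the Openswan project: the addresses and subnets are constructed placeholders, the 3DES/SHA1 cipher suite is an assumption (the thread names no cipher), and option names follow Openswan's ipsec.conf(5).

```ini
# /etc/ipsec.conf  (no blank lines or stray indentation inside a section)
config setup
        interfaces=%defaultroute

conn %default
        keyingtries=0
        authby=secret              # pre-shared key; "shared secret" is not a valid value
        keyexchange=ike
        # no auto= here: it belongs in each individual connection

conn con1
        left=a.b.c.d                    # peer's gateway, as written in the thread
        leftsubnet=192.0.2.0/24         # constructed placeholder for <<client's subnet>>
        # leftnexthop is omitted rather than left empty
        right=198.51.100.10             # constructed placeholder for <<my Server address>>
        rightnexthop=198.51.100.1       # constructed placeholder for <<my Router address>>
        rightsubnet=10.10.0.0/16        # constructed placeholder for <<my subnet>>
        # Phase 1: main mode is the default; Diffie-Hellman group 2 is modp1024.
        # 3des-sha1 is an assumption; the peer's sheet does not name the cipher.
        ike=3des-sha1-modp1024
        ikelifetime=24h                 # one day (86400 s); check your version's maximum in ipsec.conf(5)
        # Phase 2: ESP, eight-hour lifetime, no perfect forward secrecy
        esp=3des-sha1
        keylife=8h                      # 28800 s
        pfs=no                          # the option missing from the posted config
        auto=start

# /etc/ipsec.secrets  (readable by root only)
# "<my Server address> <peer address> : PSK" selects the key for this pair.
198.51.100.10 a.b.c.d : PSK "constructed-placeholder-for-the-secret-agreed-by-phone"
```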

