[Openswan Users] OpenSwan 2.3.1 - Problems with "IKE="

Cassio Bobsin Machado cassiobm at gmail.com
Thu Jul 14 18:07:52 CEST 2005


Hi there.

I've got a RH9 with openswan-2.3.1 configured.

I'm configuring a new VPN connection with a Cisco PIX. In fact, I
already have a VPN running with another Cisco PIX, using 3des-sha1. It
has worked fine for a few months, so I think that this problem is only with
the IPSEC.CONF.

I've got firewall rules adjusted for port 500 and protocols 50/51 for
the IPs of this new VPN I'm working on.

The problem is, this new connection requires usage of AES256, SHA1 and
MODP1024 but, when I try to insert ANYTHING with ike= in this new
connection, it simply doesn't parse correctly. Another problem is, I
can't get any log that shows what the problem is.

I've searched tons of documentation, each suggesting a possible IKE= for
this configuration.

My IPSEC.CONF for this new connection is...

conn tim
        auto=start
        type=tunnel
        #LEFT:Human
        left=200.192.***.***
        leftnexthop=%defaultroute
        leftsubnet=200.192.***.***/32
        #RIGHT:Tim
        right=200.179.***.***
        rightsubnet=200.179.***.***/24
        authby=secret
        keyexchange=ike
        pfs=no
        auth=esp
        esp=aes256-sha1-modp1024
        compress=no

When I try any of the following lines, I get nothing on IPSEC AUTO
-STATUS for this connection...
ike=aes
ike=aes128
ike=aes128-sha
ike=aes128-sha-modp1024
ike=aes128-sha1
ike=aes256
ike=aes256-sha
ike=aes256-sha1
ike=aes256-sha-modp1024
ike=aes256-sha1-modp1024
ike=aes128-sha-modp1024
ike=3des
ike=3des-sha
ike=3des-sha1
ike=3des-md5

When I remove this line containing "ike=*anything*", I get this on
IPSEC AUTO -STATUS...
000 "tim": 200.192.***.***/32===200.192.***.***---200.192.***.***...200.179.***.***===200.179.***.***/32;
prospective erouted; eroute owner: #0
000 "tim":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 0
000 "tim":   policy: PSK+ENCRYPT+PFS+UP; prio: 32,32; interface: eth0;
000 "tim":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #1: "tim" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 8s
000 #1: pending Phase 2 for "tim" replacing #0


At the Cisco PIX, log shows...

Reject Reason:             IKE failure
Source:                        ip_200.192.***.*** (200.192.***.***)
Destination:                  rjosun801 (10.112.***.***)
Encryption Scheme:      IKE
VPN Peer Gateway:      ip_200.192.***.*** (200.192.***.***)
IKE Initiator Cookie:       9ced1ab8389b0627
Information:                   IKE: Main Mode Failed to match
proposal: 3DES, MD5, Pre-shared secret, Group 5 (1536 bit)

--------------

Remember that they are waiting for an IKE request with AES256, SHA1 and
Group 2 (1024bit).

---------------
Only for illustration purposes, my other connection that works fine
is this one...
conn claro
        auto=start
        type=tunnel
        #LEFT:Human
        left=200.192.***.***
        leftnexthop=%defaultroute
        leftsubnet=200.192.***.***/32
        #RIGHT:Claro
        right=200.211.***.***
        rightnexthop=200.211.***.***
        rightsubnet=200.211.***.***/32
        authby=secret
        keyexchange=ike
        pfs=no
        auth=esp
        esp=3des-sha1
        compress=no
-----------------

Oh, and I've added the PSK in IPSEC.SECRETS, but I think this doesn't
have anything related to this problem.


Finally, my questions are...
Does IKE= still work in this version I'm using?
Is it possible to change IKE configuration? How?
Have I tried only nonexistent strings for this parameter?
Am I forgetting anything at all?


I thank you in advance for any help...


Best regards,

Cassio Bobsin Machado
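As an added illustration (not part of the original post and not Openswan code): a small Python checker that parses ike=/esp= proposal strings in the form used above (cipher-hash-modpN, comma-separated alternatives) and compares them with the proposal a PIX reports in its "Failed to match proposal" log line, so a mismatch like "aes256-sha1-modp1024" versus "3DES, MD5, Group 5" is visible before the tunnel is brought up. The alias tables, the fill-in defaults for an omitted hash or group, and the log-line regular expression are assumptions of this example; the MODP-to-group numbers follow RFC 2409 and RFC 3526.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Added example, not Openswan code. Group numbers follow RFC 2409 / RFC 3526;
# the alias tables and the defaults below are assumptions made for this script.
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}
CIPHER_ALIASES = {"aes": "aes128", "aes128": "aes128", "aes256": "aes256", "3des": "3des"}
HASH_ALIASES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}
DEFAULT_HASH, DEFAULT_GROUP = "sha1", 2  # assumed fill-ins when a field is omitted


@dataclass(frozen=True)
class Proposal:
    cipher: str
    integrity: str
    group: int  # IKE Diffie-Hellman group number


def _normalise(token: str) -> str:
    """Lower-case and drop punctuation so 'AES-256' and 'aes256' compare equal."""
    return re.sub(r"[^a-z0-9]", "", token.lower())


def parse_entry(entry: str) -> Proposal:
    """Parse one 'cipher[-hash][-modpN]' entry in the form used in ipsec.conf."""
    parts = entry.strip().rstrip("!").split("-")  # trailing '!' is the strict marker
    cipher = CIPHER_ALIASES.get(_normalise(parts[0]))
    if cipher is None or len(parts) > 3:
        raise ValueError(f"malformed proposal entry: {entry!r}")
    integrity, group = DEFAULT_HASH, DEFAULT_GROUP
    for token in parts[1:]:
        token = _normalise(token)
        if token in MODP_TO_GROUP:
            group = MODP_TO_GROUP[token]
        elif token in HASH_ALIASES:
            integrity = HASH_ALIASES[token]
        else:
            raise ValueError(f"unknown algorithm {token!r} in {entry!r}")
    return Proposal(cipher, integrity, group)


def parse_proposals(text: str) -> list[Proposal]:
    """Parse a comma-separated ike=/esp= value into its alternatives, in order."""
    return [parse_entry(e) for e in text.split(",") if e.strip()]


# Assumed shape of the PIX line: "proposal: <cipher>, <hash>, <auth>, Group <n> (...)".
PIX_RE = re.compile(r"proposal:\s*([^,]+),\s*([^,]+),.*?Group\s+(\d+)", re.IGNORECASE)


def parse_pix_log(line: str) -> Proposal:
    """Extract the proposal a PIX reports in a 'Failed to match proposal' line."""
    m = PIX_RE.search(line)
    if not m:
        raise ValueError("no proposal found in log line")
    cipher = CIPHER_ALIASES[_normalise(m.group(1))]
    integrity = HASH_ALIASES[_normalise(m.group(2))]
    return Proposal(cipher, integrity, int(m.group(3)))


def first_match(local: str, peer: Proposal) -> Proposal | None:
    """Return the first local alternative identical to the peer's, else None."""
    return next((p for p in parse_proposals(local) if p == peer), None)


def explain(local: str, peer: Proposal) -> list[str]:
    """One line per local alternative saying which fields differ from the peer's."""
    reasons = []
    for p in parse_proposals(local):
        diffs = [f"{f}: local {getattr(p, f)} vs peer {getattr(peer, f)}"
                 for f in ("cipher", "integrity", "group")
                 if getattr(p, f) != getattr(peer, f)]
        reasons.append("match" if not diffs else "; ".join(diffs))
    return reasons


if __name__ == "__main__":
    # Constructed inputs, using the shapes that appear in the post above.
    local_ike = "aes256-sha1-modp1024"
    pix_line = "proposal: 3DES, MD5, Pre-shared secret, Group 5 (1536 bit)"
    seen = parse_pix_log(pix_line)
    print("peer reported:", seen)
    print("first match:", first_match(local_ike, seen))
    for line in explain(local_ike, seen):
        print(" -", line)
```

Run it as-is to see the three-field mismatch between the configured AES256/SHA1/group 2 proposal and the 3DES/MD5/group 5 proposal in the PIX log; replace the constructed inputs with the real ike= value and log line to check any other pairing.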

