[Openswan Users] aggressive mode isakmp and dh2 (MODP1024)

Michael mjm159 at ext.canterbury.ac.nz
Sun May 8 19:35:42 CEST 2005


Buaha!  I worked it out, although I have other problems now (naturally).
I just needed to change one line:

ike=3des-sha1-modp1024 # Rather obvious really

Now I'm getting ISAKMP Aggressive replies from the server back to the
linux client.  I'm battling another problem now "STATE_AGGR_I1: INVALID_HASH_INFORMATION", which I presume is a problem with the shared keys (not helped by the fact that I misspelt the name of one of the nodes in ipsec.secrets!). I'm sure I'll get to the bottom of it.

Thanks,
Michael.

On Sun, 2005-05-08 at 16:58 +1200, Michael wrote:
> Hi,
> 
> I'm a newcomer to ipsec on linux.  I'm currently trying to prove that
> the equipment that the company I work for makes is compatible with linux
> freeswan (it does not currently exist on the list of openswan supported
> products).  Ideally, to impress a few people, I need to get this working
> with aggressive mode and xauth (openswan at the client side).
> 
> From what I read xauth could be a problem, but I am still trying to
> overcome isakmp.  My device (the right side) reports that it is unhappy
> with the group description (DH 5) and so cannot proceed because the
> policy does not match what it is expecting.  My right hand side device
> does not support DH 5 but it does support DH 2.
> 
> I have googled and googled and googled again on this.  I cannot find a
> way to set DH 2 to be the first choice of the ipsec client.  Perhaps I
> am missing some fundamental piece of knowledge.  I would appreciate
> someone setting me straight!
> 
> Debian Linux with 2.6.8-2-686
> Linux Openswan U2.3.1/K2.6.8-2-686 (netkey)
> 
> /etc/ipsec.conf
> # basic configuration
> config setup
>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>         klipsdebug=all
>         # plutodebug="control parsing"
>         plutodebug=all
> 
> # Add connections here
> 
> conn test
>         left=10.10.10.1
>         leftsubnet=10.10.10.0/29
>         leftnexthop=10.10.10.2
>         leftid=@test_roam_usr
>         right=10.10.10.2
>         rightsubnet=10.10.10.0/29
>         rightnexthop=10.10.10.1
>         aggrmode=yes
>         ike=3des-sha1
>         xauth=yes
>         authby=secret
>         auto=start
> 
> /etc/ipsec.secrets
> 10.10.10.1 10.10.10.2: PSK "0xfk7fb35663a9fe857451d5bad9518fb74a4b67d1"
> : RSA   {
>         # RSA 1024 bits   michael   Sun May  8 15:41:41 2005
> 		blah blah blah
> 
> Regards and thanks in advance,
> Michael.
> 
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
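The fix in this thread comes down to the third field of the ike= line: openswan names the phase-1 Diffie-Hellman group there (modp1024 is IKE group 2, modp1536 is group 5), and a peer that only implements group 2 cannot agree with a proposal that leads with group 5. The script below is an added example, not code from the thread or from openswan: it reads one conn section out of ipsec.conf text, decodes each ike= proposal into its DH group number, and reports whether a peer with a given set of groups can reach agreement. The ipsec.conf fragment and the peer capability set are constructed to mirror the poster's situation, and the assumption that openswan of that era proposes modp1536 when no group is named is taken from what the thread reports, not from the openswan source.

```python
"""Parse an openswan ike= proposal and check its Diffie-Hellman group against
what the peer supports.

Added example, not code from the original thread or from openswan.  The
ipsec.conf text and the peer capability set are constructed to mirror the
thread: a peer that speaks DH group 2 but not group 5."""

# DH group names accepted in openswan's ike= line, mapped to the IKE group
# number (RFC 2409 / RFC 3526) and the modulus size in bits.
DH_GROUPS = {
    "modp1024": (2, 1024),
    "modp1536": (5, 1536),
    "modp2048": (14, 2048),
    "modp3072": (15, 3072),
    "modp4096": (16, 4096),
}

# Assumption consistent with the thread: when ike= names no modp group,
# openswan of that era proposes modp1536 (group 5) first.
DEFAULT_DH = "modp1536"

# Constructed ipsec.conf fragment carrying the poster's corrected ike= line.
SAMPLE_CONF = """\
config setup
        plutodebug=all

conn test
        left=10.10.10.1
        leftid=@test_roam_usr
        right=10.10.10.2
        aggrmode=yes
        ike=3des-sha1-modp1024   # DH group 2, the only group the peer accepts
        xauth=yes
        authby=secret
        auto=start
"""

PEER_GROUPS = {2}   # constructed: the peer supports DH group 2 only


def read_conn_options(conf_text, conn_name):
    """Return the key=value options of one 'conn <name>' section."""
    opts = {}
    in_conn = False
    for line in conf_text.splitlines():
        code = line.split("#", 1)[0].rstrip()   # drop trailing comments
        if not code.strip():
            continue
        if not code[0].isspace():
            # A non-indented line is a section header such as 'conn test'.
            in_conn = code.strip() == f"conn {conn_name}"
            continue
        if in_conn and "=" in code:
            key, _, value = code.strip().partition("=")
            opts[key.strip()] = value.strip()
    return opts


def parse_ike(ike_value):
    """Split 'enc-hash[-modpN][,...]' into proposals; a trailing '!' (strict) is allowed."""
    proposals = []
    for item in ike_value.rstrip("!").split(","):
        parts = item.strip().lower().split("-")
        if len(parts) < 2:
            raise ValueError(f"malformed proposal {item!r}")
        dh = parts[2] if len(parts) > 2 else DEFAULT_DH
        if dh not in DH_GROUPS:
            raise ValueError(f"unknown DH group {dh!r} in {item!r}")
        group, bits = DH_GROUPS[dh]
        proposals.append({"enc": parts[0], "hash": parts[1],
                          "dh": dh, "group": group, "bits": bits})
    return proposals


def acceptable_proposals(proposals, peer_groups):
    """Return the proposals whose DH group the peer supports, in offered order."""
    return [p for p in proposals if p["group"] in peer_groups]


def check_conn(conf_text, conn_name, peer_groups):
    """Summarise whether the conn's phase-1 proposals can reach agreement."""
    opts = read_conn_options(conf_text, conn_name)
    if "ike" not in opts:
        raise ValueError("no explicit ike= line; openswan's built-in default set is not modelled")
    proposals = parse_ike(opts["ike"])
    ok = acceptable_proposals(proposals, peer_groups)
    return {
        "offered": [p["dh"] for p in proposals],
        "accepted": [p["dh"] for p in ok],
        "agrees": bool(ok),
        # Groups below 2048 bits are flagged so the small group is chosen knowingly.
        "weak_dh": [p["dh"] for p in ok if p["bits"] < 2048],
    }


if __name__ == "__main__":
    # Before the fix (no group named): group 5 is offered and the peer rejects it.
    print(check_conn(SAMPLE_CONF.replace("-modp1024", ""), "test", PEER_GROUPS))
    # After the fix: group 2 is offered and accepted.
    print(check_conn(SAMPLE_CONF, "test", PEER_GROUPS))
```

The weak_dh field is the caveat a reviewer would raise: modp1024 is the smallest group in the table and is only worth offering when the peer genuinely cannot do better, and with aggrmode=yes and authby=secret the peer identity travels in the clear and the PSK-derived hash is visible to anyone on the path, so a long random PSK and main mode where the device allows it are the mitigations.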
