[Openswan Users]

Paul Wouters paul at xelerance.com
Fri Sep 2 16:50:15 CEST 2005


On Fri, 2 Sep 2005, jack.li wrote:

What happens if you use pfs=no?

Paul

> Date: Fri, 2 Sep 2005 15:41:38 +0800
> From: jack.li <jack.li at 360degreeweb.com.cn>
> To: Users at openswan.org
> Subject: [Openswan Users]
> 
> hi!
>
>    I built a VPN tunnel between openswan-2.4.0 and winxp-sp2.
>
> my network topology:
>    192.168.1.89(winxp-sp2)===========192.168.1.83(openswan-2.4.0 in linux)
>
> I want to build a host-to-host VPN tunnel (192.168.1.83/32 -> 192.168.1.89/32).
> When testing, I find that IKE negotiation fails when IKE is started from openswan-2.4.0.
> If IKE is started from winxp-sp2, all is OK.
> Following is my configuration:
> ipsec.conf file:
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
>     interfaces=" ipsec0=eth0 "
>     klipsdebug=none
>     plutodebug=all
>     nat_traversal=yes
>     uniqueids=no
>
> conn %default
>     keyingtries=0
>     disablearrivalcheck=no
>
> conn conn1_ike1_1
>     auto=start
>     type=tunnel
>     keyexchange=ike
>     left=192.168.1.83
>     #leftsubnet=192.168.1.83/255.255.255.255
>     #rightsubnet=192.168.1.89/255.255.255.255
>     right=192.168.1.89
>     leftnexthop=192.168.1.89
>     ike=3des-sha-modp1024
>     authby=secret
>     dpddelay=30s
>     dpdtimeout=120s
>     keylife=28800
>     rekey=yes
>     rekeymargin=1m
>     ikelifetime=3600
>     esp=3des-sha1-96
>     pfs=yes
>
> ipsec.secrets file:
> 192.168.1.83 192.168.1.89 : "123456"
>
> When it fails, I find the ISAKMP SA established and the phase 2 state is "sent QI1, expecting QR1".
> In the /var/log/secret file, there is the message "ignoring informational payload, type INVALID_ID_INFORMATION".
>
> The attachment is the /var/log/secret file.
>
>
> When I test with winxp-sp1, there is no such issue.
>

-- 

"With Data mining, we can search specifically for clues"

--- The AIVD (The Dutch NSA) on the necessity of ISP's data retention
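As an added example, not part of this thread or of Openswan itself, the following Python script triages pluto log lines for the symptom described in the quoted report: ISAKMP SA established, phase 2 stuck at STATE_QUICK_I1, and an INVALID_ID_INFORMATION notify from the peer. The sample log lines are constructed in the style of pluto's `"conn" #N: message` output, not taken from the poster's attachment.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on pluto's log format (not the post's attachment);
# the first set mirrors the symptom in the post, the second a completed negotiation.
STALLED_LOG = """\
Sep  2 15:41:38 gw pluto[2048]: "conn1_ike1_1" #1: STATE_MAIN_I4: ISAKMP SA established
Sep  2 15:41:38 gw pluto[2048]: "conn1_ike1_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Sep  2 15:41:38 gw pluto[2048]: "conn1_ike1_1" #2: STATE_QUICK_I1: sent QI1, expecting QR1
Sep  2 15:41:39 gw pluto[2048]: "conn1_ike1_1" #1: ignoring informational payload, type INVALID_ID_INFORMATION
"""
UP_LOG = """\
Sep  2 15:50:01 gw pluto[2048]: "conn1_ike1_1" #1: STATE_MAIN_I4: ISAKMP SA established
Sep  2 15:50:01 gw pluto[2048]: "conn1_ike1_1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
"""
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
STATE_RE = re.compile(r'\b(STATE_(?:MAIN|QUICK)_\w+)\b')
NOTIFY_RE = re.compile(r'ignoring informational payload, type (\w+)')

def triage(log_text):
    """Collapse per-connection pluto lines into a negotiation status record."""
    conns = defaultdict(lambda: {"isakmp_sa": False, "ipsec_sa": False,
                                 "last_state": None, "notifies": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection pluto line
        info, msg = conns[m.group("conn")], m.group("msg")
        if "ISAKMP SA established" in msg:
            info["isakmp_sa"] = True   # phase 1 done
        if "IPsec SA established" in msg:
            info["ipsec_sa"] = True    # phase 2 done, tunnel usable
        st = STATE_RE.search(msg)
        if st:
            info["last_state"] = st.group(1)
        n = NOTIFY_RE.search(msg)
        if n:
            info["notifies"].append(n.group(1))  # notifies the peer sent us
    return dict(conns)

def diagnose(info):
    """Map a connection's status record to a short verdict."""
    if info["ipsec_sa"]:
        return "tunnel_up"
    if info["isakmp_sa"] and info["last_state"] == "STATE_QUICK_I1" and "INVALID_ID_INFORMATION" in info["notifies"]:
        # Phase 1 succeeded but the peer rejected our Quick Mode proposal: compare
        # phase 2 parameters (pfs, identities/selectors) on both ends, as in the thread.
        return "phase2_rejected_by_peer"
    if info["isakmp_sa"]:
        return "phase2_incomplete"
    return "phase1_failed"
```

Run `diagnose(info)` on each entry of `triage(open("/var/log/secure").read())` to get the verdict per connection; only the verdict and the notify list are printed, not secrets.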

