[Openswan Users] Regarding Aggressive mode!!!

Nirmala Balu nirmala2005 at gmail.com
Thu Apr 6 14:13:05 CEST 2006


root at lac root]# ipsec auto --show --up lns-lac
+ exec
+ ipsec whack --name lns-lac --initiate
003 "lns-lac" #1: ASSERTION FAILED at spdb_struct.c:1233: trans->attr_cnt == 4
000 "lns-lac" #1: interface ipsec0/eth0 201.123.80.64
000 "lns-lac" #1: %myid = (none)
000 "lns-lac" #1: debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000 "lns-lac" #1:
000 "lns-lac" #1: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 "lns-lac" #1: algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 "lns-lac" #1: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 "lns-lac" #1: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 "lns-lac" #1:
000 "lns-lac" #1: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 "lns-lac" #1: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 "lns-lac" #1: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 "lns-lac" #1: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 "lns-lac" #1: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 "lns-lac" #1: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 "lns-lac" #1: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 "lns-lac" #1: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 "lns-lac" #1: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 "lns-lac" #1: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 "lns-lac" #1: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 "lns-lac" #1:
000 "lns-lac" #1: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,72} attrs={0,1,48}
000 "lns-lac" #1:
000 "lns-lac" #1: "lns-lac": 192.168.80.0/24===201.123.80.64[C=IN, ST=karnataka, L=Bangalore, O=BEL, OU=CRL, CN=lac, E=lac at bel.crl.co.in]...201.123.80.136[C=IN, ST=karnataka, L=Bangalore, O=BEL, OU=CRL, CN=@lns, E=lns at bel.crl.co.in]===192.168.100.0/24; unrouted; eroute owner: #0
000 "lns-lac" #1: "lns-lac":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "lns-lac" #1: "lns-lac":   CAs: 'C=IN, ST=karnataka, L=Bangalore, O=BEL, OU=CRL, CN=vpn, E=vpn at bel.crl.co.in'...'C=IN, ST=karnataka, L=Bangalore, O=BEL, OU=CRL, CN=vpn, E=vpn at bel.crl.co.in'
000 "lns-lac" #1: "lns-lac":   ike_life: 3600s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lns-lac" #1: "lns-lac":   policy: RSASIG+ENCRYPT+TUNNEL+DONTREKEY+UP+AGGRESSIVE+failurePASS; prio: 24,24; interface: eth0;
000 "lns-lac" #1: "lns-lac":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "lns-lac" #1: "lns-lac":   IKE algorithms wanted: 7_128-2-18, flags=-strict
000 "lns-lac" #1: "lns-lac":   IKE algorithms found:  7_128-2_160-18,
000 "lns-lac" #1: "lns-lac":   ESP algorithms wanted: 12_256-2, flags=-strict
000 "lns-lac" #1: "lns-lac":   ESP algorithms loaded: 12_256-2, flags=-strict
000 "lns-lac" #1:
000 "lns-lac" #1: #1: "lns-lac":500 STATE_AGGR_I1 (sent AI1, expecting AR1); EVENT_SO_DISCARD in -4s; nodpd
000 "lns-lac" #1:
+ echo = 3

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# KLIPS virtual interface bound to the physical NIC; the whack output
	# confirms it ("interface ipsec0/eth0 201.123.80.64").
	interfaces="ipsec0=eth0"
	# Full pluto and KLIPS debugging, presumably left on to chase the
	# aggressive-mode assertion in the log. Both produce very large logs.
	# "all" does not turn on the separate "private" flag (the flag list
	# whack prints is raw+crypt+parsing+...+x509 without it), but raw/crypt
	# still dump packet contents, so do not leave this on in production.
	plutodebug=all
	klipsdebug=all
	# Per ipsec.conf(5): a new automatically keyed connection using the same
	# participant ID replaces any existing one using that ID.
	uniqueids=yes
	#plutoload=%search
	#plutostart=%search
	# plutodebug / klipsdebug = "all", "none" or a combination from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 private"
	# eg:
	# plutodebug="control parsing"
	#
	# Only enable klipsdebug=all if you are a developer
	#
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# nat_traversal=yes
	# virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

# Add connections here

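# Certificate-authenticated site-to-site tunnel between the LNS (left,
# 192.168.100.0/24) and the LAC (right, 192.168.80.0/24). The definition is
# symmetric, so the same conn can be loaded on both gateways; pluto picks the
# local side from the interface address (the log on "lac" shows it as
# 201.123.80.64).
conn lns-lac
		left=201.123.80.136
		# Phase 1: AES-128 / SHA-1 / MODP-8192 (whack lists it as 7_128-2-18).
		# NOTE(review): the log's "ASSERTION FAILED at spdb_struct.c:1233:
		# trans->attr_cnt == 4" fires while this conn is initiated in
		# aggressive mode and the state then sits in STATE_AGGR_I1 with an
		# overdue event. The aggressive-mode proposal builder appears to
		# expect exactly four transform attributes, and AES with an explicit
		# key length carries an extra key-length attribute; re-testing with
		# ike=3des-sha-modp8192 would confirm or rule that out. TODO confirm.
		ike=aes128-sha-modp8192
		esp=aes256-sha1
		#left=10.0.0.2
		leftsubnet=192.168.100.0/24
		leftid=@lns
		# Public keys come from the X.509 certs; the private keys stay in
		# ipsec.secrets. The commented rsasigkey lines below are the public
		# halves in raw form (harmless to publish, but stale once certs are
		# used).
		leftrsasigkey=%cert
		leftcert=lns.pem
	#	leftrsasigkey=0sAQNQYhB/r+t10EderXvxqCPp0FkwVioHezF02vdIfBXFfrnyAQlkSZGbQvXfZz1eZDPaceCyCQoEqS2etvEeA56lulLPYjjoU4ne+t4rm2n7+QUkw9NMViPIlS8kfuAvL5UQ0HWDXL0vANVwmYDRipK92M+Yl29yte2E7XsW3MWURQ==
		# The gateways are on the same link, so each side's nexthop is the
		# peer itself.
		leftnexthop=201.123.80.64
		#leftnexthop=10.0.0.1
		right=201.123.80.64
		#right=10.0.0.1
		#rightsubnet=10.69.0.0/24
		rightsubnet=192.168.80.0/24
		rightid=@lac
		rightrsasigkey=%cert
		rightcert=lac.pem
	#	rightrsasigkey=0sAQPjkf+shqc1FvxUdVShlTsuKJIdZDkOFdZmF+eYvPziUzWIoWBQmldFMJ7YXcvsx/gWnGGgIn7HXJAnVzTR8HcIyaUtsRG44OvTP8pVBFQzwSKZaA5HuXMxJlSSyzXbz2n1AX1IFR1k0L+9Breem0CjQuTZsqEVfTsonnqZ1jXZIw==
		rightnexthop=201.123.80.136
		#rightnexthop=10.0.0.2
		authby=rsasig
		auth=esp
		compress=no
		# This side never initiates a rekey (policy shows DONTREKEY); once
		# ikelifetime/keylife expire the SAs lapse unless the peer rekeys.
		rekey=no
		# Aggressive mode sends the IDs in the clear (no identity
		# protection) and is the path that trips the assertion above; prefer
		# main mode (aggrmode=no) unless the peer requires aggressive.
		aggrmode=yes
		ikelifetime=1h
		keylife=1d
		# Fail closed. With the original "passthrough" (failurePASS in the
		# log's policy line) a failed negotiation lets 192.168.100.0/24 <->
		# 192.168.80.0/24 traffic leave unencrypted over the public path;
		# "drop" discards it instead.
		failureshunt=drop
		# Phase-2 PFS: compromise of the IKE SA no longer recovers ESP keys.
		# Both gateways must agree, which they do if they share this conn.
		pfs=yes
		# Not loaded by "ipsec setup"; it must be "ipsec auto --add"ed before
		# the --up shown in the log.
		auto=ignore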

# Manually keyed fallback between the same two gateways: no IKE, a fixed SPI
# and static ESP keys shared by both ends, so there is no rekeying and the
# same key is used for the life of the entry.
# NOTE(review): these keys were disclosed by being posted to a public list;
# generate fresh ones before this conn is used again. 3des-md5-96 is also a
# legacy choice compared with the aes256-sha1 used by conn lns-lac.
conn lns-lac-manual
		#left=10.0.0.2
		left=201.123.80.136
		leftsubnet=192.168.100.0/24
		leftnexthop=201.123.80.64
		right=201.123.80.64
		rightnexthop=201.123.80.136
		#leftnexthop=10.0.0.1
		#right=10.0.0.1
		rightsubnet=192.168.80.0/24
		#rightnexthop=10.0.0.2
		# Fixed SPI and keys: 3DES needs a 192-bit encryption key and
		# HMAC-MD5 a 128-bit authentication key.
		spi=0x500
		esp=3des-md5-96
		espenckey=0xd56486a7_ff483c4a_6928d78c_2ba7c6bd_43c746c0_38e44fdb
		espauthkey=0x0eeaa850_55351982_5ae5fd3e_d9ca609f	
				
#		# Earlier/sample addressing kept for reference; not active.
#		right=201.123.80.64
#		left=201.123.80.136
#		# Left security gateway, subnet behind it, nexthop toward right.
#		left=10.0.0.1
#		leftsubnet=172.16.0.0/24
#		leftnexthop=10.22.33.44
#		# Right security gateway, subnet behind it, nexthop toward left.
#		right=10.12.12.1
#		rightsubnet=192.168.0.0/24
#		rightnexthop=10.101.102.103
#		# To authorize this connection, but not actually start it, 
#		# at startup, uncomment this.
#		auto=add
# Disable Opportunistic Encryption: the no_oe.conf example turns off the
# built-in OE conns so pluto only negotiates the explicitly defined tunnels.
# Keep this unless OE is deliberately wanted.
include /etc/ipsec.d/examples/no_oe.conf


