[Openswan Users] OpenSwan Configuration for Manual Keys

Jay Potter jpotter at science.edu
Fri Apr 14 11:39:40 CEST 2006


Just getting started with openswan and trying to set up a simple VPN on 
my local network using manual PSKs. I am trying to connect to an XP client.
The server is 172.21.210.2
The XP client is 172.21.210.3

In my ipsec.conf I have added:

conn sample
    left=172.21.210.2
    right=172.21.210.3
    spi=0x200
    esp=3des-sha1
    espenckey="la...ma"   ( full key is 24 characters long - same as given to windows MMC)
    espauthkey="la..ma"   ( full key is 24 characters long)
    aggrmode=yes
    pfs = yes

I have specified the same PSK in the Windows client (it is using 3des-sha1).

When I restart ipsec I get the following in the secure log:

Starting Pluto (openswan Version 2.4.4 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR: Vendor ID 0Ez{FFFfgr_e
Setting NAT-Traversal port-4500 floating to off
    port floating activation criteria nat_t=0/port_fload=1
    including NAT-Traversal path (Version 0.6c) [disabled]
   ike_alg_register_ed(); Activating OAKLEY_AES_CBC: ok (ret=0)
starting up 1 crptographic helps
starting helper PID=4025 (fd:6)
Using Linux 2.6 IPsec inerface code on 2.6.11-1.35_FC3
Could not change to directory '/ect/ipsec.d/cacerts'
Could not change to directory 'etc/ipsec.d/aacerts'
Listening for IKE messages
adding interface eth0/eth0 172.21.210.2:500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"

So far so good (I think)

When I ping from 172.21.210.3 to 172.21.210.2 I get the following in the 
secure log:
packet from 172.21.210.3:500:  ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 172.21.210:3:500: ignoring Vendor ID payload [FRAGMENTATION]
packet from 172.21.210.3:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 172.21.210.3:500: ignoring Vendor ID payload [Vid-Initial-Contact]
packet from 172.21.210.3:500: initial Main Mode message receive on 172.21.210.2:500 but no connection has been authorized.

This set is repeated for each ping attempt, and finally:

packet from 172.21.210.3:500: ignoring Delete SA payload: not encrypted
packet from 172.21.210.3:500: received and ignored informational message.

I'm sure that I've done (or haven't done) something stupid, but what am I forgetting?

Jay
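As an added illustration (not code from this post or from Openswan), the script below checks a manual-keying conn block against the constraints Openswan documents for manual keying: the SPI must be at least 0x100, the keys use the 0x/0s/0t notation of ipsec_ttodata(3) and must match the transform's key size (24 bytes for 3DES, 20 bytes for HMAC-SHA1), and IKE negotiation options such as aggrmode and pfs have no effect on a manually keyed SA, since manual keying never runs Pluto's IKE exchange. The sample conn is constructed for the test and is not the poster's configuration.

```python
import base64
import re

# ESP key sizes in bytes: 3DES 192-bit, HMAC-SHA1 160-bit, HMAC-MD5 128-bit.
ENC_KEY_BYTES = {"3des": {24}, "aes": {16, 24, 32}}
AUTH_KEY_BYTES = {"sha1": {20}, "md5": {16}}
# IKE negotiation settings; a manually keyed SA never runs IKE.
IKE_ONLY = {"aggrmode", "pfs", "authby", "ikelifetime"}

# Constructed sample conn: correctly sized hex keys plus two IKE-only lines.
SAMPLE_CONN = ("conn sample\n    spi=0x200\n    esp=3des-sha1\n"
               "    espenckey=0x0123456789abcdef0123456789abcdef0123456789abcdef\n"
               "    espauthkey=0x0123456789abcdef0123456789abcdef01234567\n"
               "    aggrmode=yes\n    pfs = yes\n")

def parse_conn(text):
    """Collect the key=value lines of one conn block into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([a-z]+)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$', line, re.I)
        if m:
            conf[m.group(1).lower()] = m.group(2).strip()
    return conf

def decode_key(value):
    """Decode the 0x/0s/0t key notation of ipsec_ttodata(3); None if no prefix."""
    codecs = {"0x": bytes.fromhex, "0s": base64.b64decode, "0t": str.encode}
    fn = codecs.get(value[:2])
    return fn(value[2:]) if fn else None

def check_manual_conn(text):
    """Return the problems that would keep this conn from being keyed manually."""
    conf = parse_conn(text)
    problems = []
    if int(conf.get("spi", "0"), 0) < 0x100:
        problems.append("spi: must be at least 0x100")
    enc, _, auth = conf.get("esp", "").partition("-")  # e.g. "3des-sha1"
    for opt, algo, sizes in (("espenckey", enc, ENC_KEY_BYTES.get(enc)),
                             ("espauthkey", auth, AUTH_KEY_BYTES.get(auth))):
        if sizes is None:
            problems.append(f"{opt}: unsupported esp algorithm '{algo}'")
            continue
        key = decode_key(conf.get(opt, ""))
        if key is None:
            problems.append(f"{opt}: needs a 0x (hex), 0s (base64) or 0t (text) prefix")
        elif len(key) not in sizes:
            problems.append(f"{opt}: {algo} key must be {sorted(sizes)} bytes, got {len(key)}")
    for opt in sorted(IKE_ONLY & set(conf)):
        problems.append(f"{opt}: IKE setting, has no effect on a manually keyed SA")
    return problems
```

Run `check_manual_conn(open("/etc/ipsec.conf").read())` on just the conn block you mean to load with `ipsec manual --up`; an empty list means the keys and SPI are at least well-formed.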

