[Openswan Users] OpenSwan Configuration for Manual Keys

Brian Candler B.Candler at pobox.com
Fri Apr 14 19:34:55 CEST 2006

On Fri, Apr 14, 2006 at 10:39:40AM -0500, Jay Potter wrote:
> Just getting started with openswan and trying to set up a simple  vpn on 
> my local network using manual PSKs  I am trying to connect to an XP client.
> The Server is
> the xp client is
> In my ipsec.conf
>    I have added
> conn sample
>    left=
>    right=
>    spi=0x200
>    esp=3des-sha1
>    espenckey="la...ma"   ( full key is 24 characters long - same as 
> given to windows MMC)
>    espauthkey="la..ma"   ( full key is 24 characters long)

Windows doesn't support manual keying or assignment of SPI. You must use IKE
to negotiate the keys automatically.

Remove 'spi', 'espenckey', 'espauthkey'. The PSK which matches the one
Windows uses is to be found in ipsec.secrets

>    aggrmode=yes
>    pfs = yes

Windows doesn't support aggrmode, you must leave it off. Windows can support
pfs, but it needs special configuration to do so. Better to leave it off to

At least, the above is true if you are using the Microsoft IPSEC client. If
you're using some other software on the Windows side, then you should say
what it is (but I probably can't help you, as I only know the MS IPSEC
stack). But since you say MMC, I think you're using the MS IPSEC stack.



More information about the Users mailing list