[Openswan Users] OpenSwan Configuration for Manual Keys

Jay Potter jpotter at science.edu
Fri Apr 14 14:55:00 CEST 2006


Ok, I've changed my ipsec.conf file; the section for conn is now as follows:

conn sample

In ipsec.secrets I added the line "la..ma" (full key is 24 characters long, same
as in Windows MMC).

When I restarted ipsec, I now get the following messages in the secure log
every 3 or 4 seconds.

"sample":  deleting connection
Restarting Pluto subsystem
Starting Pluto (Openswan Version 2.4.4 x.509-1.5.4 PLUTO_SENDS_VENDORID 
PLUTO_USES_KEYRR; Vendor ID 0Ez} FFFfgr_e)
Setting NAT-Traversal port-4500 floating to off
   port floating activation criteria nat_t=0/port_float=1
 including NAT-traversal patch (Version 0.6c) [disabled]
ike_Alg_register_end(); Activating OAKLEY_AES_CBC: ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=12159  (fd:6)      (This number is different every time)
Using Linux 2.6 IPsec interface code on 2.6.11-1.35_FC3
Could not change to directory '/etc/ipsec.d/cacerts'
added connection description "sample"
listening for IKE messages
FATAL ERROR: bind() failed in find_raw_ifaces4()>  Errno 98:  Address 
already in use
"sample" deleting connection

My IT guy loaded ipsec-tools and I had tried to get racoon to work; that
might be causing some sort of conflict.

Brian Candler wrote:

> On Fri, Apr 14, 2006 at 10:39:40AM -0500, Jay Potter wrote:
>> Just getting started with openswan and trying to set up a simple vpn
>> on my local network using manual PSKs. I am trying to connect to an
>> XP client.
>> The Server is
>> the xp client is
>> In my ipsec.conf
>>   I have added
>> conn sample
>>   left=
>>   right=
>>   spi=0x200
>>   esp=3des-sha1
>>   espenckey="la...ma"   ( full key is 24 characters long - same as 
>> given to windows MMC)
>>   espauthkey="la..ma"   ( full key is 24 characters long)
> Windows doesn't support manual keying or assignment of SPI. You must
> use IKE to negotiate the keys automatically.
> Remove 'spi', 'espenckey', 'espauthkey'. The PSK which matches the one
> Windows uses is to be found in ipsec.secrets.
>>   aggrmode=yes
>>   pfs = yes
> Windows doesn't support aggrmode, you must leave it off. Windows can
> support pfs, but it needs special configuration to do so. Better to
> leave it off to start.
> At least, the above is true if you are using the Microsoft IPSEC
> client. If you're using some other software on the Windows side, then
> you should say what it is (but I probably can't help you, as I only
> know the MS IPSEC stack). But since you say MMC, I think you're using
> the MS IPSEC stack.
> Regards,
> Brian.
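Brian's checklist, turned into a small linter so the two configs can be compared side by side. This is an illustration added to the thread, not code from the thread or from Openswan. It parses a "conn" section of ipsec.conf and the PSK lines of ipsec.secrets and reports the settings he says the Microsoft IPsec client cannot use. Assumptions: the sample configs, the 192.0.2.x addresses and every key string are constructed placeholders; the manual-keying option names spibase and ahkey come from Openswan's ipsec.conf(5) manual rather than from the thread; the secrets line format `LEFT RIGHT : PSK "..."` is the one documented in ipsec.secrets(5); and pfs is taken to default to yes, as it does in Openswan 2.x.

```python
"""Lint an Openswan 'conn' section plus ipsec.secrets for settings the
Microsoft IPsec client cannot use (manual keying, aggressive mode, PFS).

Illustration added to the thread; not Openswan code.  Sample inputs below
are constructed: the 192.0.2.x addresses and key strings are placeholders.
"""
import re
from typing import Dict, List, Optional

# Manual-keying options.  spi/espenckey/espauthkey are the ones from the
# thread; spibase and ahkey are other manual-keying options documented in
# Openswan's ipsec.conf(5).
MANUAL_KEY_OPTS = ("spi", "spibase", "espenckey", "espauthkey", "ahkey")

# ipsec.secrets line:  selectors : PSK "key"   (empty selector list = any peer)
SECRET_RE = re.compile(r'^(?P<sel>[^:]*):\s*PSK\s+"(?P<key>[^"]*)"\s*$')


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {option: value}} for every 'conn' section."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header ('conn NAME' or 'config setup'); only conn is kept.
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) == 2 else None
            if current is not None:
                sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def lint_windows_conn(conn: Dict[str, str]) -> List[str]:
    """Findings for a conn that must interoperate with the MS IPsec client."""
    findings: List[str] = []
    manual = [k for k in MANUAL_KEY_OPTS if k in conn]
    if manual:
        findings.append("manual keying: remove " + ", ".join(manual)
                        + " and let IKE negotiate the keys")
    if conn.get("aggrmode", "no").lower() == "yes":
        findings.append("aggrmode=yes: the MS IPsec client does not do aggressive mode")
    # Openswan defaults pfs to yes, so an absent key counts as on.
    if conn.get("pfs", "yes").lower() == "yes":
        findings.append("pfs is on: needs extra Windows configuration; start with pfs=no")
    return findings


def find_psk(secrets_text: str, left: str, right: str) -> Optional[str]:
    """Return the PSK whose selectors cover both endpoints, else None."""
    for raw in secrets_text.splitlines():
        m = SECRET_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue  # e.g. a bare key with no selectors and no PSK keyword
        sels = m.group("sel").split()
        if not sels or all(ep in sels or "%any" in sels for ep in (left, right)):
            return m.group("key")
    return None


def report(conf_text: str, secrets_text: str, name: str) -> List[str]:
    """Combine the conn lint with a check that ipsec.secrets holds a PSK."""
    conns = parse_ipsec_conf(conf_text)
    if name not in conns:
        return [f"conn {name!r} not found in ipsec.conf"]
    conn = conns[name]
    findings = lint_windows_conn(conn)
    if find_psk(secrets_text, conn.get("left", ""), conn.get("right", "")) is None:
        findings.append('no ipsec.secrets line of the form  LEFT RIGHT : PSK "..."  covers this pair')
    return findings


# Constructed samples: the conn as posted in the thread, then a corrected one.
BAD_CONF = """\
conn sample
  left=192.0.2.1
  right=192.0.2.2
  spi=0x200
  esp=3des-sha1
  espenckey="PLACEHOLDER-ENC-KEY-24CH"
  espauthkey="PLACEHOLDER-AUTH-KEY-24C"
  aggrmode=yes
  pfs = yes
"""
BAD_SECRETS = "PLACEHOLDER-PSK-24-CHARS\n"  # bare key, as in the post: not a valid entry

GOOD_CONF = """\
conn sample
  left=192.0.2.1
  right=192.0.2.2
  authby=secret
  esp=3des-sha1
  pfs=no
  auto=add
"""
GOOD_SECRETS = '192.0.2.1 192.0.2.2 : PSK "PLACEHOLDER-PSK-24-CHARS"\n'

if __name__ == "__main__":
    for label, conf, sec in (("as posted", BAD_CONF, BAD_SECRETS),
                             ("corrected", GOOD_CONF, GOOD_SECRETS)):
        print(label + ":", report(conf, sec, "sample") or ["OK"])
```

Run as a script it prints four findings for the posted conn (three manual-keying options, aggressive mode, PFS, and the bare key that is not a valid secrets entry) and OK for the corrected one. The racoon conflict in the log is a separate problem: a bare key in ipsec.secrets will not stop Pluto, but another IKE daemon already bound to UDP 500 will, which is what "Errno 98: Address already in use" reports.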
