[Openswan Users] OpenSwan Configuration for Manual Keys
Jay Potter
jpotter at science.edu
Fri Apr 14 14:55:00 CEST 2006
Brian,
Ok, I've changed my ipsec.conf file; the section for conn is now as follows:

conn sample
    left=172.21.210.2
    right=172.21.210.3
    esp=3des-sha1

In ipsec.secrets I added the line:

172.21.210.2 172.21.210.3 "la..ma"

(The full key is 24 characters long, same as in Windows MMC.)
When I restarted ipsec I now get the following message in the secure log
every 3 or 4 seconds.
"sample": deleting connection
Restarting Pluto subsystem
Starting Pluto (Openswan Version 2.4.4 x.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID 0Ez} FFFfgr_e)
Setting NAT-Traversal port-4500 floating to off
port floating actiation criteria nat_t=0/port_fload=1
including NAT-traversal patch (Version 0.6c) [disabled]
ike_Alg_register_end(); Activating OAKLEY_AES_CBC: ok (ret=0)
starting up 1 cryptographic helpers
started helper ped=12159 (fd:6) (This number is different every time)
Using Linux 2.6 IPsec interface code on 2.6.11-1.35_FC3
Could not change to directory '/etc/ipsec.d/cacerts'
added connection description "sample"
listening for IKE messages
FATAL ERROR: bind() failed in find_raw_ifaces4()> Errno 98: Address
already in use
"sample" deleting connection
My IT guy loaded ipsec-tools and I had tried to get racoon to work; that
might be causing some sort of conflict.
Brian Candler wrote:
> On Fri, Apr 14, 2006 at 10:39:40AM -0500, Jay Potter wrote:
>
>
>> Just getting started with openswan and trying to set up a simple vpn
>> on my local network using manual PSKs I am trying to connect to an
>> XP client.
>> The Server is 172.21.210.2
>> the xp client is 172.21.210.3
>>
>> In my ipsec.conf
>>
>> I have added
>>
>> conn sample
>> left=172.21.210.2
>> right=172.21.210.3
>> spi=0x200
>> esp=3des-sha1
>> espenckey="la...ma" ( full key is 24 characters long - same as
>> given to windows MMC)
>> espauthkey="la..ma" ( full key is 24 characters long)
>>
>
>
> Windows doesn't support manual keying or assignment of SPI. You must use IKE
> to negotiate the keys automatically.
>
> Remove 'spi', 'espenckey', 'espauthkey'. The PSK which matches the one
> Windows uses is to be found in ipsec.secrets.
>
>
>
>> aggrmode=yes
>> pfs = yes
>>
>
>
> Windows doesn't support aggrmode, you must leave it off. Windows can support
> pfs, but it needs special configuration to do so. Better to leave it off to
> start.
>
> At least, the above is true if you are using the Microsoft IPSEC client. If
> you're using some other software on the Windows side, then you should say
> what it is (but I probably can't help you, as I only know the MS IPSEC
> stack). But since you say MMC, I think you're using the MS IPSEC stack.
>
> Regards,
>
> Brian.
>
>
>
>
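Added example, not part of the original post or of Openswan: a shell check for the "Address already in use" failure in the log above, assuming it comes from another daemon (racoon, as the poster suspects) already holding the IKE UDP ports 500/4500. The function names and the sample listing are constructed; the parser reads `ss -H -ulpn` or `netstat -ulnp` output.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post or the Openswan project).

# ike_port_owners: read `ss -H -ulpn` or `netstat -ulnp` lines on stdin and
# print "<port> <process>" for every socket bound to UDP 500 or 4500.
ike_port_owners() {
    awk '
    {
        port = ""
        # Local address is the first field ending in ":<digits>" (peer is ":*").
        for (i = 1; i <= NF; i++)
            if ($i ~ /:[0-9]+$/) { port = $i; sub(/.*:/, "", port); break }
        if (port != "500" && port != "4500") next
        owner = "unknown"                       # shown when not run as root
        if (match($0, /users:\(\("[^"]+"/))     # ss: users:(("racoon",pid=..))
            owner = substr($0, RSTART + 9, RLENGTH - 10)
        else if ($NF ~ /^[0-9]+\//) {           # netstat: 2211/racoon
            owner = $NF; sub(/^[0-9]+\//, "", owner)
        }
        print port " " owner
    }' | sort -u
}

# check_ike_ports: succeed when only pluto (or nothing) holds the IKE ports;
# otherwise print the conflicting owners and return 1.
check_ike_ports() {
    owners=$(ike_port_owners | grep -v ' pluto$' || true)
    [ -z "$owners" ] && return 0
    echo "$owners"
    return 1
}

# Constructed sample listing, not output from the poster's machine.
sample_listing() {
    cat <<'EOF'
UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("racoon",pid=2211,fd=7))
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("racoon",pid=2211,fd=8))
UNCONN 0 0 0.0.0.0:123 0.0.0.0:* users:(("ntpd",pid=901,fd=16))
udp 0 0 :::500 :::* 2211/racoon
EOF
}

# Demo on the sample; live use as root: ss -H -ulpn | check_ike_ports
sample_listing | check_ike_ports ||
    echo "IKE port held by a process other than pluto"
```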