[Openswan Users] OpenSwan Configuration for Manual Keys

Jay Potter jpotter at science.edu
Fri Apr 14 15:38:33 CEST 2006


I found my mistake with ipsec.secrets. The line needed to be at the
top and be like the following:

:PSK  "latomalatomalatomalatoma"

So the ipsec now restarts without generating an error.

When I try the ping I get the following in the Secure Log

packet from  Ignoring Vendor ID payload [MS NT5 
packet from  Ignoring Vendor ID payload [FRAGMENTATION]
packet from  received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from  ignoring Vendor ID payload 
"sample" #1: :responding to Main Mode
"Sample" #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"Sample" #1:  OAKLEY_DES_CBC is not supported.  Attribute 
"Sample" #1: sending notification NO_PROPOSAL_CHOSEN to 

and then it repeats for each ping

So it has changed but still no connection.

Any other suggestions?


Brian Candler wrote:

>On Fri, Apr 14, 2006 at 10:39:40AM -0500, Jay Potter wrote:
>>Just getting started with openswan and trying to set up a simple vpn on 
>>my local network using manual PSKs. I am trying to connect to an XP client.
>>The Server is
>>the xp client is
>>In my ipsec.conf
>>   I have added
>>conn sample
>>   left=
>>   right=
>>   spi=0x200
>>   esp=3des-sha1
>>   espenckey="la...ma"   ( full key is 24 characters long - same as 
>>given to windows MMC)
>>   espauthkey="la..ma"   ( full key is 24 characters long)
>Windows doesn't support manual keying or assignment of SPI. You must use IKE
>to negotiate the keys automatically.
>Remove 'spi', 'espenckey', 'espauthkey'. The PSK which matches the one
>Windows uses is to be found in ipsec.secrets
>>   aggrmode=yes
>>   pfs = yes
>Windows doesn't support aggrmode, you must leave it off. Windows can support
>pfs, but it needs special configuration to do so. Better to leave it off to
>At least, the above is true if you are using the Microsoft IPSEC client. If
>you're using some other software on the Windows side, then you should say
>what it is (but I probably can't help you, as I only know the MS IPSEC
>stack). But since you say MMC, I think you're using the MS IPSEC stack.
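As an added example (not from this list post or from Openswan itself), a small Python checker that reads Pluto log lines like the ones quoted above and reports, per connection, which Phase 1 attributes the peer proposed that Openswan rejected, which values it would have accepted, and the final notification sent. The sample lines, the peer address and the Attribute name on the DES line are constructed for the example.

```python
import re

# Constructed sample of Pluto log lines, modelled on the ones quoted in the
# post above (the peer address is a placeholder, not from the original).
SAMPLE_LOG = """\
"sample" #1: responding to Main Mode
"sample" #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"sample" #1: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"sample" #1: sending notification NO_PROPOSAL_CHOSEN to 192.0.2.10:500
"""

# Pluto prefixes connection-specific messages with "<conn>" #<state>:
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Peer proposed a single value Openswan will not accept for this attribute.
UNSUPPORTED_RE = re.compile(
    r'(?P<attr>OAKLEY_\w+) is not supported\.\s+Attribute (?P<kind>OAKLEY_\w+)')
# Peer proposed a value outside the accepted list for this attribute.
ONLY_RE = re.compile(
    r'only (?P<list>OAKLEY_\w+(?: and OAKLEY_\w+)*) supported\.\s+Attribute (?P<kind>OAKLEY_\w+)')
NOTIFY_RE = re.compile(r'sending notification (?P<notify>[A-Z_]+)')

# Transforms we additionally flag as weak if the peer offered them
# (assumption: this list is the example's own, not Openswan's).
WEAK_TRANSFORMS = {"OAKLEY_DES_CBC"}


def analyse_pluto_log(text):
    """Summarise Phase 1 rejections per connection name."""
    report = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # vendor ID chatter and other non-connection lines
        entry = report.setdefault(m["conn"], {
            "rejected": [], "supported": {}, "notify": None, "weak_proposed": []})
        msg = m["msg"]
        u = UNSUPPORTED_RE.search(msg)
        if u:
            entry["rejected"].append((u["kind"], u["attr"]))
            if u["attr"] in WEAK_TRANSFORMS:
                entry["weak_proposed"].append(u["attr"])
            continue
        o = ONLY_RE.search(msg)
        if o:
            entry["supported"][o["kind"]] = o["list"].split(" and ")
            continue
        n = NOTIFY_RE.search(msg)
        if n:
            entry["notify"] = n["notify"]
    return report
```

Run over the constructed sample, the report for "sample" shows DES rejected for the encryption attribute, only MODP1024/MODP1536 accepted for the DH group, and NO_PROPOSAL_CHOSEN as the outcome, which is what the XP client's default proposal triggers here.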
