[Openswan Users] OpenSwan Configuration for Manual Keys

Jay Potter jpotter at science.edu
Fri Apr 14 15:38:33 CEST 2006


Brian,

I found my mistake with ipsec.secrets. The line needed to be at the 
top and look like the following:

172.21.210.2  172.21.210.3 :PSK  "latomalatomalatomalatoma"

So the ipsec now restarts without generating an error.

When I try the ping I get the following in the Secure Log

packet from 172.21.210.3:500:  ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 172.21.210.3:500:  ignoring Vendor ID payload [FRAGMENTATION]
packet from 172.21.210.3:500:  received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 172.21.210.3:500:  ignoring Vendor ID payload [Vid-Initial-Contact]
"sample" #1: responding to Main Mode
"sample" #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"sample" #1: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"sample" #1: sending notification NO_PROPOSAL_CHOSEN to 172.21.210.3:500

and then it repeats for each ping

So it has changed but still no connection.

Any other suggestions?

Jay

Brian Candler wrote:

>On Fri, Apr 14, 2006 at 10:39:40AM -0500, Jay Potter wrote:
>
>>Just getting started with openswan and trying to set up a simple VPN on 
>>my local network using manual PSKs. I am trying to connect to an XP client.
>>The Server is 172.21.210.2
>>the xp client is 172.21.210.3
>>
>>In my ipsec.conf
>>
>>   I have added
>>
>>conn sample
>>   left=172.21.210.2
>>   right=172.21.210.3
>>   spi=0x200
>>   esp=3des-sha1
>>   espenckey="la...ma"   (full key is 24 characters long, same as 
>>given to the Windows MMC)
>>   espauthkey="la..ma"   (full key is 24 characters long)
>>
>
>Windows doesn't support manual keying or assignment of SPI. You must use IKE
>to negotiate the keys automatically.
>
>Remove 'spi', 'espenckey', 'espauthkey'. The PSK which matches the one
>Windows uses is to be found in ipsec.secrets
>
>
>>   aggrmode=yes
>>   pfs = yes
>>
>
>Windows doesn't support aggrmode, you must leave it off. Windows can support
>pfs, but it needs special configuration to do so. Better to leave it off to
>start.
>
>At least, the above is true if you are using the Microsoft IPSEC client. If
>you're using some other software on the Windows side, then you should say
>what it is (but I probably can't help you, as I only know the MS IPSEC
>stack). But since you say MMC, I think you're using the MS IPSEC stack.
>
>Regards,
>
>Brian.
>
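The pluto lines Jay quotes are exactly what one triages when a Windows peer gets NO_PROPOSAL_CHOSEN. The script below is an added example, not part of the thread and not Openswan code: it parses those log lines (re-joined onto one line each, as pluto writes them, and with the transcription typos corrected), collects every proposal attribute pluto rejected for each state, and reports why Phase 1 failed. The names `triage`, `report`, the regexes and the sample text are this example's own. The only facts it relies on are what the log itself states: the peer offered DES-CBC, which Openswan does not support, and a Diffie-Hellman group outside MODP1024/MODP1536, so no Main Mode transform was acceptable. Because Openswan has no DES at all, that part cannot be fixed with an `ike=` line on the Linux side; the Windows IKE proposal has to be changed (3DES, and DH group 2, which is MODP1024). The NAT-T vendor ID line is flagged too, since "port floating is off" is harmless on one LAN but fatal once a NAT sits between the peers.

```python
"""Triage an Openswan pluto log for a failed IKE Phase 1 (Main Mode) negotiation.

Added example, not code from the mailing-list thread or from Openswan. It reads
the kind of lines pluto writes to the secure log, collects every proposal
attribute pluto rejected for each state ("conn" #n), and says why the peer got
NO_PROPOSAL_CHOSEN. Function and variable names are this example's own.
"""
import re

# Constructed sample: the lines quoted in the message above, re-joined onto
# one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
packet from 172.21.210.3:500:  ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
packet from 172.21.210.3:500:  ignoring Vendor ID payload [FRAGMENTATION]
packet from 172.21.210.3:500:  received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
packet from 172.21.210.3:500:  ignoring Vendor ID payload [Vid-Initial-Contact]
"sample" #1: responding to Main Mode
"sample" #1: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
"sample" #1: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
"sample" #1: sending notification NO_PROPOSAL_CHOSEN to 172.21.210.3:500
"""

# Line shapes seen in the log above. Pre-state lines start with "packet from",
# per-state lines with the quoted connection name and state number.
PACKET_RE = re.compile(r'^packet from (?P<peer>\S+):\s+(?P<msg>.*)$')
STATE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<num>\d+):\s*(?P<msg>.*)$')
UNSUPPORTED_RE = re.compile(r'^(?P<value>\S+) is not supported\.\s+Attribute (?P<attr>\S+)$')
ONLY_RE = re.compile(r'^only (?P<allowed>.+?) supported\.\s+Attribute (?P<attr>\S+)$')
NOTIFY_RE = re.compile(r'^sending notification (?P<notify>\S+) to (?P<peer>\S+)$')
VID_RE = re.compile(r'\[(?P<vid>[^\]]+)\]')


def triage(log_text):
    """Return ({(conn, num): state_info}, [warnings]) for the given pluto log text."""
    states = {}
    warnings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pkt = PACKET_RE.match(line)
        if pkt:
            msg = pkt.group('msg')
            # The peer announced NAT-T but this side has nat_traversal off:
            # harmless on one LAN, fatal once a NAT sits between the peers.
            if 'but port floating is off' in msg:
                vid = VID_RE.search(msg)
                warnings.append(f"{pkt.group('peer')} offered NAT-T "
                                f"({vid.group('vid') if vid else 'unknown VID'}) but nat_traversal is off")
            continue
        st_m = STATE_RE.match(line)
        if not st_m:
            continue
        key = (st_m.group('conn'), int(st_m.group('num')))
        st = states.setdefault(key, {'exchange': None, 'rejected': {}, 'notification': None})
        msg = st_m.group('msg')
        unsup = UNSUPPORTED_RE.match(msg)
        only = ONLY_RE.match(msg)
        notify = NOTIFY_RE.match(msg)
        if msg.startswith('responding to '):
            st['exchange'] = msg[len('responding to '):]
        elif unsup:
            # pluto names the rejected value and the attribute it arrived in.
            st['rejected'][unsup.group('attr')] = (
                f"peer offered {unsup.group('value')}, which this Openswan does not support")
        elif only:
            # pluto lists what it would have accepted; the offered value was outside it.
            st['rejected'][only.group('attr')] = (
                f"peer offered a value outside the supported set ({only.group('allowed')})")
        elif notify:
            st['notification'] = notify.group('notify')
    return states, warnings


def report(states, warnings):
    """Turn triage() output into human-readable lines."""
    out = []
    for (conn, num), st in sorted(states.items()):
        head = f'"{conn}" #{num}'
        if st['notification'] == 'NO_PROPOSAL_CHOSEN':
            out.append(f"{head}: {st['exchange'] or 'IKE'} failed with NO_PROPOSAL_CHOSEN; "
                       f"{len(st['rejected'])} attribute(s) of the peer's proposal rejected:")
            for attr, why in st['rejected'].items():
                out.append(f"    {attr}: {why}")
            out.append("    fix: change the peer's IKE proposal to values this side supports "
                       "(e.g. 3DES instead of DES, DH group 2 = MODP1024)")
        elif st['notification']:
            out.append(f"{head}: sent {st['notification']}")
        else:
            out.append(f"{head}: no failure notification seen")
    out.extend(f"warning: {w}" for w in warnings)
    return out


if __name__ == '__main__':
    print('\n'.join(report(*triage(SAMPLE_LOG))))
```

Run it against `/var/log/secure` (or wherever pluto logs on the box) by reading the file into `triage()` instead of `SAMPLE_LOG`; every state that ends in NO_PROPOSAL_CHOSEN comes out with the list of attributes that sank it, which is the list of things to change in the Windows IPsec policy's key exchange security methods.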


