[Openswan Users] Vigor2600 & Openswan 2.4.5rc5

Roberto Fichera kernel at tekno-soft.it
Mon Feb 20 18:58:06 CET 2006 

At 10.14 20/02/2006, Roberto Fichera wrote:
 >At 20.29 19/02/2006, Paul Wouters wrote:
 >
 > >On Sat, 18 Feb 2006, Roberto Fichera wrote:
 > >
 > >> does anyone have some tips for the Draytek Vigor2600 (v2.5.5.3_I
 >& v2.5.6_I)
 > >> and
 > >> Openswan interop because I'm getting some strance behaviour. The
 >tunnel stay
 > >> up
 > >> for about one or two ours than I start to get error and the
 >vigor2600 doesn't
 > >> reconnect :
 > >>
 > >> Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: responding to
 > >Main Mode
 > >> Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43:
 >OAKLEY_DES_CBC is not
 > >> supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
 > >> Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43:
 >OAKLEY_DES_CBC is not
 > >> supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
 > >> Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: only
 > >> OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute
 > >> AKLEY_GROUP_DESCRIPTION
 > >
 > >Change the IKE option in the "advanced" popup to not use 1DES. What is
 > >happening is that openswan as initiator works fine, but when the Vigor
 > >turns to become the initiator at next rekey, it fails because it is
 > >announcing 1DES insteaf of 3DES or AES?
 >
 >Ok! I'll try it!

I tried the configuration you suggest, but still the problem :-(!
On the Vigor side I changed:

Call direction: both
Idel timeout: 3600 (secs)

IPSec security method:
High(ESP): 3DES with Authentication

Advange Menu:
IKE phase 1 proposal: 3DES_MD5_G2
IKE phase 1 key lifetime: 28800 (default)
IKE phase 2 key lifetime: 3600 (default)

on /etc/ipsec.conf

basically I tried auto=add and auto=start (current config)
but the tunnel isn't rekeyed correctly.

Could you tell me what's the best configuration for the vigor2600?

Is the vigor2600 preferred to be the initiator and Openswan I had to
set auto=add, or Openswan must be the initiator?

 >
 > >
 > >Paul
 >
 >Roberto Fichera.
 >
 >_______________________________________________
 >Users at openswan.org
 >http://lists.openswan.org/mailman/listinfo/users
 >Building and Integrating Virtual Private Networks with Openswan:
 >http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
 >

Roberto Fichera.

More information about the Users mailing list