[Openswan Users] Vigor2600 & Openswan 2.4.5rc5

Ryley Breiddal rbreiddal at presinet.com
Mon Feb 20 11:45:10 CET 2006


Roberto Fichera wrote:
> At 10.14 20/02/2006, Roberto Fichera wrote:
> > At 20.29 19/02/2006, Paul Wouters wrote:
> >
> > > On Sat, 18 Feb 2006, Roberto Fichera wrote:
> > >
> > > > does anyone have some tips for the Draytek Vigor2600 (v2.5.5.3_I & v2.5.6_I)
> > > > and Openswan interop because I'm getting some strange behaviour. The
> > > > tunnel stays up for about one or two hours, then I start to get errors
> > > > and the vigor2600 doesn't reconnect:
> > > >
> > > > Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: responding to Main Mode
> > > > Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
> > > > Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: OAKLEY_DES_CBC is not supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
> > > > Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: only OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute OAKLEY_GROUP_DESCRIPTION
> > >
> > > Change the IKE option in the "advanced" popup to not use 1DES. What is
> > > happening is that openswan as initiator works fine, but when the Vigor
> > > turns to become the initiator at next rekey, it fails because it is
> > > announcing 1DES instead of 3DES or AES?
> >
> > Ok! I'll try it!
>
> I tried the configuration you suggest, but the problem is still there :-(!

I assume "the problem" isn't actually the same anymore, i.e. the log
isn't complaining about DES being set?  What does the log say now?

> On the Vigor side I changed:
> 
> Call direction: both
> Idle timeout: 3600 (secs)
> 
> IPSec security method:
> High(ESP): 3DES with Authentication
> 
> Advanced Menu:
> IKE phase 1 proposal: 3DES_MD5_G2
> IKE phase 1 key lifetime: 28800 (default)
> IKE phase 2 key lifetime: 3600 (default)
> 
> on /etc/ipsec.conf
> 
> basically I tried auto=add and auto=start (current config)
> but the tunnel isn't rekeyed correctly.
> 
> Does the vigor2600 prefer to be the initiator, so that I have to set
> auto=add on Openswan, or must Openswan be the initiator?

It should work both ways.  That being said, while you're testing this,
getting the vigor2600 to initiate the connection should make it
immediately obvious whether your settings are correct or not.

Without knowing the error it is showing in your logs, it never hurts to
match your key lifetimes in your connection definition in ipsec.conf:

ikelifetime=8h
keylife=1h

Regards,

Ryley Breiddal
PresiNET Systems
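As an added illustration (not part of this thread, and not a configuration any of the posters supplied), here is what a complete Openswan 2.4 conn definition looks like when it mirrors the Vigor settings quoted above: phase 1 proposal 3DES_MD5_G2 (3DES, MD5, DH group 2 = MODP1024), ESP 3DES with authentication, and the two key lifetimes matched to the Vigor defaults of 28800 s and 3600 s. The addresses, subnets and the ESP integrity algorithm (MD5 assumed, since the Vigor menu only says "with Authentication") are placeholders, and the conn name is reused from the log lines only for readability.

```conf
# /etc/ipsec.conf fragment (Openswan 2.4 syntax). Illustrative only; the
# addresses below are documentation ranges, not the poster's network.
conn vigor2600-vpn
    # Phase 1 (ISAKMP SA): must match the Vigor "3DES_MD5_G2" proposal,
    # and must not offer 1DES, which pluto rejects (OAKLEY_DES_CBC).
    ike=3des-md5-modp1024
    # Phase 2 (IPsec SA): Vigor "High(ESP): 3DES with Authentication".
    # MD5 HMAC is an assumption; use sha1 if the Vigor is set that way.
    esp=3des-md5
    # Lifetimes matched to the Vigor: 28800 s phase 1, 3600 s phase 2.
    ikelifetime=8h
    keylife=1h
    # Start rekeying this long before expiry, so Openswan normally gets to
    # initiate the rekey instead of waiting for the Vigor to do it.
    rekeymargin=9m
    # Placeholder endpoints and subnets (TEST-NET ranges, RFC 5737).
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    # Pre-shared key in /etc/ipsec.secrets (not shown).
    authby=secret
    # Perfect forward secrecy on phase 2, matching a group-2 Vigor profile.
    pfs=yes
    # auto=start lets Openswan bring the tunnel up; auto=add only loads it
    # and waits for the Vigor to initiate.
    auto=start
```

After editing, `ipsec auto --replace vigor2600-vpn` followed by `ipsec auto --up vigor2600-vpn` reloads and brings up the conn; `ipsec auto --status` then shows the negotiated proposal and the remaining lifetime on each SA, which is the quickest way to confirm that both sides actually agreed on 3DES and MODP1024 rather than falling back to whatever the Vigor proposes at its next rekey.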
