[Openswan Users] Vigor2600 & Openswan 2.4.5rc5

Roberto Fichera kernel at tekno-soft.it
Tue Feb 21 10:19:59 CET 2006


At 20.45 20/02/2006, Ryley Breiddal wrote:
 >Roberto Fichera wrote:
 >> At 10.14 20/02/2006, Roberto Fichera wrote:
 >>> At 20.29 19/02/2006, Paul Wouters wrote:
 >>>
 >>>> On Sat, 18 Feb 2006, Roberto Fichera wrote:
 >>>>
 >>>>> does anyone have some tips for the Draytek Vigor2600 (v2.5.5.3_I & v2.5.6_I)
 >>>>> and Openswan interop because I'm getting some strange behaviour. The tunnel
 >>>>> stays up for about one or two hours, then I start to get errors and the
 >>>>> vigor2600 doesn't reconnect:
 >>>>>
 >>>>> Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: responding to Main Mode
 >>>>> Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: OAKLEY_DES_CBC is not
 >>>>> supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
 >>>>> Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: OAKLEY_DES_CBC is not
 >>>>> supported.  Attribute OAKLEY_ENCRYPTION_ALGORITHM
 >>>>> Feb 18 00:08:46 vpn pluto[31374]: "vigor2600-vpn" #43: only
 >>>>> OAKLEY_GROUP_MODP1024 and OAKLEY_GROUP_MODP1536 supported.  Attribute
 >>>>> OAKLEY_GROUP_DESCRIPTION
 >>>>
 >>>> Change the IKE option in the "advanced" popup to not use 1DES. What is
 >>>> happening is that openswan as initiator works fine, but when the Vigor
 >>>> turns to become the initiator at next rekey, it fails because it is
 >>>> announcing 1DES instead of 3DES or AES?
 >>>
 >>> Ok! I'll try it!
 >>
 >> I tried the configuration you suggest, but the problem is still there :-(!
 >
 >I assume "the problem" isn't actually the same anymore, i.e. the log
 >isn't complaining about DES being set?  What does the log say now?

I'm testing another configuration as Paul suggests. Basically I had to set
Openswan as initiator with a short keylife in order to avoid the Vigor becoming
the initiator itself.

 >
 >> On the Vigor side I changed:
 >>
 >> Call direction: both
 >> Idle timeout: 3600 (secs)
 >>
 >> IPSec security method:
 >> High(ESP): 3DES with Authentication
 >>
 >> Advanced Menu:
 >> IKE phase 1 proposal: 3DES_MD5_G2
 >> IKE phase 1 key lifetime: 28800 (default)
 >> IKE phase 2 key lifetime: 3600 (default)
 >>
 >> on /etc/ipsec.conf
 >>
 >> basically I tried auto=add and auto=start (current config)
 >> but the tunnel isn't rekeyed correctly.
 >>
 >> Is the Vigor2600 preferred to be the initiator, so that on Openswan I have to
 >> set auto=add, or must Openswan be the initiator?
 >
 >It should work both ways.  That being said, while you're testing this,
 >getting the vigor2600 to initiate the connection should make it
 >immediately obvious whether your settings are correct or not.
 >
 >Without knowing the error it is showing in your logs, it never hurts to
 >match your key lifetimes in your connection definition in ipsec.conf:
 >
 >ikelifetime=8h
 >keylife=1h

I'll send the log later today; I will test the configuration where the Vigor
is dial-in only. In the meantime I'll set those to 2h and 1h on the Openswan
side, while on the Vigor side they will stay at the default 8h and 1h, just to
be sure that the Vigor doesn't initiate the rekey :-\!

 >
 >Regards,
 >
 >Ryley Breiddal
 >PresiNET Systems
 >

Roberto Fichera. 
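The following conn block is an added example, not part of this thread and not Openswan's or DrayTek's own documentation. It pins Openswan to the proposal the thread settles on for the Vigor2600 (3DES, MD5, DH group 2 = modp1024; ESP 3DES with authentication) and uses the 2h/1h lifetimes Roberto plans to set, so that Openswan always reaches rekey before the Vigor's 8h/1h defaults and stays the initiator. The addresses, subnets and conn name are assumptions; PFS is left at Openswan's default (yes) and must match whatever the Vigor has configured.

```ini
# Added example (not from the thread): /etc/ipsec.conf conn for Openswan 2.4.x
# talking to a DrayTek Vigor2600 set to 3DES_MD5_G2 / "High(ESP): 3DES with
# Authentication". Addresses and subnets below are assumed values.
conn vigor2600-vpn
        type=tunnel
        authby=secret
        keyexchange=ike
        # Phase 1 pinned to the Vigor's proposal. Pluto has no 1DES, so if the
        # Vigor initiates with DES the exchange fails with
        # "OAKLEY_DES_CBC is not supported"; that is fixed only on the Vigor side
        # (the "Advanced" IKE popup), not here.
        ike=3des-md5-modp1024
        # Phase 2: ESP 3DES with HMAC-MD5 authentication.
        esp=3des-md5
        # Lifetimes shorter than the Vigor's defaults (8h / 1h) so Openswan
        # always rekeys first and remains the initiator.
        ikelifetime=2h
        keylife=1h
        rekey=yes
        # Openswan brings the tunnel up itself at start and on every rekey.
        auto=start
        # assumed: Openswan side
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        # assumed: Vigor2600 side
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
```

The pre-shared key goes in /etc/ipsec.secrets as a line of the form `192.0.2.1 198.51.100.1: PSK "..."` (same assumed addresses). After `ipsec auto --replace vigor2600-vpn`, `ipsec auto --status` shows whether the ISAKMP and IPsec SAs were established and which side initiated them. Note that 3DES, MD5 and modp1024 are what this router offers, not what one would pick today; they are used here only to match the peer.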


