[Openswan Users] Openswan 2.4.4 on FC5 against OpenBSD 4.0 isakmpd server

Albert Chin openswan-users at mlists.thewrittenword.com
Wed Nov 22 18:01:02 EST 2006


On Wed, Nov 22, 2006 at 12:51:47PM -0600, Albert Chin wrote:
> On Wed, Nov 22, 2006 at 04:17:20PM +0100, Paul Wouters wrote:
> > On Wed, 22 Nov 2006, Albert Chin wrote:
> > 
> > >      quick auth algorithm enc algorithm group group
> > >            These parameters define the cryptographic transforms to be used for
> > >            quick mode.  Possible values for auth, enc, and group are described
> > >            below in CRYPTO TRANSFORMS.  If group is specified, Perfect Forward
> > >            Security (PFS) is used.  If the value none is used, PFS is dis-
> > >            abled.
> > >            If omitted, ipsecctl(8) will use the default values hmac-sha2-256
> > >            and aes; PFS will only be used if the remote side requests it.
> > 
> > sha2? Openswan does not support sha2.
> > 
> > so try using pfs=yes and esp=aes-sha1
> 
> I tried this but no change. Still cannot get past Phase 2. I changed
> /etc/ipsec.conf on the OpenBSD box to:
>   ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
>     quick auth hmac-sha1 enc aes \
>     srcid vpn.thewrittenword.com dstid home.thewrittenword.com

Ok, found the problem. Based on the above, I should have set
leftsubnet and rightsubnet to set the correct SA. Once I did this,
Phase 2 worked.

-- 
albert chin (china at thewrittenword.com)
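For readers hitting the same Phase 2 failure: the point of the fix above is that Openswan's leftsubnet/rightsubnet have to describe the same two networks as the `from`/`to` of the isakmpd `ike` rule, seen from the other end, or quick mode has no matching proposal. The Openswan-side conn below is an added illustration written for this thread, not configuration taken from the original posts or from the Openswan project; the `left=%defaultroute` setting, the 203.0.113.10 address for the OpenBSD box (a documentation-range address), the `authby=secret` choice and the assumption that isakmpd's srcid/dstid are FQDN identities are all mine.

```ini
# Added example: Openswan ipsec.conf conn mirroring the OpenBSD ipsecctl rule
#   ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
#     quick auth hmac-sha1 enc aes \
#     srcid vpn.thewrittenword.com dstid home.thewrittenword.com
# "left" is the Openswan (FC5) host, "right" is the OpenBSD isakmpd host.
conn openbsd-site
    # assumption: the FC5 box uses its default-route interface address
    left=%defaultroute
    # @-prefixed ids are sent as FQDN identities without a DNS lookup;
    # assumed to match isakmpd's dstid/srcid, which are FQDNs here
    leftid=@home.thewrittenword.com
    # must equal the "to" network of the isakmpd rule
    leftsubnet=192.168.6.0/24
    # assumed (documentation-range) address of the OpenBSD box
    right=203.0.113.10
    rightid=@vpn.thewrittenword.com
    # must equal the "from" network of the isakmpd rule
    rightsubnet=192.168.1.0/24
    # Phase 2 proposal matching "quick auth hmac-sha1 enc aes";
    # PFS enabled, which the isakmpd default accepts when the peer asks for it
    esp=aes-sha1
    pfs=yes
    # assumption: pre-shared key; use rsasig if certificates are in use
    authby=secret
    auto=start
```

If either subnet is left out or differs from what isakmpd expects, Phase 1 still completes (identities and IKE proposal match) but quick mode fails, which is exactly the symptom reported in the thread; checking the subnet pair first saves time that would otherwise go into re-examining the cipher settings.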

