[Openswan Users] Openswan 2.4.4 on FC5 against OpenBSD 4.0 isakmpd server
Albert Chin
openswan-users at mlists.thewrittenword.com
Wed Nov 22 18:01:02 EST 2006
On Wed, Nov 22, 2006 at 12:51:47PM -0600, Albert Chin wrote:
> On Wed, Nov 22, 2006 at 04:17:20PM +0100, Paul Wouters wrote:
> > On Wed, 22 Nov 2006, Albert Chin wrote:
> >
> > > quick auth algorithm enc algorithm group group
> > > These parameters define the cryptographic transforms to be used for
> > > quick mode. Possible values for auth, enc, and group are described
> > > below in CRYPTO TRANSFORMS. If group is specified, Perfect Forward
> > > Security (PFS) is used. If the value none is used, PFS is disabled.
> > > If omitted, ipsecctl(8) will use the default values hmac-sha2-256
> > > and aes; PFS will only be used if the remote side requests it.
> >
> > sha2? Openswan does not support sha2.
> >
> > so try using pfs=yes and esp=aes-sha1
>
> I tried this but no change. Still cannot get past Phase 2. I changed
> /etc/ipsec.conf on the OpenBSD box to:
> ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
> quick auth hmac-sha1 enc aes \
> srcid vpn.thewrittenword.com dstid home.thewrittenword.com
Ok, found the problem. Based on the above, I should have set
leftsubnet and rightsubnet to set the correct SA. Once I did this,
Phase 2 worked.
--
albert chin (china at thewrittenword.com)
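The fix described in the message above, as an added example that is not part of the original thread: an Openswan 2.4.x conn block whose leftsubnet/rightsubnet and IDs mirror the OpenBSD ike line quoted earlier, so both sides propose the same Phase 2 selectors. Only the two subnets, the two FQDN IDs and the quick-mode transforms (aes, hmac-sha1, PFS) come from the thread; the gateway addresses 203.0.113.10 and 198.51.100.20, the conn name, pre-shared-key authentication and the main-mode proposal ike=aes128-sha1-modp1024 are assumptions for illustration.

```ini
# /etc/ipsec.conf on the Openswan (FC5) side, the "home" gateway.
# Added illustration; addresses, conn name, PSK auth and the ike= line
# are assumptions, not taken from the thread.
config setup
        interfaces=%defaultroute

conn obsd
        # Phase 1 (main mode): assumed proposal, must match what isakmpd offers.
        ike=aes128-sha1-modp1024
        # Phase 2 (quick mode): the transforms isakmpd was configured with
        # ("quick auth hmac-sha1 enc aes"); pfs=yes so a DH group is proposed,
        # which isakmpd accepts when the remote side requests PFS.
        esp=aes-sha1
        pfs=yes
        authby=secret            # assumed PSK; the key lives in /etc/ipsec.secrets
        # "left" is this box. Its subnet is the network isakmpd's line names
        # after "to" (192.168.6.0/24), and its ID is isakmpd's dstid.
        left=203.0.113.10        # assumed public address of the Openswan gateway
        leftsubnet=192.168.6.0/24
        leftid=@home.thewrittenword.com
        # "right" is the OpenBSD isakmpd box. Its subnet is the network after
        # "from" (192.168.1.0/24), and its ID is isakmpd's srcid.
        right=198.51.100.20      # assumed public address of the OpenBSD gateway
        rightsubnet=192.168.1.0/24
        rightid=@vpn.thewrittenword.com
        auto=start

# For comparison, the matching /etc/ipsec.conf line on the OpenBSD 4.0 side
# as posted in the thread ("passive": isakmpd waits for Openswan to initiate):
#   ike passive esp from 192.168.1.0/24 to 192.168.6.0/24 \
#       quick auth hmac-sha1 enc aes \
#       srcid vpn.thewrittenword.com dstid home.thewrittenword.com
```

Without leftsubnet/rightsubnet Openswan negotiates a host-to-host SA whose selectors are the two gateway addresses, which never matches the 192.168.1.0/24 to 192.168.6.0/24 flow isakmpd was told to protect, so Phase 1 completes and Phase 2 is rejected, which is the symptom in the message. To confirm the selectors after bringing the tunnel up, compare the output of `ipsec auto --status` on the Openswan side with `ipsecctl -s all` on the OpenBSD side: the flows and SA endpoints should list the same pair of subnets.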