[Openswan Users] Help for configuration

Peter McGill petermcgill at goco.net
Mon Apr 23 12:24:45 EDT 2007


> Date: Mon, 23 Apr 2007 16:22:18 +0200
> From: steve.morard at epfl.ch
> Subject: [Openswan Users] Help for configuration
> To: users at openswan.org
> 
> I'm new to openswan and I'm trying to configure it. I got the following
> information from the gateway I have to open an IPSec tunnel with:
> 
> Authentication Method : Pre-Shared Secret
> Encryption Schema IKE
> Perfect Forward Secrecy-IKE : Diffie-Hellman Group 2
> Encryption Algorithm: AES128
> Hashing Algorithm: SHA-1/MD5
> Renegotiation of IKE SA : 86400 seconds
> 
> IPSec : ESP
> Perfect Forward Secrecy-IPSEC: Diffie-Hellman Group 2
> Encryption Algorithm: AES128/3DES
> Hashing Algorithm IPSec: SHA-1/MD5
> Renegotiation of IPSec SA: 3600 seconds
> 
> My /etc/ipsec.conf looks like this
> version	2.0	# conforms to second version of ipsec.conf specification
> 
> # basic configuration
> config setup
> 	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
> 	# klipsdebug=all
> 	# plutodebug=dns
> 
> # Add connections here.
> 
> # sample VPN connection (section names start in column 0, parameters are indented)
> conn sample
> 	# Left security gateway, subnet behind it, next hop toward right.
> 	left=x.x.x.x
> 	leftnexthop=%defaultroute
> 	# Right security gateway, subnet behind it, next hop toward left.
> 	right=y.y.y.y
> 	rightnexthop=%defaultroute
> 	# Proposal lists are comma-separated, first entry preferred
> 	ike=aes128-md5,aes128-sha1
> 	esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
> 	ikelifetime=1d
> 	keylife=1h
> 	# Load and start this connection at startup (auto=add would only load it)
> 	auto=start

Try:
	ike=aes128-sha1-modp1024,aes128-md5-modp1024
	esp=aes128-sha1,aes128-md5
	pfs=yes
	authby=secret
And in ipsec.secrets
x.x.x.x y.y.y.y : PSK "secret"

Otherwise looks good.

Peter

> 
> conn block
>     auto=ignore
> conn private
>     auto=ignore
> conn private-or-clear
>     auto=ignore
> conn clear-or-private
>     auto=ignore
> conn clear
>     auto=ignore
> conn packetdefault
>     auto=ignore
> 
> Is there something wrong or something missing in this configuration file
> according to the details that I got?
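For reference, here is the reply's advice assembled into a complete /etc/ipsec.conf and /etc/ipsec.secrets that cover every line of the gateway's parameter sheet quoted above. This is an added example, not code from either poster: the addresses 192.0.2.1 (this host) and 198.51.100.1 (the peer gateway), the connection name `peer-gw` and the PSK text are placeholders, and the config setup section is left as the original post had it.

```ini
# /etc/ipsec.conf  (Openswan 2.x syntax: section names start in column 0,
# parameters are indented; placeholder addresses and names throughout)
version 2.0

config setup
	# Debug-logging controls:  "none" for (almost) none, "all" for lots.
	# klipsdebug=all
	# plutodebug=dns

# Host-to-host tunnel to the peer gateway (no subnets were given, so no
# leftsubnet/rightsubnet; add them if traffic from networks behind the
# gateways is to be protected).
conn peer-gw
	left=192.0.2.1
	leftnexthop=%defaultroute
	right=198.51.100.1
	# Authentication Method: Pre-Shared Secret
	authby=secret
	# IKE: AES128, SHA-1 or MD5, Diffie-Hellman group 2 = modp1024.
	# Proposals are comma-separated, the first one is offered first.
	ike=aes128-sha1-modp1024,aes128-md5-modp1024
	# Renegotiation of IKE SA: 86400 seconds
	ikelifetime=1d
	# IPsec ESP: AES128 with SHA-1 or MD5. The gateway also accepts 3DES;
	# it is left out here so AES is the only cipher that can be negotiated.
	esp=aes128-sha1,aes128-md5
	# Perfect Forward Secrecy for IPsec: DH group 2 (defaults to the phase 1 group)
	pfs=yes
	# Renegotiation of IPsec SA: 3600 seconds
	keylife=1h
	# Load and bring the tunnel up when pluto starts
	auto=start

# /etc/ipsec.secrets  (owned by root, mode 0600; both gateway addresses, then the PSK)
192.0.2.1 198.51.100.1 : PSK "replace-with-a-long-random-secret"
```

Use a long random value for the PSK rather than a word (the output of `openssl rand -base64 32` is a reasonable source) and keep ipsec.secrets readable by root only, since the file holds the whole of the tunnel's authentication. After `ipsec auto --up peer-gw`, `ipsec auto --status` shows the "ISAKMP SA established" and "IPsec SA established" lines for the connection; if the peer rejects the proposal, that is where the mismatch with its parameter sheet shows up.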
