[Openswan Users] WRV200 <-> openswan key replacement problems

Paul Wouters paul at xelerance.com
Tue Dec 11 13:46:34 EST 2007


On Tue, 11 Dec 2007, Christian Herzberg wrote:

> I set up a VPN from several Linksys WRV200 to one SLES10 openswan server.
> I use preshared keys for each peer and I have fixed IP addresses on both ends.

>         #esp=aes-128-md5!

> Here is the config of the WRV200:
>
> Key Exchange           =  Auto
> Operation Mode         =  main
> ISAKMP Encryption      =  3DES
> ISAKMP Authentica.     =  MD5
> ISAKMP DH Group        =  Group 2: 1024-bits
> ISAKMP Key Lifetime(s) =  288000
> PFS                    =  enable
> IPSec Encryption Method=  3DES
> IPSec Authentication M.=  MD5
> IPSec DH Group         =  Group 2: 1024-bits
> IPSec Key Lifetime(s)  =  3600
> Pre-Shared Key         =  aaaaaaaaaaaaaaaaaaaa

So use esp=3des-md5 and ike=3des-md5

> 403   [Tue 17:27:39]  "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
> 404   [Tue 17:27:49]  "TunnelA" #924: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag

The default openswan proposal is to use aes first, then try 3des. Looks like for some reason the proposal
is rejected, while no other proposals are tried. I think the linksys might be running very old code.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
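For reference, an openswan conn that mirrors the WRV200 settings quoted above (3DES/MD5, DH group 2, PFS, PSK). This is an added example, not configuration from either poster; the conn name, interface addresses, subnets and the key are placeholders, and the ikelifetime cap follows the openswan ipsec.conf man page.

```ini
# /etc/ipsec.conf on the SLES10 openswan server (added example, placeholders)
conn wrv200-siteA
        authby=secret                  # pre-shared key, see /etc/ipsec.secrets below
        left=192.0.2.1                 # placeholder: openswan server public address
        leftsubnet=10.0.0.0/24         # placeholder: LAN behind the server
        right=198.51.100.1             # placeholder: WRV200 public address
        rightsubnet=10.1.0.0/24        # placeholder: LAN behind the WRV200
        # Phase 1: ISAKMP Encryption=3DES, Authentication=MD5, DH Group 2 (1024-bit)
        ike=3des-md5-modp1024
        # Phase 2: IPSec Encryption=3DES, Authentication=MD5
        # No trailing "!" here: with the strict flag openswan rejects every
        # transform not in this list ("refused due to strict flag" in the log).
        esp=3des-md5
        pfs=yes                        # WRV200 PFS=enable; group follows the ike= group
        keylife=3600s                  # WRV200 IPSec Key Lifetime = 3600 s
        # WRV200 ISAKMP Key Lifetime = 288000 s cannot be matched exactly:
        # openswan caps ikelifetime at 24h, so each side rekeys on its own timer.
        ikelifetime=24h
        auto=add                       # server waits for the router to initiate

# /etc/ipsec.secrets on the server (added example, placeholder key)
# 192.0.2.1 198.51.100.1 : PSK "replace-with-the-real-preshared-key"
```

Put the same ike/esp pair in every conn for the other WRV200 units so no AES proposal is ever offered to them.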

