[Openswan Users] WRV200 <-> openswan key replacement problems
cherzberg at gmx.de
Tue Dec 11 15:08:53 EST 2007
> Subject: Re: [Openswan Users] WRV200 <-> openswan key replacement problems
> On Tue, 11 Dec 2007, Christian Herzberg wrote:
> > I set up a VPN from several Linksys WRV200 to one SLES10 openswan
> > I use pre-shared keys for each peer and I have fixed IP addresses on both
> > #esp=aes-128-md5!
> > Here is the config of the WRV200:
> > Key Exchange = Auto
> > Operation Mode = main
> > ISAKMP Encryption = 3DES
> > ISAKMP Authentica. = MD5
> > ISAKMP DH Group = Group 2: 1024-bits
> > ISAKMP Key Lifetime(s) = 288000
> > PFS = enable
> > IPSec Encryption Method= 3DES
> > IPSec Authentication M.= MD5
> > IPSec DH Group = Group 2: 1024-bits
> > IPSec Key Lifetime(s) = 3600
> > Pre-Shared Key = aaaaaaaaaaaaaaaaaaaa
> So use esp=3des-md5 and ike=3des-md5
I did the configuration and I get no log entries anymore on the SLES10 side.
But now openswan on the SLES side says that I have 5 tunnels open, but I have only one configured on my test system.
Looks like they opened a new tunnel each time they should rekey.
> > 403 [Tue 17:27:39] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 126.96.36.199:500
> > 404 [Tue 17:27:49] "TunnelA" #924: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
> The default openswan proposal is to use aes first, then try 3des. Looks like for some reason the proposal is rejected, while no other proposals are tried. I think the linksys might be running very old code.
Could be. I can't look into its firmware.
> Building and integrating Virtual Private Networks with Openswan:
> Users at openswan.org
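For reference, here is an added example of an openswan ipsec.conf conn stanza that mirrors the WRV200 settings quoted in the thread (3DES/MD5/DH group 2 for both phases, PFS on, 1 h IPsec lifetime). It is not the poster's configuration and not from the openswan project; the connection name, addresses and subnets are placeholders, and the ikelifetime value is an assumption explained in the comments.

```conf
# Added example, not the original poster's config.
# SLES10 / openswan side of a tunnel to one WRV200.
conn wrv200-siteA
    # WRV200 "Key Exchange = Auto", "Operation Mode = main":
    # IKE main mode is openswan's default.
    keyexchange=ike
    # WRV200 "Pre-Shared Key": the secret itself goes in ipsec.secrets.
    authby=secret
    # WRV200 ISAKMP Encryption/Authentication/DH Group = 3DES / MD5 / Group 2.
    # Pinning ike= keeps openswan from proposing AES first; the log line
    # "refused due to strict flag" shows the AES transform being rejected.
    ike=3des-md5-modp1024
    # WRV200 ISAKMP Key Lifetime(s) = 288000 (80 h). openswan caps ikelifetime
    # well below that (see ipsec.conf(5) for your version), so 8h is used here;
    # assumption: the side with the shorter lifetime drives the phase 1 rekey.
    ikelifetime=8h
    # WRV200 IPSec Encryption/Authentication = 3DES / MD5.
    # No trailing "!" (strict flag), so the peer's own proposal is still accepted.
    esp=3des-md5
    # WRV200 PFS = enable, IPSec DH Group = Group 2 (modp1024 is the default PFS group).
    pfs=yes
    # WRV200 IPSec Key Lifetime(s) = 3600.
    keylife=1h
    left=%defaultroute            # placeholder: public address of the openswan host
    leftsubnet=192.0.2.0/24       # placeholder: LAN behind the openswan host
    right=198.51.100.10           # placeholder: fixed public address of this WRV200
    rightsubnet=203.0.113.0/24    # placeholder: LAN behind the WRV200
    auto=start
```

When the symptom is "more tunnels than configured", `ipsec auto --status` lists every state (the `#797`, `#924` numbers in the log) per connection name; several ISAKMP or IPsec SAs for the same conn after a rekey points at the two ends not agreeing on who replaces the old SA, and matching lifetimes on both sides is the first thing to verify.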