[Openswan Users] WRV200 <-> openswan key replacement problems
Christian Herzberg
cherzberg at gmx.de
Tue Dec 11 15:08:53 EST 2007
> Subject: Re: [Openswan Users] WRV200 <-> openswan key replacement problems
> On Tue, 11 Dec 2007, Christian Herzberg wrote:
>
> > I set up a VPN from several Linksys WRV200 to one SLES10 openswan server.
> > I use presharedkeys for each peer and I have fixed IP addresses on both ends.
>
> > #esp=aes-128-md5!
>
> > Here is the config of the WRV200:
> >
> > Key Exchange = Auto
> > Operation Mode = main
> > ISAKMP Encryption = 3DES
> > ISAKMP Authentica. = MD5
> > ISAKMP DH Group = Group 2: 1024-bits
> > ISAKMP Key Lifetime(s) = 288000
> > PFS = enable
> > IPSec Encryption Method= 3DES
> > IPSec Authentication M.= MD5
> > IPSec DH Group = Group 2: 1024-bits
> > IPSec Key Lifetime(s) = 3600
> > Pre-Shared Key = aaaaaaaaaaaaaaaaaaaa
>
> So use esp=3des-md5 and ike=3des-md5
I did the configuration and I get no log entries anymore on the SLES10 site.
But now openswan on the SLES site says that I have 5 tunnels open, but I have only one configured on my test system.
It looks as if they opened a new tunnel each time they should rekey.
>
> > 403 [Tue 17:27:39] "TunnelA" #797: sending encrypted notification INVALID_MESSAGE_ID to 80.81.242.54:500
> > 404 [Tue 17:27:49] "TunnelA" #924: IPsec Transform [ESP_AES (128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
>
> The default openswan proposal is to use aes first, then try 3des. Looks
> like for some reason the proposal is rejected, while no other proposals
> are tried. I think the linksys might be running very old code.
Could be. I can't look into its firmware.
Thanks
Christian
>
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
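Added example, not part of the original message and not Openswan code: a small Python helper that reads the "refused due to strict flag" line quoted in the thread and reports which fields of the offered transform differ from an `esp=` value. The log line and the two `esp=` spellings come from the thread; the function names, the ESP_3DES and HMAC_MD5 log names and the parsing rules are assumptions made for this illustration.

```python
import re
# Log names from the pluto line quoted in the thread, mapped to esp= tokens.
# The ESP_3DES and HMAC_MD5 log names are assumed by analogy.
ENC = {"ESP_AES": "aes", "ESP_3DES": "3des"}
AUTH = {"AUTH_ALGORITHM_HMAC_SHA1": "sha1", "AUTH_ALGORITHM_HMAC_MD5": "md5"}
REFUSED = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): IPsec Transform '
    r'\[(?P<enc>\w+) \((?P<bits>\d+)\), (?P<auth>\w+)\] '
    r'refused due to strict flag')
# Accepts the spellings seen in the thread: aes-128-md5 and 3des-md5.
PROPOSAL = re.compile(r'^([a-z0-9]*[a-z])-?(\d+)?-([a-z0-9]+)$')

def parse_esp(value):
    """Return ([(enc, bits_or_None, auth), ...], strict) for an esp= value."""
    text = value.strip()
    strict = text.endswith("!")          # trailing "!" marks a strict proposal
    proposals = []
    for item in text.rstrip("!").split(","):
        m = PROPOSAL.match(item.strip().lower())
        if not m:
            raise ValueError(f"unrecognised proposal: {item!r}")
        enc, bits, auth = m.groups()
        proposals.append((enc, int(bits) if bits else None, auth))
    return proposals, strict

def refused_transforms(lines):
    """Extract connection, SA number and offered transform from refusal lines."""
    found = []
    for line in lines:
        if (m := REFUSED.search(line)):
            offer = (ENC.get(m["enc"], m["enc"]), int(m["bits"]),
                     AUTH.get(m["auth"], m["auth"]))
            found.append({"conn": m["conn"], "sa": int(m["sa"]), "offer": offer})
    return found

def mismatches(offer, esp_value):
    """For each configured proposal, list the fields where the offer differs."""
    proposals, strict = parse_esp(esp_value)
    report = []
    for enc, bits, auth in proposals:
        checks = [("encryption", enc != offer[0]),
                  ("key length", enc == offer[0] and bits not in (None, offer[1])),
                  ("authentication", auth != offer[2])]
        report.append(((enc, bits, auth), [name for name, bad in checks if bad]))
    return strict, report

# Log line copied from the thread (wrapped line rejoined).
LOG = ['404 [Tue 17:27:49] "TunnelA" #924: IPsec Transform [ESP_AES (128), '
       'AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag']
```

Running `mismatches(refused_transforms(LOG)[0]["offer"], "3des-md5")` shows that the refused offer differs from the suggested proposal in both encryption and authentication.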