[Openswan Users] Netgear DG834 (fwd)
Dale Taylor
dale at bluehall.net
Tue Feb 27 12:42:51 EST 2007
Im at a loss... should I download and install the latest version rather than
use the one in the debian repository?
Ipsec --verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.2.0/K2.4.27-3-386 (native)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets)
[FAILED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Checking for 'setkey' command for native IPsec stack support [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: ourserver
[MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: *.*.0.194.in-addr.arpa.
[MISSING]
IPSEC --version:
Linux Openswan U2.2.0/K2.4.27-3-386 (native)
See `ipsec --copyright' for copyright information.
Regards
Dale
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: 27 February 2007 17:38
To: Dale Taylor
Cc: users at openswan.org
Subject: RE: [Openswan Users] Netgear DG834 (fwd)
On Tue, 27 Feb 2007, Dale Taylor wrote:
> I just did used the standard install from clean debian install, did
apt-get
> install openswan (and let it install all the dependancies).
>
> Using debian Sarge.
Idon't know anything specfic, Just verify you have modules loaded before
starting
openswan. I assume you are using netkey (ipsec --version will tell you)
Paul
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: 27 February 2007 17:33
> To: Dale Taylor
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] Netgear DG834 (fwd)
>
> On Tue, 27 Feb 2007, Dale Taylor wrote:
>
> > OK now im getting the following error as well:
> >
> > no IKE algorithms for this connection
>
> I am not sure why you are getting intermittent errors on availability of
> modules. The only thing i can think of is that autoloading modules is not
> working for you, and some modules get unloaded on restarting openswan.
> This would only be an issue for netkey, since klips uses its internal
crypto
> functions in openswan 2.4.x
>
> Paul
>
> > here is a copy of my log:
> >
> > Feb 27 17:40:40 leedscast pluto[12038]: packet from 82.26.*.*:1:
received
> > Vendor ID payload [Dead Peer Detection]
> > Feb 27 17:40:40 ourserver pluto[12038]: packet from 82.26.*.*:1: initial
> > Main Mode message received on 194.*.*.*:500 but no connection has been
> > authorized
> > Feb 27 17:40:43 ourserver pluto[12038]: added connection description
> > "conection"
> > Feb 27 17:40:54 ourserver pluto[12038]: "conection" #8: initiating Main
> Mode
> > Feb 27 17:41:15 ourserver pluto[12038]: "conection": deleting connection
> > Feb 27 17:41:15 ourserver pluto[12038]: "conection" #8: deleting state
> > (STATE_MAIN_I1)
> > Feb 27 17:42:52 ourserver pluto[12038]: ike string error: hash_alg not
> > found, enc_alg="3des", auth_alg="sha1", modp="modp1024"
> > Feb 27 17:42:52 ourserver pluto[12038]: added connection description
> > "conection"
> > Feb 27 17:42:59 ourserver pluto[12038]: "conection" #9: initiating Main
> Mode
> > Feb 27 17:42:59 ourserver pluto[12038]: | no IKE algorithms for this
> > connection
> > Feb 27 17:42:59 ourserver pluto[12038]: | no IKE algorithms for this
> > connection
> > Feb 27 17:42:59 ourserver pluto[12038]: | no ISAKMP SA algo proposal to
> send
> > -using default 3DES-MD5/SHA1
> >
> > If anyone can shed any light on this I would appreciate it.
> >
> > Regards
> >
> > Dale
> >
> > -----Original Message-----
> > From: Paul Wouters [mailto:paul at xelerance.com]
> > Sent: 26 February 2007 22:58
> > To: Dale Taylor
> > Cc: users at openswan.org
> > Subject: [Openswan Users] Netgear DG834 (fwd)
> >
> >
> > > 003 ike string error: hash_alg not found, enc_alg="3des",
> auth_alg="sha1",
> > > modp="modp1024"
> > >
> > > conn someone
> > > type=tunnel
> > > authby=secret
> > > keyexchange=ike
> > > auto=start
> > > pfs=no
> > > # aggrmode=yes
> > > ike=3des-sha1-modp1024
> > > esp=3des-sha1
> > > # LOCAL
> > > left=%defaultroute
> > > leftsubnet=192.168.10.0/24
> > > leftid=me at localid.org
> > > # REMOTE
> > > right=someone.dyndns.org
> > > rightsubnet=192.168.254.0/24
> > > rightnexthop=%defaultroute
> > > rightid=id at remoteid.org
> >
> > I added this to our test server and did: ipsec auto --add someone:
> >
> > Feb 26 23:29:56 testserver pluto[1879]: added connection description
> > "someone"
> >
> > What version of openswan is this? You can try using "sha" instead of
> "sha1"
> > for some older versions.
> >
> > > PFS: Off
> >
> > Your openswan config is using PFS. If possible you should change it on
the
> > other end as well. If you can't, add pfs=no and leave out the modpgroup
> > setting.
> >
> > Paul
> > --
> > Building and integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
>
>
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list