[Openswan Users] openswan to Instagate

Peter McGill petermcgill at goco.net
Fri Jun 1 16:11:36 EDT 2007


> Date: Fri, 01 Jun 2007 13:38:08 -0400
> From: ACasella <antony.casella at sand.com>
> Subject: Re: [Openswan Users] openswan to Instagate
> To: users <users at openswan.org>
> 
> Here are the requested Openswan ipsec command outputs.  Looks like I have
> some errors even though I can create an openswan to openswan connection:
> 
> ipsec --version
> Linux Openswan U2.4.5/K2.6.20-1.2948.fc6 (netkey)
> See `ipsec --copyright' for copyright information.
> 
> ipsec verify
> Checking your system to see if IPsec got installed and started
> correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.5/K2.6.20-1.2948.fc6 (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects     
>   [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
>   or NETKEY will cause the sending of bogus ICMP redirects!
> 
> NETKEY detected, testing for disabled ICMP accept_redirects   
>   [FAILED]
> 
>   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
>   or NETKEY will accept bogus ICMP redirects!
> 
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support
> [DISABLED]
> 
> Here are the pluto logs after a restart and debug = none:
> 
> /var/log/messages:Jun  1 11:59:29 secure ipsec__plutorun: 003
> "/etc/ipsec.secrets" line 4: premature end of RSA key

Looks like you have an error in your secrets file.
If you only have this connection, then your secrets file should look like this:

207.61.yyy.yyy 72.55.xxx.xxx : PSK "secret"

This error repeats a number of times.

> /var/log/secure:Jun  1 12:02:18 secure pluto[20251]:
> "/etc/ipsec.secrets" line 4: premature end of RSA key
> /var/log/secure:Jun  1 12:02:26 secure pluto[20251]: 
> "host-to-host" #1:
> initiating Main Mode
> /var/log/secure:Jun  1 12:02:26 secure pluto[20251]: packet from
> 207.61.yyy.yyy:500: ignoring informational payload, type
> NO_PROPOSAL_CHOSEN

NO_PROPOSAL_CHOSEN indicates that the two sides cannot agree on
what encryption options to use, i.e. 3des-md5-modp1024, pfs.

> On Fri, 2007-06-01 at 09:27 -0400, Peter McGill wrote:
> > > Date: Thu, 31 May 2007 15:02:59 -0400
> > > From: ACasella <antony.casella at sand.com>
> > > Subject: Re: [Openswan Users] openswan to Instagate
> > > To: users <users at openswan.org>
> > > 
> > > Thank you for your reply.  I've tried the suggested configuration and
> > > I'm not getting anything different back from the instagate appliance.
> > > I've turned on "debug" mode on the instagate and this is the output:
> > > 
> > > Is there any other debugging information that I can provide from the
> > > openswan side that might be of help?
> > 
> > On the openswan machine, execute the following and copy the results into
> > the message body.
> > ipsec --version
> > and
> > ipsec verify
> > 
> > Also, make sure that plutodebug and klipsdebug are both set to none in conf.
> > (Normally there is enough info in the normal logs; debug options just make
> > them longer and harder to read, so leave them off unless asked to set them.)
> > Then, restart openswan and attempt to connect again.
> > Use the following to find the logs:
> > egrep -e 'pluto' /var/log/*
> > Send us the full pluto logs for your last restart and connection attempt
> > that you just did, in the message body too.
> > 
> > Peter
> > 
> > > On Thu, 2007-05-31 at 14:39 -0400, Peter McGill wrote:
> > > > > Date: Thu, 31 May 2007 14:11:46 -0400
> > > > > From: ACasella <antony.casella at sand.com>
> > > > > Subject: [Openswan Users] openswan to Instagate
> > > > > To: users at openswan.org
> > > > > 
> > > > > I'm trying to interconnect a host-to-host connection to an instagate
> > > > > firewall appliance (basically it looks like it runs either free or
> > > > > openswan on redhat).
> > > > > 
> > > > > I think I am falling short on the IKE/ESP settings on the openswan side
> > > > > in my configuration as I cannot initiate the connection.
> > > > > 
> > > > > When I initiate an ipsec auto --up host-to-host from my openswan server,
> > > > > the instagate appliance responds with NO_PROPOSAL_CHOSEN:
> > > > > 
> > > > > The instagate has limited choices for various IKE, DH and SPF.
> > > > > 
> > > > > The defaults are:  3DES enc, SHA-1 auth, DH2
> > > > > and:               3DES enc, MD5 auth, DH2
> > > > > Strict PFS is disabled.
> > > > > Key refresh is 24 hours
> > > > > And key management is preshared key.
> > > > > 
> > > > > My conf is
> > > > > 
> > > > > conn host-to-host
> > > > >     type=tunnel
> > > > >     authby=secret
> > > > >     left=207.61.yyy.yyy
> > > > >     leftid=@yyyy
> > > > >     leftnexthop=%defaultroute
> > > > >     right=72.55.xxx.xxx
> > > > >     rightid=@xxxx
> > > > >     rightnexthop=%defaultroute
> > > > >     esp=3des-md5-96,3des-sha1
> > > > >     keyexchange=    ike
> > > > >     pfs=            no
> > > > >     auto=add
> > > > 
> > > > 	ike=3des-sha1-modp1024,3des-md5-modp1024
> > > > 	esp=3des-sha1,3des-md5
> > > > 	keyexchange=ike
> > > > 	pfs=no
> > > > 
> > > > Specify the above ike and esp lines, also I'm not sure if
> > > > the whitespace after the = on the keyexchange and pfs
> > > > lines matters or not so I took it out.
>
> Date: Fri, 01 Jun 2007 13:48:44 -0400
> From: ACasella <antony.casella at sand.com>
> Subject: Re: [Openswan Users] openswan to Instagate
> To: users <users at openswan.org>
> 
> Thank you for your response.  Instagate only has a web interface to the
> device for administration so there is no other way to get configuration
> information other than a gui.  Below is my best attempt to translate
> this to text.  I have sent logs of openswan in another post:
> 
> Name
> Available  Enabled
> Network: Local Host to Remote Host
> Key Management: Automatic (Shared Secret)
> Network Settings: Remote Host IP Address
> Key Management Settings: Shared Secret
> I also have a button for IKE and IPSEC
> 
> For IKE
> IKE Settings Key Refresh Hours Minutes  or   KB Strict PFS  Enabled
> Aggressive Mode  Enabled
> 
> Proposals: High Security / High Performance / Custom
> 
> Available:
>   3DES Enc, MD5 Auth, DH 1
>   3DES Enc, SHA-1 Auth, DH 1
>   AES 128-bit Enc, MD5 Auth, DH 1
>   AES 128-bit Enc, MD5 Auth, DH 2
>   AES 128-bit Enc, SHA-1 Auth, DH 1
>   AES 128-bit Enc, SHA-1 Auth, DH 2
>   AES 192-bit Enc, MD5 Auth, DH 1
>   AES 192-bit Enc, MD5 Auth, DH 2
>   AES 192-bit Enc, SHA-1 Auth, DH 1
>   AES 192-bit Enc, SHA-1 Auth, DH 2
>   AES 256-bit Enc, MD5 Auth, DH 1
>   AES 256-bit Enc, MD5 Auth, DH 2
>   AES 256-bit Enc, SHA-1 Auth, DH 1
>   AES 256-bit Enc, SHA-1 Auth, DH 2
>   DES Enc, MD5 Auth, DH 1
>   DES Enc, MD5 Auth, DH 2
>   DES Enc, SHA-1 Auth, DH 1
>   DES Enc, SHA-1 Auth, DH 2
> 
> Active:
>   3DES Enc, SHA-1 Auth, DH 2
>   3DES Enc, MD5 Auth, DH 2
> 
> Changes to Proposals will affect other VPNs: host-to-host
> 
> For IPSEC button:
> 
> IPSec Settings
> Key Refresh
>  Hours Minutes  or   KB
> PFS Disabled Group 1 Group 2
> 
> Proposals: High Security / High Performance / Custom
> 
> Available:
>   No Enc, MD5 Auth
>   No Enc, SHA-1 Auth
>   AES 128-bit Enc, MD5 Auth
>   AES 128-bit Enc, SHA-1 Auth
>   AES 192-bit Enc, MD5 Auth
>   AES 192-bit Enc, SHA-1 Auth
>   AES 256-bit Enc, MD5 Auth
>   AES 256-bit Enc, SHA-1 Auth
>   DES Enc, MD5 Auth
>   DES Enc, SHA-1 Auth
> 
> Active:
>   3DES Enc, SHA-1 Auth
>   3DES Enc, MD5 Auth

I can't tell: are these all on, or are some off?
You should not have any No Enc on.
You should not have any DH 1 on.
You should not have any Aggressive Mode on.
You should not have any DES (Single DES) on.
(3DES, Triple DES is ok.)

If you can, turning pfs on will increase security.

It's best to only turn on the settings you're using:
3des-md5-modp1024 in openswan
3DES Enc, MD5 Auth, DH 2 in instagate.
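Added example (not code from the thread): a small checker that rewrites Openswan `ike=`/`esp=` proposal strings into the Instagate GUI's wording, reports which proposals both sides have enabled (an empty overlap is the situation behind NO_PROPOSAL_CHOSEN), and flags the settings advised against above. The Active lists are taken from the GUI screens quoted above; treating a bare `aes` as 128-bit and an omitted IKE DH group as modp1024 are assumptions of this example, not Openswan defaults taken from the page.

```python
# Added example, not from the thread: compare Openswan proposals with the
# proposals the Instagate shows as "Active" and flag weak choices.
ENC = {"3des": "3DES", "des": "DES", "null": "No",
       "aes": "AES 128-bit",  # bare "aes" treated as 128-bit (assumption)
       "aes128": "AES 128-bit", "aes192": "AES 192-bit", "aes256": "AES 256-bit"}
AUTH = {"md5": "MD5", "sha1": "SHA-1", "sha": "SHA-1"}
DH = {"modp768": "DH 1", "modp1024": "DH 2", "modp1536": "DH 5"}

# Active proposals as read off the Instagate screens quoted in the thread.
IKE_ACTIVE = ["3DES Enc, SHA-1 Auth, DH 2", "3DES Enc, MD5 Auth, DH 2"]
ESP_ACTIVE = ["3DES Enc, SHA-1 Auth", "3DES Enc, MD5 Auth"]


def to_gui(value, phase):
    """Parse 'enc-auth[-modpN|-96],...' into Instagate-style strings, in order.

    phase is "ike" (DH group part of the proposal; modp1024 assumed if absent)
    or "esp" (no DH group; a trailing '-96' as in '3des-md5-96' is the
    MD5/SHA-1 truncation length and is ignored)."""
    out = []
    for item in value.split(","):
        parts = item.strip().lower().split("-")
        text = f"{ENC[parts[0]]} Enc, {AUTH[parts[1]]} Auth"
        if phase == "ike":
            groups = [p for p in parts[2:] if p.startswith("modp")]
            text += ", " + DH[groups[0] if groups else "modp1024"]
        out.append(text)
    return out


def common(value, active, phase):
    """Proposals enabled on both sides, in Openswan's offer order."""
    return [p for p in to_gui(value, phase) if p in active]


def is_weak(proposal):
    """Settings the reply advises against: single DES, no encryption, DH 1."""
    enc = proposal.split(" Enc")[0]
    return enc in ("DES", "No") or proposal.endswith("DH 1")


if __name__ == "__main__":
    ike = "3des-sha1-modp1024,3des-md5-modp1024"  # lines suggested in the thread
    esp = "3des-md5-96,3des-sha1"                 # esp= line from the original conf
    for phase, value, active in (("ike", ike, IKE_ACTIVE), ("esp", esp, ESP_ACTIVE)):
        hit = common(value, active, phase)
        print(phase, "overlap:", hit or "none -> expect NO_PROPOSAL_CHOSEN")
    for p in IKE_ACTIVE + ["DES Enc, MD5 Auth, DH 1"]:
        print(p, "(weak)" if is_weak(p) else "(ok)")
```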
