[Openswan Users] ipsec.conf details for a regular client-to-gateway connection

Thomas Novin thomas at xyz.pp.se
Fri Nov 14 05:45:41 EST 2008


On Thu, 2008-11-13 at 17:01 -0500, Paul Wouters wrote:
> On Thu, 13 Nov 2008, Thomas Novin wrote:
> 
> > conn test
> >     auto=add
> >     left=%defaultroute
> >     #leftid=@test
> >     right=33.33.33.33
> >     rightsubnet=10.1.1.0/24
> >     rightid=%any
> 
> You need to set an explicit ID when using aggressive mode and PSK,
> for both leftid= and rightid=, because you can't trust the IP address
> for that, since it is dynamic.
> >     keyingtries=3
> >     pfs=yes
> >     #pfsgroup=modp1024
> >     auth=esp
> >     authby=secret
> >     esp=3des-md5-modp1536
> 
> Use esp=3des-md5;modp136 in newer openswan versions. Or leave out the modp
> bit, eg esp=3des-md5, and it will pick it up from the ike= line.
> 
> >     ike=3des-md5-modp1536
> 
> Don't set the modp in esp, the modp from ike will be used.

Thanks for the input but I still have a little way to go I think.

I could not use ike=3des-md5;modp136 (1536) because then I got this
error:

Nov 14 11:24:40 thonov-ubuntu ipsec__plutorun: 034 esp string error: Non
alphanum or valid separator found in auth string, just after
"3des-md5" (old_state=ST_AA)

I could however use ike=3des-md5-modp1536.

I have version 2.4.12.

My connection now looks like this:

ipsec.conf:
conn test
     auto=add
     left=%defaultroute
     leftid=44.44.44.44 # My External IP
     right=33.33.33.33
     rightsubnet=10.1.1.0/24
     rightid=33.33.33.33 # Remote GW IP
     keyingtries=3
     pfs=yes
     auth=esp
     authby=secret
     esp=3des-md5
     ike=3des-md5-modp1536
     aggrmode=yes

ipsec.secrets:

44.44.44.44 172.17.1.41 33.33.33.33: PSK "thePSK"

And is it correct that DH 2 = modp1536?

When I try to connect with this entry, I connect with '/usr/sbin/ipsec
auto --up test', and I have restarted /etc/init.d/ipsec before doing
that.

I can see one packet going out to the remote gw though (ISAKMP
aggressive) when looking with a sniffer. Probably the other end doesn't
like what it sees because I get nothing back.

I took two screenshots of the setup in the other end:

https://xyz.pp.se/~thnov/up/Screenshot-Web%20Management%20-%20Mozilla%20Firefox-2_edited.png
https://xyz.pp.se/~thnov/up/Screenshot-Web%20Management%20-%20Mozilla%20Firefox-3_edited.png

Rgds
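As an added example (not code from this thread or from the Openswan project), here is a small Python lint for ipsec.conf conn sections that mechanically checks the points Paul raised: aggressive mode with authby=secret needs explicit leftid= and rightid= (not %any), and the esp= proposal should not carry its own DH group in the old hyphen syntax because the group comes from ike=. It also splits proposal strings in both forms mentioned in the thread ("3des-md5-modp1536" as accepted by 2.4.x, "3des-md5;modp1536" as used by newer versions) and carries the IKE DH group table from RFC 2409 / RFC 3526, under which group 2 is modp1024 and modp1536 is group 5. The sample configuration is constructed from the first conn in the thread with aggrmode=yes added; the parser is deliberately minimal (conn sections and key=value lines only) and is an assumption of this example, not a model of Openswan's own config parser.

```python
"""Lint openswan-style ipsec.conf 'conn' sections for aggressive-mode/PSK
pitfalls. Added example, not the project's code."""

# IKE DH group number -> MODP size. Groups 1 and 2 from RFC 2409,
# groups 5 and 14-18 from RFC 3526.
DH_GROUPS = {
    1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
    15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192",
}


def dh_group_number(modp):
    """Reverse lookup: 'modp1536' -> 5. Returns None for unknown names."""
    for number, name in DH_GROUPS.items():
        if name == modp:
            return number
    return None


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for each 'conn' section.
    '#' comments (including trailing ones) are stripped; a fully
    commented line such as '#leftid=@test' therefore sets nothing."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def split_alg_string(value):
    """Split an esp=/ike= proposal into (cipher, integrity, dh_group).
    Accepts 'cipher-integ;modpNNNN' (newer syntax) and
    'cipher-integ-modpNNNN' (hyphen syntax accepted by 2.4.x)."""
    dh = None
    if ";" in value:
        value, dh = value.split(";", 1)
    parts = value.split("-")
    if len(parts) == 3 and parts[2].startswith("modp"):
        dh = parts[2]
        parts = parts[:2]
    integ = parts[1] if len(parts) > 1 else None
    return parts[0], integ, dh


def lint_conn(name, conn):
    """Return a list of findings (strings) for one conn section."""
    findings = []
    aggressive = conn.get("aggrmode", "no").lower() == "yes"
    uses_psk = conn.get("authby", "").lower() == "secret"
    if aggressive and uses_psk:
        # With aggressive mode + PSK the peer's IP cannot serve as its ID,
        # so both sides must name an explicit identity.
        for side in ("leftid", "rightid"):
            ident = conn.get(side)
            if ident is None or ident == "%any":
                findings.append(f"{name}: aggressive mode with PSK needs an "
                                f"explicit {side}= (got {ident!r})")
    esp = conn.get("esp")
    ike = conn.get("ike")
    if esp and "-modp" in esp:
        findings.append(f"{name}: esp= carries a DH group in hyphen syntax; "
                        f"drop it, the group is taken from ike=")
    if esp and ike:
        esp_dh = split_alg_string(esp)[2]
        ike_dh = split_alg_string(ike)[2]
        if esp_dh and ike_dh and esp_dh != ike_dh:
            findings.append(f"{name}: esp= DH {esp_dh} differs from ike= DH {ike_dh}")
    return findings


# Constructed sample: the thread's first conn plus aggrmode=yes.
SAMPLE_CONF = """conn test
    auto=add
    left=%defaultroute
    #leftid=@test
    right=33.33.33.33
    rightsubnet=10.1.1.0/24
    rightid=%any
    keyingtries=3
    pfs=yes
    auth=esp
    authby=secret
    esp=3des-md5-modp1536
    ike=3des-md5-modp1536
    aggrmode=yes
"""


def lint_text(text):
    """Parse a whole ipsec.conf and lint every conn section."""
    findings = []
    for name, conn in parse_ipsec_conf(text).items():
        findings.extend(lint_conn(name, conn))
    return findings


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONF):
        print(finding)
```

Running the lint over the sample reports the missing leftid=, the rightid=%any, and the DH group embedded in esp=; the revised conn from the thread (explicit IP IDs, esp=3des-md5, ike=3des-md5-modp1536) produces no findings.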
