[Openswan Users] ipsec.conf details for a regular client-to-gateway connection

Peter McGill petermcgill at goco.net
Fri Nov 14 09:54:55 EST 2008


Thomas,

No, 1536 = group 5
1024 = group 2
So either use group 5 on the other end,
Or set to modp1024 on the Openswan end.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Thomas Novin
> Sent: November 14, 2008 5:46 AM
> To: Paul Wouters
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] ipsec.conf details for a 
> regular client-to-gateway connection
> 
> On Thu, 2008-11-13 at 17:01 -0500, Paul Wouters wrote:
> > On Thu, 13 Nov 2008, Thomas Novin wrote:
> > 
> > > conn test
> > >     auto=add
> > >     left=%defaultroute
> > >     #leftid=@test
> > >     right=33.33.33.33
> > >     rightsubnet=10.1.1.0/24
> > >     rightid=%any
> > 
> > You need to set an explicit ID when using aggressive mode and PSK,
> > for both leftid= and rightid=, because you can't trust the IP address
> > for that, since it is dynamic.
> > >     keyingtries=3
> > >     pfs=yes
> > >     #pfsgroup=modp1024
> > >     auth=esp
> > >     authby=secret
> > >     esp=3des-md5-modp1536
> > 
> > Use esp=3des-md5;modp136 in newer openswan versions. Or leave out the modp
> > bit, eg esp=3des-md5, and it will pick it up from the ike= line.
> > 
> > >     ike=3des-md5-modp1536
> > 
> > Don't set the modp in esp, the modp from ike will be used.
> 
> Thanks for the input but I still have a little way to go I think..
> 
> I could not use ike=3des-md5;modp136 (1536) because then I got this
> error:
> 
> Nov 14 11:24:40 thonov-ubuntu ipsec__plutorun: 034 esp string error: Non
> alphanum or valid separator found in auth string, just after
> "3des-md5" (old_state=ST_AA)
> 
> I could however use ike=3des-md5-modp1536.
> 
> I have version 2.4.12.
> 
> My connection now looks like this:
> 
> ipsec.conf:
> conn test
>      auto=add
>      left=%defaultroute
>      leftid=44.44.44.44 # My External IP
>      right=33.33.33.33
>      rightsubnet=10.1.1.0/24
>      rightid=33.33.33.33 # Remote GW IP
>      keyingtries=3
>      pfs=yes
>      auth=esp
>      authby=secret
>      esp=3des-md5
>      ike=3des-md5-modp1536
>      aggrmode=yes
> 
> ipsec.secrets:
> 
> 44.44.44.44 172.17.1.41 33.33.33.33: PSK "thePSK"
> 
> And is it correct that DH 2 = modp1536?
> 
> When I try to connect with this entry I connect with '/usr/sbin/ipsec
> auto --up test' and I have restarted /etc/init.d/ipsec before doing
> that.
> 
> I can see one packet going out to the remote gw though (ISAKMP
> aggressive) when looking with a sniffer. Probably the other end doesn't
> like what it sees because I get nothing back.
> 
> I took two screenshots of the setup in the other end:
> 
> https://xyz.pp.se/~thnov/up/Screenshot-Web%20Management%20-%20Mozilla%20Firefox-2_edited.png
> https://xyz.pp.se/~thnov/up/Screenshot-Web%20Management%20-%20Mozilla%20Firefox-3_edited.png
> 
> Rgds
> 
> 
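The thread turns on two things that are easy to get wrong by hand: the mapping between a modpNNNN size in an ike=/esp= line and the Diffie-Hellman group number shown in another vendor's GUI (1536 bits is group 5, 1024 bits is group 2), and the rule that the esp= line inherits the DH group from ike= when it names none. The following Python script is an added illustration, not code from the thread or from Openswan itself. It parses both the old "cipher-hash-modpNNNN" syntax used with 2.4.12 and the newer "cipher-hash;modpNNNN" syntax, maps the MODP size to its IKE group number using the standard RFC 2409 / RFC 3526 values, and reports where a local configuration disagrees with the groups configured on the peer. The function names, the sample proposals, and the peer group values are constructed for the example.

```python
import re

# IKE Diffie-Hellman group numbers for the MODP sizes Openswan accepts
# (RFC 2409 for groups 1/2/5, RFC 3526 for 14-18). These are standard values.
MODP_TO_DH_GROUP = {
    "modp768": 1,
    "modp1024": 2,
    "modp1536": 5,
    "modp2048": 14,
    "modp3072": 15,
    "modp4096": 16,
    "modp6144": 17,
    "modp8192": 18,
}

# One proposal of the form "<cipher>-<hash>", "<cipher>-<hash>;modpNNNN" (newer
# Openswan syntax) or "<cipher>-<hash>-modpNNNN" (old syntax, as in the thread).
_PROPOSAL_RE = re.compile(
    r"^(?P<cipher>[a-z0-9_]+)-(?P<hash>[a-z0-9_]+)"
    r"(?:(?P<sep>[;-])(?P<modp>modp[0-9]+))?$"
)


def parse_proposal(text):
    """Parse one ike=/esp= proposal string into its parts (helper for this example).

    Returns a dict with keys cipher, hash, modp (string or None), dh_group
    (IKE group number or None) and syntax ("old", "new" or None).
    Raises ValueError on malformed input or an unknown MODP size, which is
    how a typo such as "modp136" instead of "modp1536" surfaces.
    """
    m = _PROPOSAL_RE.match(text.strip())
    if not m:
        raise ValueError("malformed proposal: %r" % text)
    modp = m.group("modp")
    dh_group = None
    if modp is not None:
        if modp not in MODP_TO_DH_GROUP:
            raise ValueError("unknown MODP group %r in proposal %r" % (modp, text))
        dh_group = MODP_TO_DH_GROUP[modp]
    syntax = {None: None, "-": "old", ";": "new"}[m.group("sep")]
    return {"cipher": m.group("cipher"), "hash": m.group("hash"),
            "modp": modp, "dh_group": dh_group, "syntax": syntax}


def is_valid_proposal(text):
    """True if the proposal parses and names a known MODP group (or none at all)."""
    try:
        parse_proposal(text)
        return True
    except ValueError:
        return False


def effective_pfs_group(ike, esp):
    """DH group used for phase 2 PFS: the esp= group if one is given, else the ike= group."""
    esp_group = parse_proposal(esp)["dh_group"]
    return esp_group if esp_group is not None else parse_proposal(ike)["dh_group"]


def check_against_peer(ike, esp, peer_phase1_group, peer_pfs_group):
    """Compare a local ike=/esp= pair with the DH group numbers configured on the peer.

    Returns a list of human-readable mismatches; an empty list means the DH
    groups agree for both phases (ciphers and hashes are not compared here).
    """
    problems = []
    local_p1 = parse_proposal(ike)["dh_group"]
    if local_p1 is None:
        problems.append("ike= names no MODP group, so the phase 1 group is unspecified")
    elif local_p1 != peer_phase1_group:
        problems.append("phase 1: local DH group %d, peer DH group %d"
                        % (local_p1, peer_phase1_group))
    local_pfs = effective_pfs_group(ike, esp)
    if local_pfs is not None and local_pfs != peer_pfs_group:
        problems.append("phase 2 PFS: local DH group %d, peer DH group %d"
                        % (local_pfs, peer_pfs_group))
    return problems


if __name__ == "__main__":
    # Constructed scenario matching the thread: the local side runs
    # ike=3des-md5-modp1536 (group 5) while the remote gateway is set to DH group 2.
    for msg in check_against_peer("3des-md5-modp1536", "3des-md5", 2, 2):
        print(msg)
```

Running the script with the constructed scenario prints a phase 1 and a phase 2 mismatch, which is exactly the situation in the thread: either the remote gateway must be moved to group 5 or the Openswan side to modp1024. Because esp=3des-md5 names no group, the phase 2 check uses the ike= group, so fixing the ike= line alone resolves both lines of output.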