[Openswan Users] ipsec.conf details for a regular client-to-gateway connection
Peter McGill
petermcgill at goco.net
Fri Nov 14 09:54:55 EST 2008
Thomas,
No, 1536 = group 5
1024 = group 2
So either use group 5 on the other end,
Or set to modp1024 on the Openswan end.
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Thomas Novin
> Sent: November 14, 2008 5:46 AM
> To: Paul Wouters
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] ipsec.conf details for a regular client-to-gateway connection
>
> On Thu, 2008-11-13 at 17:01 -0500, Paul Wouters wrote:
> > On Thu, 13 Nov 2008, Thomas Novin wrote:
> >
> > > conn test
> > > auto=add
> > > left=%defaultroute
> > > #leftid=@test
> > > right=33.33.33.33
> > > rightsubnet=10.1.1.0/24
> > > rightid=%any
> >
> > You need to set an explicit ID when using aggressive mode and PSK,
> > for both leftid= and rightid=, because you can't trust the IP address
> > for that, since it is dynamic.
> > > keyingtries=3
> > > pfs=yes
> > > #pfsgroup=modp1024
> > > auth=esp
> > > authby=secret
> > > esp=3des-md5-modp1536
> >
> > Use esp=3des-md5;modp136 in newer openswan versions. Or leave out the modp
> > bit, eg esp=3des-md5, and it will pick it up from the ike= line.
> >
> > > ike=3des-md5-modp1536
> >
> > Don't set the modp in esp, the modp from ike will be used.
>
> Thanks for the input but I still have a little way to go I think..
>
> I could not use ike=3des-md5;modp136 (1536) because then I got this
> error:
>
> Nov 14 11:24:40 thonov-ubuntu ipsec__plutorun: 034 esp string error: Non
> alphanum or valid separator found in auth string, just after
> "3des-md5" (old_state=ST_AA)
>
> I could however use ike=3des-md5-modp1536.
>
> I have version 2.4.12.
>
> My connection now looks like this:
>
> ipsec.conf:
> conn test
> auto=add
> left=%defaultroute
> leftid=44.44.44.44 # My External IP
> right=33.33.33.33
> rightsubnet=10.1.1.0/24
> rightid=33.33.33.33 # Remote GW IP
> keyingtries=3
> pfs=yes
> auth=esp
> authby=secret
> esp=3des-md5
> ike=3des-md5-modp1536
> aggrmode=yes
>
> ipsec.secrets:
>
> 44.44.44.44 172.17.1.41 33.33.33.33: PSK "thePSK"
>
> And is it correct that DH 2 = modp1536?
>
> When I try to connect with this entry I connect with '/usr/sbin/ipsec
> auto --up test' and I have restarted /etc/init.d/ipsec before doing
> that.
>
> I can see one packet going out to the remote gw though (ISAKMP
> aggressive) when looking with a sniffer. Probably the other end doesn't
> like what it sees because I get nothing back.
>
> I took two screenshots of the setup in the other end:
>
> https://xyz.pp.se/~thnov/up/Screenshot-Web%20Management%20-%20Mozilla%20Firefox-2_edited.png
> https://xyz.pp.se/~thnov/up/Screenshot-Web%20Management%20-%20Mozilla%20Firefox-3_edited.png
>
> Rgds
>
>
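As an added example (not code from the thread or from Openswan), here is a small Python lint for the three points raised above: an esp= string that carries its own modp group, an aggressive-mode PSK conn without explicit leftid=/rightid=, and the DH group number that the ike= line actually negotiates (modp1024 = group 2, modp1536 = group 5) so it can be compared with what the remote gateway offers. The two sample conn blocks are constructed from the ones in the thread (aggrmode=yes added to the first), and the function names are my own.

```python
import re

# IKE DH group numbers for the named MODP groups (RFC 2409 / RFC 3526).
MODP_GROUP = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18,
}

def parse_conn(text):
    """Return the key=value settings of one conn block, with '#' comments
    (whole-line or trailing, e.g. 'leftid=44.44.44.44 # My External IP') removed."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def dh_group(alg_string):
    """DH group number named by the modp part of an ike=/esp= string (old '3des-md5-modp1536'
    or newer '3des-md5;modp1536'); None if no modp part, -1 if the size is not a standard group."""
    match = re.search(r"modp\d+", alg_string)
    if match is None:
        return None
    return MODP_GROUP.get(match.group(0), -1)

def check_conn(text):
    """Return (ike_dh_group, problems) for one conn block."""
    conf = parse_conn(text)
    problems = []
    # Aggressive mode + PSK: the peer is identified by its ID, not by a (dynamic) IP.
    if conf.get("aggrmode") == "yes" and conf.get("authby") == "secret":
        for side in ("leftid", "rightid"):
            if conf.get(side, "%any") == "%any":
                problems.append(f"{side}= must be explicit with aggrmode=yes and authby=secret")
    # The DH group belongs on the ike= line; esp= inherits it.
    if dh_group(conf.get("esp", "")) is not None:
        problems.append("esp= carries a modp group; drop it and let ike= supply the group")
    ike_grp = dh_group(conf.get("ike", ""))
    if ike_grp == -1:
        problems.append("ike= names a modp size that is not a standard DH group (typo?)")
    return ike_grp, problems

# Constructed samples: the thread's first conn block (plus aggrmode=yes) and its corrected form.
BEFORE = ("conn test\n left=%defaultroute\n #leftid=@test\n right=33.33.33.33\n rightid=%any\n"
          " authby=secret\n esp=3des-md5-modp1536\n ike=3des-md5-modp1536\n aggrmode=yes\n")
AFTER = ("conn test\n left=%defaultroute\n leftid=44.44.44.44 # My External IP\n right=33.33.33.33\n"
         " rightid=33.33.33.33 # Remote GW IP\n authby=secret\n esp=3des-md5\n ike=3des-md5-modp1536\n aggrmode=yes\n")
```

Running `check_conn(BEFORE)` reports the missing IDs and the modp group in esp=, while `check_conn(AFTER)` reports no problems and DH group 5 for both, which is the group the other end must also be set to.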