[Openswan Users] Trying to use linux as VPN client
Peter McGill
petermcgill at goco.net
Thu Nov 20 13:56:15 EST 2008
Sebastiaan,
Nothing here indicates that you're using l2tp.
You should only have left/rightprotoport lines with l2tp.
And yes, type/mode should be tunnel, unless using l2tp.
Peter McGill
IT Systems Analyst
Gra Ham Energy Limited
> -----Original Message-----
> From: users-bounces at openswan.org
> [mailto:users-bounces at openswan.org] On Behalf Of Sebastiaan van Erk
> Sent: November 20, 2008 1:34 PM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Trying to use linux as VPN client
>
> Hi,
>
> Thanks for the answer, and I figured as much, however I don't know what
> part of the proposal the other end does not like... Also, I'm a bit of a
> newbie, so I don't know what the STATE_QUICK_I1 means; does it mean that
> something succeeded (the STATE_AGGR_I2 stuff)? It already took me a
> couple hours to actually get it that far, at first that was failing too...
>
> In GTA client I have the following settings under "Phase 1
> (Authentication)" (other than my preshared key and remote gateway):
>
> IKE:
> Encryption AES192, Authentication: SHA, Key Group: DH1024.
>
> Under "Advanced" it has:
> Aggressive mode enabled, NAT-T: Automatic (vs Disabled)
> Local id: Type: email, value: sebster at sebster.com
> Remote id: Type IP, value: the ipsec gateway
>
> In GTA client I have the following settings under "Phase 2 (IPSec
> Configuration)":
>
> ESP
> Encryption: AES192, Authentication: SHA, Mode: Tunnel (oops, in my
> config file I had mode transport, so I guess that's wrong, fixed it now
> and put it on mode tunnel, but it still gives the same output).
>
> PFS is checked, Group DH1024
>
> Those are all the options available.
>
> Is there a good way to debug this? I guess it's part of the security
> that the other hand just plain says nothing instead of saying what's wrong.
>
> Regards,
> Sebastiaan
>
>
>
>
> Paul Wouters wrote:
> > On Thu, 20 Nov 2008, Sebastiaan van Erk wrote:
> >
> >> $ ipsec auto --up relate
> >> 112 "relate" #1: STATE_AGGR_I1: initiate
> >> 003 "relate" #1: received Vendor ID payload [Dead Peer Detection]
> >> 004 "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
> >> 117 "relate" #2: STATE_QUICK_I1: initiate
> >> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> >> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> >
> > The other end does not like your proposal. You need to figure out what
> > it is expecting from you.
> >
> > Paul
>
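
Added example (not part of the original thread and not Openswan code): a small Python helper that reads the `ipsec auto --up` output quoted above and reports which phase stalled. In that output, STATE_AGGR_I2 with "ISAKMP SA established" means Phase 1 completed, and the STATE_QUICK_I1 retransmissions mean the Phase 2 (quick mode) request is going unanswered. The function name `diagnose` and the verdict strings are assumptions made for this example.

```python
import re

# Shape of a pluto status line as quoted in this thread:
#   <3-digit code> "<conn>" #<SA number>: <STATE_...>: <text>
STATUS = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #\d+: (?P<state>STATE_\w+): (?P<text>.*)$')

# Constructed sample: the output quoted in the thread, wrapped lines rejoined.
SAMPLE = """\
112 "relate" #1: STATE_AGGR_I1: initiate
003 "relate" #1: received Vendor ID payload [Dead Peer Detection]
004 "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
117 "relate" #2: STATE_QUICK_I1: initiate
010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
"""


def diagnose(output):
    """Summarise how far an `ipsec auto --up` run got (hypothetical helper)."""
    phase1_up = phase2_up = quick_sent = False
    retransmits = 0
    for raw in output.splitlines():
        m = STATUS.match(raw.strip())
        if not m:
            continue  # vendor-ID notices and other lines carry no state name
        state, text = m["state"], m["text"]
        if "ISAKMP SA established" in text:
            phase1_up = True            # Phase 1 (main or aggressive mode) done
        elif "IPsec SA established" in text:
            phase2_up = True            # Phase 2 (quick mode) done, tunnel usable
        elif state.startswith("STATE_QUICK_"):
            quick_sent = True
            retransmits += text.startswith("retransmission")
    if phase2_up:
        verdict = "tunnel up"
    elif phase1_up and quick_sent:
        # Peer accepted Phase 1 but never answers quick mode: compare the
        # Phase 2 settings (ESP algorithms, PFS group, tunnel/transport mode).
        verdict = "phase 2 unanswered"
    elif phase1_up:
        verdict = "phase 1 only"
    else:
        verdict = "phase 1 failed"
    return {"phase1": phase1_up, "phase2": phase2_up,
            "quick_retransmits": retransmits, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```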