[Openswan Users] Trying to use linux as VPN client

Sebastiaan van Erk sebster at sebster.com
Thu Nov 20 15:38:45 EST 2008


Hi,

Thanks for the answers! I think you're right that I don't want L2TP. 
I've been reading the man page and trying stuff, but I'm still stuck 
though I feel I'm making some progress now. I've taken your suggestion 
and modified my connection file to:

conn relate
         authby=secret
         pfs=yes
         rekey=yes
         keyingtries=3
         type=tunnel
         aggrmode=yes
         left=%defaultroute
         leftid="sebster at sebster.com"
         right=111.111.111.111
         rightsubnet=10.31.5/24
         ike=aes192-sha1-modp1024
         phase2alg=aes192-sha1
         auto=add

Things I'm not sure about are the leftid (should it be prefixed with 
E=?). Also I don't know how to specify my IP address on the VPN subnet 
(10.31.13.5), which I also find kind of strange considering it's not 
even on the rightsubnet (I copied these settings from the GTA mobile 
client, and there it really says "address type: subnet, 
10.31.5.0/255.255.255.0" with VPN client address 10.31.13.5). The GTA 
client settings were provided to me by the sysadmin of the VPN server.

Another thing that I don't understand is the phase2alg: guessing from 
the GTA mobile client config and the man page it should be:

	phase2alg=aes192-sha1-modp1024

[The format for ESP is ENC-AUTH followed by an optional PFSgroup. For 
instance, "3des-md5" or "aes256-sha1-modp2048". --- the man page]

However when I try this pluto starts to complain:

Nov 20 21:23:28 blauwoor pluto[29887]: esp string error: Non initial digit found for auth keylen, just after "aes192-sha1-" (old_state=ST_AA_END)

It then kills the "relate" connection, and I can't even attempt to 
connect. On the other hand, when I don't add the modp1024 then I get 
this in the log:

Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:c60f69e7 proposal=AES(12)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Nov 20 21:26:36 blauwoor pluto[30146]: "relate" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

It actually looks ok from what I can see: aes192, sha1, and PFS group 
DH1024.

I have the feeling I'm getting close but I'm still missing something. 
I'm pretty sure that I need to do something with my VPN client IP and 
I'm wondering about the format for the email id.

Regards,
Sebastiaan


Peter McGill wrote:
> Sebastiaan,
> 
> Nothing here indicates that you're using l2tp.
> You should only have left/rightprotoport lines with l2tp.
> And yes, type/mode should be tunnel, unless using l2tp.
> 
> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited 
> 
>> -----Original Message-----
>> From: users-bounces at openswan.org 
>> [mailto:users-bounces at openswan.org] On Behalf Of Sebastiaan van Erk
>> Sent: November 20, 2008 1:34 PM
>> To: users at openswan.org
>> Subject: Re: [Openswan Users] Trying to use linux as VPN client
>>
>> Hi,
>>
>> Thanks for the answer, and I figured as much, however I don't know what
>> part of the proposal the other end does not like... Also, I'm a bit of a
>> newbie, so I don't know what the STATE_QUICK_I1 means; does it mean that
>> something succeeded (the STATE_AGGR_I2 stuff)? It already took me a
>> couple of hours to actually get it that far; at first that was
>> failing too...
>>
>> In GTA client I have the following settings under "Phase 1
>> (Authentication)" (other than my preshared key and remote gateway):
>>
>> IKE:
>> Encryption AES192, Authentication: SHA, Key Group: DH1024.
>>
>> Under "Advanced" it has:
>> Aggressive mode enabled, NAT-T: Automatic (vs Disabled)
>> Local id: Type: email, value: sebster at sebster.com
>> Remote id: Type IP, value: the ipsec gateway
>>
>> In GTA client I have the following settings under "Phase 2 (IPSec
>> Configuration)":
>>
>> ESP
>> Encryption: AES192, Authentication: SHA, Mode: Tunnel (oops, in my
>> config file I had mode transport, so I guess that's wrong, fixed it now
>> and put it on mode tunnel, but it still gives the same output).
>>
>> PFS is checked, Group DH1024
>>
>> Those are all the options available.
>>
>> Is there a good way to debug this? I guess it's part of the security
>> that the other end just plain says nothing instead of saying
>> what's wrong.
>>
>> Regards,
>> Sebastiaan
>>
>>
>>
>>
>> Paul Wouters wrote:
>>> On Thu, 20 Nov 2008, Sebastiaan van Erk wrote:
>>>
>>>> $ ipsec auto --up relate
>>>> 112 "relate" #1: STATE_AGGR_I1: initiate
>>>> 003 "relate" #1: received Vendor ID payload [Dead Peer Detection]
>>>> 004 "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
>>>> 117 "relate" #2: STATE_QUICK_I1: initiate
>>>> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>>>> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
>>> The other end does not like your proposal. You need to figure out what it is
>>> expecting from you.
>>>
>>> Paul
> 
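As an added illustration (not part of this thread, and not Openswan's own code), the following Python models the grammar that pluto's ESP string parser applies to a phase2alg value, using the state name that appears in the error above: once the authentication algorithm has been read, a "-" announces a numeric auth key length, which is why "aes192-sha1-modp1024" is rejected at "modp1024" with old_state=ST_AA_END. The model introduces the PFS group with ";" (the "aes192-sha1;modp1024" form); that separator is this example's assumption about the Openswan parser of that era and should be checked against the man page of the version in use. Consistently with the error the poster saw, the model rejects the man page's "aes256-sha1-modp2048" form as well.

```python
"""Constructed model of the Openswan-era phase2alg/esp string grammar.

Not Openswan's code: it mirrors the shape of the pluto error quoted in the
thread so the reader can see where the parse fails and where it succeeds.
Assumption: the PFS group is introduced by ';' rather than '-'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


class EspStringError(ValueError):
    """Pluto-style message: what failed, the text consumed so far, the state."""


@dataclass(frozen=True)
class EspProposal:
    enc: str
    enc_keylen: Optional[int]
    auth: str
    auth_keylen: Optional[int]
    pfsgroup: Optional[str]


_ENC = re.compile(r"(\d?[a-z_]+)(\d*)")   # "aes192" -> ("aes","192"), "3des" -> ("3des","")
_AUTH = re.compile(r"[a-z][a-z0-9_]*")   # "sha1", "md5", "sha2_256"
_DIGITS = re.compile(r"\d+")
_GROUP = re.compile(r"[a-z0-9]+")        # "modp1024"


def parse_esp_term(term: str) -> EspProposal:
    """Parse one ENC[keylen]-AUTH[-keylen][;PFSgroup] term."""
    pos = 0

    def fail(msg: str, state: str) -> None:
        # The message format follows the log line: error, consumed prefix, old state.
        raise EspStringError(
            'esp string error: %s, just after "%s" (old_state=%s)'
            % (msg, term[:pos], state)
        )

    m = _ENC.match(term, pos)
    if not m:
        fail("encryption algorithm name expected", "ST_INI")
    enc = m.group(1)
    enc_keylen = int(m.group(2)) if m.group(2) else None
    pos = m.end()

    if pos >= len(term) or term[pos] != "-":
        fail("'-' and authentication algorithm expected", "ST_ENC")
    pos += 1

    m = _AUTH.match(term, pos)
    if not m:
        fail("authentication algorithm name expected", "ST_AA")
    auth = m.group(0)
    pos = m.end()

    # After the auth algorithm a '-' means "auth key length follows": digits
    # are mandatory here, so "-modp1024" in this position is an error.
    auth_keylen = None
    if pos < len(term) and term[pos] == "-":
        pos += 1
        m = _DIGITS.match(term, pos)
        if not m:
            fail("Non initial digit found for auth keylen", "ST_AA_END")
        auth_keylen = int(m.group(0))
        pos = m.end()

    # Assumed separator for the optional PFS group.
    pfsgroup = None
    if pos < len(term) and term[pos] == ";":
        pos += 1
        m = _GROUP.match(term, pos)
        if not m:
            fail("PFS group name expected after ';'", "ST_MODP")
        pfsgroup = m.group(0)
        pos = m.end()

    if pos != len(term):
        fail("unexpected character %r" % term[pos], "ST_END")
    return EspProposal(enc, enc_keylen, auth, auth_keylen, pfsgroup)


def parse_esp_string(text: str) -> List[EspProposal]:
    """Parse a comma-separated phase2alg/esp value into its proposals."""
    return [parse_esp_term(t.strip()) for t in text.split(",")]


def check_esp_string(text: str) -> Optional[str]:
    """Return None if the value parses, otherwise the pluto-style error text."""
    try:
        parse_esp_string(text)
    except EspStringError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for candidate in ("aes192-sha1-modp1024", "aes192-sha1;modp1024", "3des-md5"):
        print(candidate, "->", check_esp_string(candidate) or parse_esp_string(candidate))
```

Running the block prints the rejection for the hyphenated form and the parsed proposal for the semicolon form; check_esp_string() is the handle to use when validating a candidate value before restarting pluto.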