[Openswan Users] Trying to use linux as VPN client

Peter McGill petermcgill at goco.net
Thu Nov 20 16:14:03 EST 2008


Sebastiaan,

conn relate
	authby=secret
	pfs=yes
	rekey=yes
	keyingtries=3
	type=tunnel
	aggrmode=yes
	left=%defaultroute
	leftid="sebster at sebster.com"
	leftsubnet=10.31.13.5
	right=111.111.111.111
	rightsubnet=10.31.5/24
	ike=aes192-sha1-modp1024
	esp=aes192-sha1
	auto=add

Phase 2 (esp) will use the same group as
is specified for phase 1 (ike), so 1024.

I do not believe leftid should be prefixed.

Correct, your ip address is not on the remote
subnet; this is because it's not a virtual
address but a real address. You'll need an
interface on your linux box which uses that
ip for its address. Create a virtual interface
for it, if needed.

Regarding NAT-T, you need it if either you or the
remote server is behind a natting router. In other
words, if one of you doesn't have a public ip address,
and is using an address in 10/8, 172.16/12 or 192.168/16.

If your linux box connects directly to the internet,
no router involved, and so does the remote vpn, then you
do not need NAT-T.

To install NAT-T, patch the kernel with the NAT-T patch,
then enable it in your ipsec.conf.

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 
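A small model of the two rules in the reply above (phase 2 takes its DH group from the end of ike= rather than from esp=, and NAT-T is needed when either endpoint sits on an RFC1918 address), written as an added example that is not part of the original message or of Openswan. The ike/esp grammar is simplified to ENC-AUTH[-GROUP], and 192.0.2.10 is a constructed stand-in for the local address %defaultroute would pick.

```python
import ipaddress
import re

# Added example, not Openswan code. It models the behaviour seen in this thread:
# 1) esp= is ENC-AUTH only (a trailing modp group is rejected, as pluto did),
#    and phase 2 inherits the DH group given at the end of ike= when pfs=yes;
# 2) NAT-T is required when either endpoint uses an RFC1918 address.
IKE_RE = re.compile(r"^([a-z0-9]+)-([a-z0-9]+)(?:-(modp[0-9]+))?$")
ESP_RE = re.compile(r"^([a-z0-9]+)-([a-z0-9]+)$")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_ike(spec):
    """Split an ike= value into encryption, integrity and DH group (group may be None)."""
    m = IKE_RE.match(spec)
    if not m:
        raise ValueError("bad ike string: %r" % spec)
    enc, auth, group = m.groups()
    return {"enc": enc, "auth": auth, "group": group}


def parse_esp(spec):
    """Split an esp= value; anything after ENC-AUTH is rejected, mirroring the log in the thread."""
    m = ESP_RE.match(spec)
    if not m:
        raise ValueError("esp string error: expected ENC-AUTH, got %r" % spec)
    enc, auth = m.groups()
    return {"enc": enc, "auth": auth}


def effective_phase2(conn):
    """Phase 2 proposal that will be sent: esp= algorithms plus the ike= group when pfs=yes."""
    ike = parse_ike(conn["ike"])
    esp = parse_esp(conn["esp"])
    pfsgroup = ike["group"] if conn.get("pfs", "yes") == "yes" else None
    return {"enc": esp["enc"], "auth": esp["auth"], "pfsgroup": pfsgroup}


def needs_nat_t(left_ip, right_ip):
    """True if either endpoint has a private address, i.e. is behind a natting router."""
    return any(ipaddress.ip_address(ip) in net for ip in (left_ip, right_ip) for net in PRIVATE)


# Constructed sample mirroring the conn in the reply above.
SAMPLE_CONN = {"ike": "aes192-sha1-modp1024", "esp": "aes192-sha1", "pfs": "yes"}

if __name__ == "__main__":
    print(effective_phase2(SAMPLE_CONN))
    # 192.0.2.10 is an assumed public address for the local side (constructed).
    print(needs_nat_t("192.0.2.10", "111.111.111.111"))
```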

> -----Original Message-----
> From: Sebastiaan van Erk [mailto:sebster at sebster.com] 
> Sent: November 20, 2008 3:39 PM
> To: petermcgill at goco.net
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] Trying to use linux as VPN client
> 
> Hi,
> 
> Thanks for the answers! I think you're right that I don't want L2TP. 
> I've been reading the man page and trying stuff, but I'm still stuck 
> though I feel I'm making some progress now. I've taken your suggestion 
> and modified my connection file to:
> 
> conn relate
>          authby=secret
>          pfs=yes
>          rekey=yes
>          keyingtries=3
>          type=tunnel
>          aggrmode=yes
>          left=%defaultroute
>          leftid="sebster at sebster.com"
>          right=111.111.111.111
>          rightsubnet=10.31.5/24
>          ike=aes192-sha1-modp1024
>          phase2alg=aes192-sha1
>          auto=add
> 
> Things I'm not sure about are the leftid (should it be prefixed with 
> E=?). Also I don't know how to specify my IP address on the VPN subnet 
> (10.31.13.5). Which I also find kind of strange considering it's not 
> even on the rightsubnet (I copied these settings from GTA mobile client, 
> and there it really says "address type: subnet, 10.31.5.0/255.255.255.0" 
> with VPN client address 10.31.13.5). The GTA client settings were 
> provided to me by the sysadmin of the VPN server.
> 
> Another thing that I don't understand is the phase2alg: guessing from 
> the GTA mobile client config and the man page it should be:
> 
> 	phase2alg=aes192-sha1-modp1024
> 
> [The format for ESP is ENC-AUTH followed by an optional PFSgroup. For 
> instance, "3des-md5" or "aes256-sha1-modp2048". --- the man page]
> 
> However when I try this pluto starts to complain:
> 
> Nov 20 21:23:28 blauwoor pluto[29887]: esp string error: Non initial digit found for auth keylen, just after "aes192-sha1-" (old_state=ST_AA_END)
> 
> It then kills the "relate" connection, and I can't even attempt to 
> connect. On the other hand, when I don't add the modp1024 then I get 
> this in the log:
> 
> Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
> Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:c60f69e7 proposal=AES(12)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
> Nov 20 21:26:36 blauwoor pluto[30146]: "relate" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 
> It actually looks ok from what I can see: aes192, sha1, and PFS group 
> DH1024.
> 
> I have the feeling I'm getting close but I'm still missing something. 
> I'm pretty sure that I need to do something with my VPN client IP and 
> I'm wondering about the format for the email id.
> 
> Regards,
> Sebastiaan
> 
> 
> Peter McGill wrote:
> > Sebastiaan,
> > 
> > Nothing here indicates that you're using l2tp.
> > You should only have left/rightprotoport lines with l2tp.
> > And yes, type/mode should be tunnel, unless using l2tp.
> > 
> > Peter McGill
> > IT Systems Analyst
> > Gra Ham Energy Limited 
> > 
> >> -----Original Message-----
> >> From: users-bounces at openswan.org 
> >> [mailto:users-bounces at openswan.org] On Behalf Of Sebastiaan van Erk
> >> Sent: November 20, 2008 1:34 PM
> >> To: users at openswan.org
> >> Subject: Re: [Openswan Users] Trying to use linux as VPN client
> >>
> >> Hi,
> >>
> >> Thanks for the answer, and I figured as much, however I don't know what
> >> part of the proposal the other end does not like... Also, I'm a bit of a
> >> newbie, so I don't know what the STATE_QUICK_I1 means; does it mean that
> >> something succeeded (the STATE_AGGR_I2 stuff)? It already took me a
> >> couple hours to actually get it that far, at first that was failing too...
> >>
> >> In GTA client I have the following settings under "Phase 1
> >> (Authentication) (other than my preshared key and remote gateway):
> >>
> >> IKE:
> >> Encryption AES192, Authentication: SHA, Key Group: DH1024.
> >>
> >> Under "Advanced" it has:
> >> Aggressive mode enabled, NAT-T: Automatic (vs Disabled)
> >> Local id: Type: email, value: sebster at sebster.com
> >> Remote id: Type IP, value: the ipsec gateway
> >>
> >> In GTA client I have the following settings under "Phase 2 (IPSec
> >> Configuration):
> >>
> >> ESP
> >> Encryption: AES192, Authentication: SHA, Mode: Tunnel (oops, in my
> >> config file I had mode transport, so I guess that's wrong, 
> >> fixed it now
> >> and put it on mode tunnel, but it still gives the same output).
> >>
> >> PFS is checked, Group DH1024
> >>
> >> Those are all the options available.
> >>
> >> Is there a good way to debug this? I guess it's part of the security
> >> that the other hand just plain says nothing instead of saying 
> >> what's wrong.
> >>
> >> Regards,
> >> Sebastiaan
> >>
> >>
> >>
> >>
> >> Paul Wouters wrote:
> >>> On Thu, 20 Nov 2008, Sebastiaan van Erk wrote:
> >>>
> >>>> $ ipsec auto --up relate
> >>>> 112 "relate" #1: STATE_AGGR_I1: initiate
> >>>> 003 "relate" #1: received Vendor ID payload [Dead Peer Detection]
> >>>> 004 "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
> >>>> 117 "relate" #2: STATE_QUICK_I1: initiate
> >>>> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> >>>> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> >>> The other end does not like your proposal. You need to figure out what it is
> >>> expecting from you.
> >>>
> >>> Paul
> > 
> 