[Openswan Users] Trying to use linux as VPN client

Sebastiaan van Erk sebster at sebster.com
Thu Nov 20 17:26:25 EST 2008


Hi,

Peter McGill wrote:
> Sebastiaan,
> 
> conn relate
> 	authby=secret
> 	pfs=yes
> 	rekey=yes
> 	keyingtries=3
> 	type=tunnel
> 	aggrmode=yes
> 	left=%defaultroute
> 	leftid="sebster at sebster.com"
> 	leftsubnet=10.31.13.5
> 	right=111.111.111.111
> 	rightsubnet=10.31.5/24
> 	ike=aes192-sha1-modp1024
> 	esp=aes192-sha1
> 	auto=add

> Phase 2 (esp) will use the same group as
> is specified for phase 1 (ike), so 1024.
> 
> I do not believe leftid should be prefixed.

I guess since phase 1 is succeeding (I think?) that it should be ok.

> Correct, your ip address is not on the remote
> subnet, this is because it's not a virtual
> address but a real address. You'll need an
> interface on your linux box which uses that
> ip for its address. Create a virtual interface
> for it, if needed.

Ok, I created a new virtual interface (eth1:1) with the 10.31.13.15 
address, though I'm unsure of the netmask I should be giving it.

I added an interfaces section to the config setup:
         interfaces="ipsec0=eth1:1"

And I tried several variations of the above config file (it complains 
that the / part is missing from leftsubnet, so I tried /32 on it). I 
also tried left=10.31.13.15. However, I'm still getting the same "no 
response to quick mode message"...

> Regarding NAT-T, you need it if either you or the
> Remote server is behind a natting router. In other
> words if one of you doesn't have a public ip address,
> and is using an address in 10/8, 172.16/12 or 192.168/16.
> 
> If your linux box connects directly to the internet,
> no router involved and so does the remote vpn then you
> do not need NAT-T.
> 
> To install NAT-T patch the kernel with the NAT-T patch,
> then enable in your ipsec.conf.

I will certainly be needing NAT then!

Thanks again for all the help, I feel that we're getting closer. :-)

Regards,
Sebastiaan

> Peter McGill
> IT Systems Analyst
> Gra Ham Energy Limited 
> 
>> -----Original Message-----
>> From: Sebastiaan van Erk [mailto:sebster at sebster.com] 
>> Sent: November 20, 2008 3:39 PM
>> To: petermcgill at goco.net
>> Cc: users at openswan.org
>> Subject: Re: [Openswan Users] Trying to use linux as VPN client
>>
>> Hi,
>>
>> Thanks for the answers! I think you're right that I don't want L2TP. 
>> I've been reading the man page and trying stuff, but I'm still stuck 
>> though I feel I'm making some progress now. I've taken your suggestion 
>> and modified my connection file to:
>>
>> conn relate
>>          authby=secret
>>          pfs=yes
>>          rekey=yes
>>          keyingtries=3
>>          type=tunnel
>>          aggrmode=yes
>>          left=%defaultroute
>>          leftid="sebster at sebster.com"
>>          right=111.111.111.111
>>          rightsubnet=10.31.5/24
>>          ike=aes192-sha1-modp1024
>>          phase2alg=aes192-sha1
>>          auto=add
>>
>> Things I'm not sure about are the leftid (should it be prefixed with 
>> E=?). Also I don't know how to specify my IP address on the VPN subnet 
>> (10.31.13.5). Which I also find kind of strange considering it's not 
>> even on the rightsubnet (I copied these settings from GTA mobile client, 
>> and there it really says "address type: subnet, 10.31.5.0/255.255.255.0" 
>> with VPN client address 10.31.13.5). The GTA client settings were 
>> provided to me by the sysadmin of the VPN server.
>>
>> Another thing that I don't understand is the phase2alg: guessing from 
>> the GTA mobile client config and the man page it should be:
>>
>> 	phase2alg=aes192-sha1-modp1024
>>
>> [The format for ESP is ENC-AUTH followed by an optional PFSgroup. For 
>> instance, "3des-md5" or "aes256-sha1-modp2048". --- the man page]
>>
>> However when I try this pluto starts to complain:
>>
>> Nov 20 21:23:28 blauwoor pluto[29887]: esp string error: Non initial digit found for auth keylen, just after "aes192-sha1-" (old_state=ST_AA_END)
>>
>> It then kills the "relate" connection, and I can't even attempt to 
>> connect. On the other hand, when I don't add the modp1024 then I get 
>> this in the log:
>>
>> Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
>> Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:c60f69e7 proposal=AES(12)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
>> Nov 20 21:26:36 blauwoor pluto[30146]: "relate" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>>
>> It actually looks ok from what I can see: aes192, sha1, and PFS group 
>> DH1024.
>>
>> I have the feeling I'm getting close but I'm still missing something. 
>> I'm pretty sure that I need to do something with my VPN client IP and 
>> I'm wondering about the format for the email id.
>>
>> Regards,
>> Sebastiaan
>>
>>
>> Peter McGill wrote:
>>> Sebastiaan,
>>>
>>> Nothing here indicates that you're using l2tp.
>>> You should only have left/rightprotoport lines with l2tp.
>>> And yes, type/mode should be tunnel, unless using l2tp.
>>>
>>> Peter McGill
>>> IT Systems Analyst
>>> Gra Ham Energy Limited 
>>>
>>>> -----Original Message-----
>>>> From: users-bounces at openswan.org 
>>>> [mailto:users-bounces at openswan.org] On Behalf Of Sebastiaan van Erk
>>>> Sent: November 20, 2008 1:34 PM
>>>> To: users at openswan.org
>>>> Subject: Re: [Openswan Users] Trying to use linux as VPN client
>>>>
>>>> Hi,
>>>>
>>>> Thanks for the answer, and I figured as much, however I don't know what
>>>> part of the proposal the other end does not like... Also, I'm a bit of a
>>>> newbie, so I don't know what the STATE_QUICK_I1 means; does it mean that
>>>> something succeeded (the STATE_AGGR_I2 stuff)? It already took me a
>>>> couple hours to actually get it that far, at first that was failing too...
>>>>
>>>> In GTA client I have the following settings under "Phase 1
>>>> (Authentication) (other than my preshared key and remote gateway):
>>>>
>>>> IKE:
>>>> Encryption AES192, Authentication: SHA, Key Group: DH1024.
>>>>
>>>> Under "Advanced" it has:
>>>> Aggressive mode enabled, NAT-T: Automatic (vs Disabled)
>>>> Local id: Type: email, value: sebster at sebster.com
>>>> Remote id: Type IP, value: the ipsec gateway
>>>>
>>>> In GTA client I have the following settings under "Phase 2 (IPSec
>>>> Configuration):
>>>>
>>>> ESP
>>>> Encryption: AES192, Authentication: SHA, Mode: Tunnel (oops, in my
>>>> config file I had mode transport, so I guess that's wrong, 
>>>> fixed it now
>>>> and put it on mode tunnel, but it still gives the same output).
>>>>
>>>> PFS is checked, Group DH1024
>>>>
>>>> Those are all the options available.
>>>>
>>>> Is there a good way to debug this? I guess it's part of the security
>>>> that the other hand just plain says nothing instead of saying what's wrong.
>>>>
>>>> Regards,
>>>> Sebastiaan
>>>>
>>>>
>>>>
>>>>
>>>> Paul Wouters wrote:
>>>>> On Thu, 20 Nov 2008, Sebastiaan van Erk wrote:
>>>>>
>>>>>> $ ipsec auto --up relate
>>>>>> 112 "relate" #1: STATE_AGGR_I1: initiate
>>>>>> 003 "relate" #1: received Vendor ID payload [Dead Peer Detection]
>>>>>> 004 "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
>>>>>> {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
>>>>>> 117 "relate" #2: STATE_QUICK_I1: initiate
>>>>>> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>>>>>> 010 "relate" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
>>>>> The other end does not like your proposal. You need to figure out what it is
>>>>> expecting from you.
>>>>>
>>>>> Paul
> 
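The pluto output quoted throughout this thread (ISAKMP SA established, then Quick Mode retransmissions and "perhaps peer likes no proposal") can be read mechanically, which answers the question of what STATE_QUICK_I1 means. The following Python is an added example, not code from the thread or from Openswan: it parses constructed log lines modelled on those quoted above (hostname, pid and msgid are illustrative) and reports whether phase 1 or phase 2 is where the negotiation stalled.

```python
import re
# Constructed pluto log sample modelled on the output quoted in this thread
# (hostname, pid, msgid and timestamps are illustrative, not captured here).
SAMPLE_LOG = """\
Nov 20 21:23:28 blauwoor pluto[29887]: esp string error: Non initial digit found for auth keylen, just after "aes192-sha1-" (old_state=ST_AA_END)
Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_192 prf=oakley_sha group=modp1024}
Nov 20 21:25:27 blauwoor pluto[30146]: "relate" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:c60f69e7 proposal=AES(12)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Nov 20 21:25:47 blauwoor pluto[30146]: "relate" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
Nov 20 21:26:36 blauwoor pluto[30146]: "relate" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
SA_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
BRACES_RE = re.compile(r'\{(?P<body>[^}]*)\}')

def _params(msg):
    m = BRACES_RE.search(msg)  # the '{k=v k=v ...}' tail of a pluto line
    return dict(t.split('=', 1) for t in m['body'].split() if '=' in t) if m else {}

def diagnose(log_text):
    """Return {'config_errors': [...], 'conns': {name: {phase1, phase2, status, quick_retransmits}}}."""
    report = {'config_errors': [], 'conns': {}}
    for line in log_text.splitlines():
        if 'esp string error' in line:  # ipsec.conf esp= string rejected at load time
            report['config_errors'].append(line.split('pluto[', 1)[1].split(': ', 1)[1])
            continue
        m = SA_RE.search(line)
        if not m:
            continue
        c = report['conns'].setdefault(m['conn'], {'phase1': None, 'phase2': None, 'status': 'unknown', 'quick_retransmits': 0})
        msg = m['msg']
        if 'ISAKMP SA established' in msg:             # phase 1 done: PSK and IKE algs accepted
            c['phase1'], c['status'] = _params(msg), 'phase1-established'
        elif msg.startswith('initiating Quick Mode'):  # phase 2 proposal sent to the peer
            c['phase2'] = _params(msg)
        elif 'STATE_QUICK_I1: retransmission' in msg:  # peer stays silent on phase 2
            c['quick_retransmits'] += 1
        elif 'No acceptable response to our first Quick Mode message' in msg:
            c['status'] = 'phase2-rejected'
        elif 'IPsec SA established' in msg:
            c['status'] = 'established'
    return report

def hint(conn):
    if conn['status'] != 'phase2-rejected':
        return conn['status']
    p1, p2 = conn['phase1'] or {}, conn['phase2'] or {}
    return ('phase 1 ok (%s/%s/%s); peer rejected phase 2 %s pfs=%s: check esp algs, PFS group, subnets'
            % (p1.get('cipher'), p1.get('prf'), p1.get('group'), p2.get('proposal'), p2.get('pfsgroup')))
```

Run `hint(diagnose(SAMPLE_LOG)['conns']['relate'])` to get the one-line reading; a real pluto log can be fed in the same way.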

