[Openswan Users] Trouble figuring out how to connect Openswan client to Cisco VPN

Steven Don shd at earthling.net
Thu Apr 9 07:32:56 EDT 2009


> With the configuration generated by the pcf2os.pl script, the output changes, of 
> course. This is what happens:
> ---
> home:~ # /etc/init.d/ipsec start
> ipsec_setup: Starting Openswan IPsec U2.6.21/K2.6.23.11...
> home:~ # ipsec auto --verbose --up tst
> 002 "tst" #1: initiating Aggressive Mode #1, connection "tst"
> 112 "tst" #1: STATE_AGGR_I1: initiate
> 003 "tst" #1: Informational Exchange message must be encrypted
> 010 "tst" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
> 003 "tst" #1: Informational Exchange message must be encrypted
> ---
> (That keeps looping, with 40s intervals)
*** More experimentation allowed it to connect once I changed the ike from 
3des-md5-modp1024 to 3des-sha1-modp1024. That at least got me to the point where I 
could enter my xauth username and password, which were accepted. The logs 
showed that it assigned me an IP address. The final result of that was:
---
pluto[28978]: "tst" #1: STATE_MAIN_I4: ISAKMP SA established
pluto[28978]: "tst" #2: initiating Quick Mode 
PSK+ENCRYPT+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 
msgid:036fda54 proposal=defaults pfsgroup=no-pfs}
pluto[28978]: "tst" #1: ignoring informational payload, type 
NO_PROPOSAL_CHOSEN msgid=00000000
---
From what I could glean off searching the archives, wiki and Google, this would seem 
to indicate a failure in phase 2 algorithm negotiation. I suppose that could be 
fixed by specifying the correct value(s) for phase2 and phase2alg/esp. Unfortunately, 
I don't have those values, nor do I know enough to make an educated guess.

Frustrated, I gave up and found vpnc instead ( http://www.unix-ag.uni-kl.de/~massar/vpnc/ ). 
This was embarrassingly simple and worked right out of the box!

From vpnc's log output, it would appear that it ends up using ESP with 3DES 
encryption and SHA1 hashing (which might make sense, as that is also used in the 
initial connection). When I try setting this option (phase2alg=3des-sha1), it tells me:
---
034 "tst": can not initiate: no acceptable kernel algorithms loaded
---
in the log:
---
pluto[23555]: | kernel_alg_db_add() kernel auth aalg_id=3 not present
---
Which I find strange, as I have 3DES and SHA enabled in the kernel option (and they 
are being used in the 1st phase). The manpage for ipsec.conf mentions "Note also 
that not all ciphers available to the kernel (eg through CryptoAPI) are necessarily 
supported here."

Is that what's biting me? If so, what can I do about this?

Although I'm happy that I'm able to connect now, it might be worth checking out what  
it is they do so that there is an easy way to set up a connection like this. I think it'd 
make a worthwhile addition to the Wiki too. I want to get to the bottom of this both for 
my own peace of mind and for others who might be struggling with an issue like this.

Kind regards,
  Steven Don
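The two things the message above is circling are the connection definition for a Cisco-style aggressive-mode/XAUTH client and the question of which ESP algorithms pluto has actually registered from the kernel (in the PF_KEY numbering pluto logs, aalg_id=3 is SADB_AALG_SHA1HMAC, so "kernel auth aalg_id=3 not present" says pluto never learned HMAC-SHA1 from the kernel, whatever the kernel's own crypto config says). The following is an added example, not code from the original post or from the Openswan project. Part 1 prints a conn block in the ipsec.conf keyword set of Openswan 2.6; the connection name "tst", the group name "GROUPNAME" and the gateway "vpn.example.com" are placeholders. Part 2 is a small check to pipe the output of `ipsec auto --status` through; the sample status lines it is exercised on are constructed to follow the Openswan 2.6 format and are not a real capture.

```shell
#!/bin/sh
# Added example, not code from the original post or from Openswan itself.
# Part 1: a conn block for a Cisco-style aggressive-mode + XAUTH client.
# Part 2: check "ipsec auto --status" for the ESP algorithms pluto registered.

# Part 1: prints the conn definition to place in /etc/ipsec.conf.
# The group pre-shared key goes in /etc/ipsec.secrets on one line, e.g.
#   @GROUPNAME %any: PSK "groupsecret"        (placeholder values)
cisco_xauth_conn() {
cat <<'EOF'
conn tst
    # Cisco group authentication uses aggressive mode with a PSK
    aggrmode=yes
    authby=secret
    ikev2=no
    left=%defaultroute
    # placeholder: the group name is sent as the phase 1 ID
    leftid=@GROUPNAME
    # ask for XAUTH user/password and accept the assigned address
    leftxauthclient=yes
    leftmodecfgclient=yes
    modecfgpull=yes
    # placeholder: the concentrator address
    right=vpn.example.com
    rightxauthserver=yes
    rightmodecfgserver=yes
    rightsubnet=0.0.0.0/0
    # phase 1: 3des-md5 looped in STATE_AGGR_I1, 3des-sha1 got through
    ike=3des-sha1-modp1024
    # phase 2: NO_PROPOSAL_CHOSEN in Quick Mode means this set was refused
    phase2=esp
    phase2alg=3des-sha1
    # the Quick Mode log above showed pfsgroup=no-pfs
    pfs=no
    auto=add
EOF
}

# Part 2: reads the text of "ipsec auto --status" on stdin, for example
#   ipsec auto --status | esp_algs_loaded
# and returns 0 only if pluto lists both ESP_3DES and HMAC-SHA1 as kernel
# algorithms; otherwise it names what is missing and returns 1.
esp_algs_loaded() {
    status_text=$(cat)
    algs_missing=""
    printf '%s\n' "$status_text" | grep -qi 'algorithm ESP encrypt:.*3DES' \
        || algs_missing="$algs_missing ESP_3DES"
    printf '%s\n' "$status_text" | grep -qi 'algorithm ESP auth.*SHA1' \
        || algs_missing="$algs_missing HMAC_SHA1"
    if [ -n "$algs_missing" ]; then
        echo "missing from pluto's kernel algorithm list:$algs_missing" >&2
        return 1
    fi
    echo "ESP 3DES and HMAC-SHA1 are registered; phase2alg=3des-sha1 can be used"
    return 0
}

# Constructed sample status lines (modelled on the Openswan 2.6 output format,
# not a real capture) so the check can be exercised without a running pluto.
STATUS_WITH_SHA1='000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160'
STATUS_WITHOUT_SHA1='000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128'

# Demonstration on the constructed samples.
cisco_xauth_conn
printf '%s\n' "$STATUS_WITH_SHA1" | esp_algs_loaded
if ! printf '%s\n' "$STATUS_WITHOUT_SHA1" | esp_algs_loaded; then
    echo "(second sample lacks HMAC-SHA1: phase2alg=3des-sha1 would not initiate)"
fi
```

On a live box the check is `ipsec auto --status | esp_algs_loaded`; if HMAC-SHA1 is absent there while the kernel's own crypto config has it, the gap is between the kernel and pluto's algorithm registration rather than in the conn block, which is the distinction the "no acceptable kernel algorithms loaded" error does not make on its own.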

