[Openswan Users] Config file Question.

Peter McGill petermcgill at goco.net
Fri Feb 20 10:32:56 EST 2009


Those are not errors; they are information messages. You can ignore them.

The important messages are ISAKMP SA established and IPSec SA 
established, together they indicate a successful connection.

Peter

Magnus Holmberg wrote:
> I get something like this from whack
> 
> 000 "XXX":   IKE algorithms wanted: BLOWFISH(7)_000-SHA1(2)-2, flags=strict
> 000 "XXX":   IKE algorithms found:  BLOWFISH(7)_128-SHA1(2)_160-2,
> 000 "XXX":   ESP algorithms wanted: AES(12)_000-SHA1(2), flags=strict
> 000 "XXX":   ESP algorithms loaded: AES(12)_000-SHA1(2), flags=strict
> 
> What am I doing wrong?
> 
> 
> 
> Peter McGill wrote:
>> Nothing in the information suggests that 256 bit AES is required.
>> Also esp doesn't allow you to enter a DH group, instead it uses the same
>> group as phase 1 ike.
>> I suggest the following changes accordingly, otherwise your conn looks good.
>> 	ike=aes-sha1-modp1024
>> 	esp=aes-sha1
>>
>> Peter McGill
>> IT Systems Analyst
>> Gra Ham Energy Limited 
>>
>>   
>>> -----Original Message-----
>>> From: users-bounces at openswan.org 
>>> [mailto:users-bounces at openswan.org] On Behalf Of Magnus Holmberg
>>> Sent: February 18, 2009 2:16 PM
>>> To: Users at openswan.org
>>> Subject: [Openswan Users] Config file Question.
>>>
>>> I'd like to set up a vpn connection to another server and received the 
>>> information that it should be set up like:
>>>
>>> Encryption method: IKE
>>> Transforms: ESP
>>>
>>> IKE Phase1:
>>> Encryption algorithm: AES
>>> Hash method: SHA1
>>> Diffie-Hellman group: 2 (1024 bits)
>>> IKE key lifetime: 28800sec
>>>  
>>> IKE Phase2:
>>> Encryption algorithm: AES
>>> Hash method: SHA1
>>> Diffie-Hellman group: 2 (1024 bits)
>>> IPsec key lifetime: 3600sec
>>> Aggressive mode: disabled
>>>
>>>
>>> Can someone help me with the config here.
>>> I.e. I wonder what the esp= and ike should be set to.
>>>
>>>
>>> Is this correct:
>>>
>>> conn VPN
>>>        authby=secret
>>>        auto=start
>>>        rekey =yes
>>>        left=x.x.x.x
>>>        leftsubnet=x.x.x.x.192/28
>>>        auth = esp
>>>        keyexchange=ike
>>>        ikelifetime=28800s
>>>        keylife=3600s
>>>        right=y.y.y.y
>>>        rightsubnet=y.y.y/29
>>>        ike=aes256-sha1-modp1024
>>>        esp=aes256-sha1-modp1024
>>>        dpddelay=3
>>>        dpdtimeout=120
>>>        dpdaction=restart
>>>        aggrmode=no
>>>
>>
>>   
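
Added example, not part of the original thread or of Openswan: a small lint that compares a conn section against the peer's parameter sheet quoted above, using the `ike=`/`esp=` spelling from the reply. The sample conn is constructed with documentation addresses, and `PEER`, `parse_conns` and `check_conn` are hypothetical names.

```python
import re

# Peer's sheet from the thread, spelled as the reply suggests (DH group 2 = modp1024).
PEER = {"ike": "aes-sha1-modp1024", "esp": "aes-sha1",
        "ikelifetime": "28800s", "keylife": "3600s", "aggrmode": "no"}

# Constructed sample modelled on the conn in the question (addresses are placeholders).
SAMPLE = """\
conn VPN
       left=192.0.2.10
       right=203.0.113.20
       ikelifetime=28800s
       keylife=3600s
       ike=aes256-sha1-modp1024
       esp=aes256-sha1-modp1024
       aggrmode=no
"""

def parse_conns(text):
    """Return {conn name: {option: value}} for ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        head = re.match(r"conn\s+(\S+)$", line)
        if head:
            current = conns.setdefault(head.group(1), {})
        elif line and line[0] not in " \t":
            current = None                      # some other section, e.g. config setup
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_conn(opts, peer=PEER):
    """List the places where one conn disagrees with the peer's sheet."""
    findings = []
    for key, want in peer.items():
        got = opts.get(key)
        if got is None:
            findings.append(f"{key}: not set, peer expects {want}")
            continue
        if key == "esp" and re.search(r"-modp\d+$", got):
            findings.append(f"esp={got}: drop the DH group, phase 2 reuses the ike= group")
            got = re.sub(r"-modp\d+$", "", got)
        if got != want:
            findings.append(f"{key}={got}: peer sheet says {want}")
    return findings

print("\n".join(check_conn(parse_conns(SAMPLE)["VPN"])))
```
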

