[Openswan Users] Config file Question.
Magnus Holmberg
magnus.holmberg at pepto.se
Mon Feb 23 02:28:53 EST 2009
Ok, thanks.
I guess that the other side is not complete yet.
I have one more small question.
The right part of my net looks like:
172.30.29.8/29
In the log I get:
000 "VPN": X.X.X.192/28===213.Y.Y.Y...Z.Z.Z.Z===172.30.29.8/29; prospective erouted; eroute owner: #0
Do I have to do something more about the routing when there is a
reserved net in the other end?
Peter McGill wrote:
> Those are not errors they are information messages, you can ignore them.
>
> The important messages are ISAKMP SA established and IPSec SA
> established, together they indicate a successful connection.
>
> Peter
>
> Magnus Holmberg wrote:
>> I get something like this from whack
>>
>> 000 "XXX": IKE algorithms wanted: BLOWFISH(7)_000-SHA1(2)-2, flags=strict
>> 000 "XXX": IKE algorithms found: BLOWFISH(7)_128-SHA1(2)_160-2,
>> 000 "XXX": ESP algorithms wanted: AES(12)_000-SHA1(2), flags=strict
>> 000 "XXX": ESP algorithms loaded: AES(12)_000-SHA1(2), flags=strict
>>
>> What am I doing wrong?
>>
>>
>>
>> Peter McGill wrote:
>>> Nothing in the information suggests that 256 bit AES is required.
>>> Also esp doesn't allow you to enter a DH group, instead it uses the same
>>> group as phase 1 ike.
>>> I suggest the following changes accordingly, otherwise your conn looks good.
>>> ike=aes-sha1-modp1024
>>> esp=aes-sha1
>>>
>>> Peter McGill
>>> IT Systems Analyst
>>> Gra Ham Energy Limited
>>>
>>>> -----Original Message-----
>>>> From: users-bounces at openswan.org
>>>> [mailto:users-bounces at openswan.org] On Behalf Of Magnus Holmberg
>>>> Sent: February 18, 2009 2:16 PM
>>>> To: Users at openswan.org
>>>> Subject: [Openswan Users] Config file Question.
>>>>
>>>> I would like to set up a VPN connection to another server and received the
>>>> information that it should be set up like:
>>>>
>>>> Encryption method: IKE
>>>> Transforms: ESP
>>>>
>>>> IKE Phase1:
>>>> Encryption algorithm: AES
>>>> Hash method: SHA1
>>>> Diffie-Hellman group: 2 (1024 bits)
>>>> IKE key lifetime: 28800sec
>>>>
>>>> IKE Phase2:
>>>> Encryption algorithm: AES
>>>> Hash method: SHA1
>>>> Diffie-Hellman group: 2 (1024 bits)
>>>> IPsec key lifetime: 3600sec
>>>> Aggressive mode: disabled
>>>>
>>>>
>>>> Can someone help me with the config here.
>>>> I.e. I wonder what the esp= and ike should be set to.
>>>>
>>>>
>>>> Is this correct:
>>>>
>>>> conn VPN
>>>> authby=secret
>>>> auto=start
>>>> rekey =yes
>>>> left=x.x.x.x
>>>> leftsubnet=x.x.x.x.192/28
>>>> auth = esp
>>>> keyexchange=ike
>>>> ikelifetime=28800s
>>>> keylife=3600s
>>>> right=y.y.y.y
>>>> rightsubnet=y.y.y/29
>>>> ike=aes256-sha1-modp1024
>>>> esp=aes256-sha1-modp1024
>>>> dpddelay=3
>>>> dpdtimeout=120
>>>> dpdaction=restart
>>>> aggrmode=no
>>>>
>>>>
>>>
>>>
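
Added example, not part of the original thread or of Openswan: a small Python check that compares a conn section against the peer's parameter sheet from the first message and reports the two points Peter McGill raises (a DH group on esp=, and an AES key size the peer did not ask for). The names PEER, POSTED, parse_conn and lint are hypothetical, and lifetimes are assumed to be written in seconds with an optional "s" suffix, as in the thread.

```python
import re

# Peer's stated proposal, copied from the first message in the thread.
PEER = {"cipher": "aes", "hash": "sha1", "dh": "modp1024",
        "ikelifetime": 28800, "keylife": 3600}

# Abridged copy of the conn as posted (constructed sample input).
POSTED = """conn VPN
    authby=secret
    rekey =yes
    ikelifetime=28800s
    keylife=3600s
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
"""

def parse_conn(text):
    """Collect the indented key=value options of a single conn section."""
    opts = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\w+)\s*=\s*(\S+)", line)
        if m:
            opts[m.group(1)] = m.group(2).lower()
    return opts

def lint(text, peer=PEER):
    """Return findings where the conn departs from the peer's sheet."""
    opts, findings = parse_conn(text), []
    for key in ("ike", "esp"):
        parts = opts.get(key, "").split("-")
        cipher, rest = parts[0], parts[1:]
        if cipher != peer["cipher"]:
            why = "explicit key size" if cipher.startswith(peer["cipher"]) else "cipher"
            findings.append(f"{key}: {why} '{cipher}' not in peer's sheet")
        if rest[:1] != [peer["hash"]]:
            findings.append(f"{key}: hash differs from {peer['hash']}")
        groups = [p for p in rest if p.startswith("modp")]
        if key == "esp" and groups:
            findings.append("esp: DH group given; esp uses the phase 1 group")
        if key == "ike" and groups != [peer["dh"]]:
            findings.append(f"ike: DH group is not {peer['dh']}")
    # Assumption: lifetimes are plain seconds with an optional "s" suffix.
    for key in ("ikelifetime", "keylife"):
        if int(opts.get(key, "0s").rstrip("s")) != peer[key]:
            findings.append(f"{key}: differs from peer's {peer[key]}s")
    return findings

if __name__ == "__main__":
    for finding in lint(POSTED):
        print(finding)
```

Run against the posted conn it reports the key size on both lines and the DH group on esp=; with ike=aes-sha1-modp1024 and esp=aes-sha1, as suggested in the reply, it reports nothing.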