[Openswan Users] Why won't the tunnel come up? (Was: Config file Question.)

Magnus Holmberg magnus.holmberg at pepto.se
Mon Feb 23 11:12:09 EST 2009


Just received an e-mail saying that they use 256 bit so I changed the 
config to:

ike=aes256-sha1-modp1024
esp=aes256-sha1

Now it seems to pass step 1, and then it stays with:

Feb 23 17:05:41 fw pluto[19900]: "VPN" #17: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #16 {using isakmp#3}
Feb 23 17:06:51 fw pluto[19900]: "VPN" #17: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Feb 23 17:06:51 fw pluto[19900]: "VPN" #17: starting keying attempt 12 of an unlimited number
Feb 23 17:06:51 fw pluto[19900]: "VPN" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #17 {using isakmp#3}

What could be the problem here? Is there some more debug info I can turn on?

I really hope that the book "Building and Integrating Virtual Private 
Networks with Openswan" that I have ordered will arrive soon. I will 
surely need it.

BR

Magnus


>> e:
>>> Nothing in the information suggests that 256 bit AES is required.
>>> Also esp doesn't allow you to enter a DH group, instead it uses the
>>> same group as phase 1 ike.
>>> I suggest the following changes accordingly, otherwise your conn
>>> looks good.
>>>     ike=aes-sha1-modp1024
>>>     esp=aes-sha1
>>>
>>> Peter McGill
>>> IT Systems Analyst
>>> Gra Ham Energy Limited
>>>  
>>>> -----Original Message-----
>>>> From: users-bounces at openswan.org 
>>>> [mailto:users-bounces at openswan.org] On Behalf Of Magnus Holmberg
>>>> Sent: February 18, 2009 2:16 PM
>>>> To: Users at openswan.org
>>>> Subject: [Openswan Users] Config file Question.
>>>>
>>>> I'd like to set up a VPN connection to another server and received the 
>>>> information that it should be set up like:
>>>>
>>>> Encryption method: IKE
>>>> Transforms: ESP
>>>>
>>>> IKE Phase1:
>>>> Encryption algorithm: AES
>>>> Hash method: SHA1
>>>> Diffie-Hellman group: 2 (1024 bits)
>>>> IKE key lifetime: 28800sec
>>>>  
>>>> IKE Phase2:
>>>> Encryption algorithm: AES
>>>> Hash method: SHA1
>>>> Diffie-Hellman group: 2 (1024 bits)
>>>> IPsec key lifetime: 3600sec
>>>> Aggressive mode: disabled
>>>>
>>>>
>>>> Can someone help me with the config here?
>>>> I.e., I wonder what the esp= and ike should be set to.
>>>>
>>>>
>>>> Is this correct:
>>>>
>>>> conn VPN
>>>>        authby=secret
>>>>        auto=start
>>>>        rekey =yes
>>>>        left=x.x.x.x
>>>>        leftsubnet=x.x.x.x.192/28
>>>>        auth = esp
>>>>        keyexchange=ike
>>>>        ikelifetime=28800s
>>>>        keylife=3600s
>>>>        right=y.y.y.y
>>>>        rightsubnet=y.y.y/29
>>>>        ike=aes256-sha1-modp1024
>>>>        esp=aes256-sha1-modp1024
>>>>        dpddelay=3
>>>>        dpdtimeout=120
>>>>        dpdaction=restart
>>>>        aggrmode=no
>>>>
>>>
>>>   
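The comparison this thread does by hand, written as an added example that is not part of the original messages or of Openswan: a small lint that checks a conn's ike=/esp= proposals and lifetimes against the peer's parameter sheet. The peer values and the rule that esp= takes no DH group are taken from the messages above; the DH_GROUPS table, the function names, and treating an explicit key size as something to confirm with the peer are assumptions of this example.

```python
# Added example: lint an Openswan conn against the peer's parameter sheet.
# Assumption: DH group number -> modp name used in ike= (group 2 = 1024-bit MODP).
DH_GROUPS = {2: "modp1024", 5: "modp1536", 14: "modp2048"}
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed input: proposal and lifetime lines of the conn in the question.
SAMPLE_CONN = """
conn VPN
    ikelifetime=28800s
    keylife=3600s
    ike=aes256-sha1-modp1024
    esp=aes256-sha1-modp1024
"""
# Peer parameters as listed in the original question (no AES key size given).
PEER = {"cipher": "aes", "hash": "sha1", "dh_group": 2,
        "ikelifetime": 28800, "keylife": 3600}

def parse_conn(text):
    """Return {option: value} for the key=value lines of one conn section."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def seconds(value):
    """Convert a lifetime such as 28800s or 8h to seconds."""
    return int(value[:-1]) * UNITS[value[-1]] if value[-1:] in UNITS else int(value)

def check_conn(opts, peer):
    """Return a list of findings; an empty list means the conn matches the sheet."""
    findings = []
    for name in ("ike", "esp"):
        parts = opts.get(name, "").split("-")
        cipher = parts[0].rstrip("0123456789")  # aes256 -> aes
        if cipher != peer["cipher"] or parts[1:2] != [peer["hash"]]:
            findings.append(f"{name}: cipher/hash differ from peer sheet")
        if parts[0] != cipher:
            size = parts[0][len(cipher):]
            findings.append(f"{name}: key size {size} set, confirm with peer")
        group = parts[2] if len(parts) > 2 else None
        if name == "esp" and group:
            findings.append(f"esp: remove {group}, no DH group in esp=")
        if name == "ike" and group != DH_GROUPS[peer["dh_group"]]:
            findings.append("ike: DH group differs from peer sheet")
    for key in ("ikelifetime", "keylife"):
        if key in opts and seconds(opts[key]) != peer[key]:
            findings.append(f"{key}: {opts[key]} differs from peer sheet")
    return findings
```

Calling `check_conn(parse_conn(SAMPLE_CONN), PEER)` returns the findings for the conn as first posted; the same conn with `ike=aes-sha1-modp1024` and `esp=aes-sha1` returns an empty list.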