[Openswan Users] connection problem

emmanuel trillaud etrillaud at ntsys.fr
Wed Jan 7 09:36:25 EST 2009


Hello,
I'm trying to configure a VPN and I have some problems during connection.

--- conf file

# basic configuration
# Openswan ipsec.conf: one "config setup" section for the daemon, then one
# "conn" section per tunnel. Public addresses are masked (91.xxx.xxx.xxx is
# this host, 83.xxx.xxx.xxx is the peer).
config setup
	# Every pluto debug class is enabled (the status output reports
	# raw+crypt+parsing+...). NOTE(review): the crypt class may write keying
	# material into the log, so scope this down once the problem is found.
	plutodebug="all"
	# klipsdebug="crypt pfkey natt"
 	klipsdebug="all"
 	#
 	# Only enable klipsdebug=all if you are a developer
 	#
 	# NOTE(review): klipsdebug and the ipsec0 interface mapping below belong to
 	# the KLIPS stack; with protostack=netkey they are presumably ignored (the
 	# status output lists eth0/eth0 rather than ipsec0) -- confirm.
 	interfaces="ipsec0=eth0"
	protostack=netkey
 	# NAT-TRAVERSAL support, see README.NAT-Traversal
 	nat_traversal=no
 	#virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,!%v4:10.1.0.0/24,!%v4:192.168.0.0/24,!%v4:10.114.6.248/249
 	# NOTE(review): the last exclusion above ends in /249, which is not a valid
 	# prefix length (rightsubnet below is 10.114.6.248/29); fix before enabling.
 	#
	# enable this if you see "failed to find any available worker"
	nhelpers=0
 	# IKE identity presented to the peer; the status output echoes it as %myid.
 	myid=91.xxx.xxx.xxx															
# Add connections here
#
#connection DGFIP
# Site-to-site tunnel 10.1.0.0/24 (this host) <-> 10.114.6.248/29 (peer),
# authenticated with a pre-shared key (status shows policy PSK+ENCRYPT+TUNNEL+UP).
conn dgfip
	type=tunnel
	# Perfect Forward Secrecy is disabled for the IPsec (phase 2) SA.
	# NOTE(review): keep this only if the peer really requires it -- confirm.
	pfs=no
	# Give up after 3 keying attempts (status shows keyingtries: 3).
	keyingtries=3
	#disablearrivalcheck=no
	# preference : cipher=3des hash=md5 DH group 2
	#ike=aes-sha1,aes-md5,3des-sha1,3des-md5,3des-sha1-modp1024,3des-md5-modp1024,aes-sha1-modp1536,aes-md5-modp1536,3des-sha1-modp1536,3des-md5-modp1536
	# Phase 1 (IKE) proposals in preference order. 3DES, MD5 and MODP1024 are
	# the weakest choices the daemon lists; prefer AES/SHA1 with a larger group
	# where the peer allows it. NOTE(review): the status output's "IKE algorithms
	# wanted" shows only the four 3DES proposals, not the two AES ones at the end
	# of this line -- the log may predate this edit; re-check with
	# `ipsec auto --status`.
        ike=3des-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1536,3des-md5-modp1536,aes-sha1-modp1024,aes-sha1-modp1536
	# Phase 2 (ESP) proposals; flags=strict in the status output presumably
	# means only these exact combinations are accepted -- confirm.
	esp=aes-sha1,aes-md5,3des-sha1,3des-md5
	# Pre-shared key authentication; the key for this left/right pair is
	# presumably in ipsec.secrets -- verify it is present on both ends.
	authby=secret
	left=91.xxx.xxx.xxx	
	# Source address for traffic originating on this host (inside leftsubnet).
	leftsourceip=10.1.0.1
	leftsubnet=10.1.0.0/24
	#leftnexthop=91.xxx.xxx.xxx
	right=83.xxx.xxx.xxx
	rightsubnet=10.114.6.248/29
 	rightsourceip=10.114.6.249
	# Bring the tunnel up when the daemon starts.
	auto=start
#
# sample VPN connections, see /etc/ipsec.d/examples/
#
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
#

---Log file

000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 91.xxx.xxx.xxx
000 interface eth0:0/eth0:0 91.xxx.xxx.xxx
000 interface eth0/eth0 192.168.1.1
000 interface eth0/eth0 10.1.0.1
000 interface eth0/eth0 10.1.0.2
000 interface eth0:1/eth0:1 91.xxx.xxx.xxx
000 interface eth0:2/eth0:2 91.xxx.xxx.xxx
000 interface eth0:3/eth0:3 91.xxx.xxx.xxx
000 %myid = 91.xxx.xxx.xxx
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000  
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1,36} trans={0,1,108} attrs={0,1,72} 
000  
000 "dgfip": 10.1.0.0/24===91.x.x.x...83.x.x.x===10.114.6.248/29; prospective erouted; eroute owner: #0
000 "dgfip":     srcip=10.1.0.1; dstip=10.114.6.249; srcup=ipsec _updown; dstup=ipsec _updown;
000 "dgfip":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "dgfip":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,29; interface: eth0; encap: esp;
000 "dgfip":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "dgfip":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1024(2), 3DES_CBC(5)_000-MD5(1)-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1536(5); flags=strict
000 "dgfip":   IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5)
000 "dgfip":   ESP algorithms wanted: AES(12)_000-SHA1(2), AES(12)_000-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000 "dgfip":   ESP algorithms loaded: AES(12)_000-SHA1(2), AES(12)_000-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000  
000 #1: "dgfip":500 STATE_MAIN_I3 (sent MI3, expecting MR3); none in -1s; lastdpd=-1s(seq in:0 out:0)
000 #1: pending Phase 2 for "dgfip" replacing #0



I don't really understand what the "000" in 3DES_CBC(5)_000(2) means, and
why it seems to be problematic with
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2).
I also don't understand the last two lines, which seem to indicate a problem.

I would appreciate your insight here.

Best regards

-- 
Emmanuel Trillaud
mel : etrillaud at ntsys.fr


