[Openswan Users] Ipsec Server Configuration

Paul Wouters paul at xelerance.com
Fri Oct 30 23:43:29 EDT 2009


On Fri, 30 Oct 2009, Walter Hansen wrote:

> Once again we seem to be having troubles getting a secure tunnel going
> between a Linux server and a Cisco 3000 router.
> New Server: Fedora Core 8 Openswan 2.4.9-2.fc8

That's not "new". That's very old. Don't expect it to work with modern
client operating systems.

> 117 "prod-sms" #111: STATE_QUICK_I1: initiate
> 010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 20s for
> response
> 010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 40s for

The other end rejected you. Check its logs.

> Yes we will drop connections that do not match the security associations as
> we see in our logs. Not sure which SA but please review your
> configs/encryption properties and make sure they match the document I sent
> you. You said you copied configs from one server to another; I usually build
> each tunnel individually, could this be the problem?

The defaults might have changed. openswan 2.2 might have used 3des-md5 or
modp1024 where openswan 2.4.x might have used aes-sha1 or modp1536. Check
that document.

> 15302 10/27/2009 23:06:00.190 SEV=8 IKEDBG/96 RPT=10363 208.109.86.109
> Received encrypted packet with no matching SA, dropping

That's odd. I am not sure why you are seeing that. Are there more tunnels to
the same end?

> # basic configuration
> config setup
>        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>        # klipsdebug=none
>        # plutodebug="control parsing"

No nat configured here, so if you are behind nat, it won't work.

> conn prod-sms
>        left=208.109.86.109
>        leftsubnet=208.109.86.0/24
>        leftnexthop=208.109.86.254
>        right=216.160.25.121
>        rightid=216.160.25.121
>        rightsubnet=206.220.212.0/24

Which I think there is or else you cannot be the ipsec endpoint for
the subnet you are trying to protect.

>        xauth=no
>        type=tunnel
>        keyexchange=ike
>        ike=3des-md5-modp1024

Perhaps try adding esp=3des-md5 too?

Paul
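Added example (not from the thread or the Openswan project): a small triage script over pluto log lines of the shape quoted above. It distinguishes a negotiation stuck retransmitting in STATE_QUICK_I1 (phase 1 done, peer silently dropping the phase 2 proposal, as in this thread) from one that reached STATE_QUICK_I2, and, going beyond the thread, from one that never got a phase 1 reply. The log lines are constructed samples modelled on the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample pluto log lines, modelled on the excerpt in the thread
# (status code, connection name, state instance number, state, message).
SAMPLE_LOG = """\
117 "prod-sms" #111: STATE_QUICK_I1: initiate
010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "prod-sms" #111: STATE_QUICK_I1: retransmission; will wait 40s for response
117 "other-site" #5: STATE_QUICK_I1: initiate
004 "other-site" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
010 "dead-peer" #7: STATE_MAIN_I1: retransmission; will wait 20s for response
"""

LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (STATE_\w+): (.*)$')

def parse_pluto_lines(text):
    """Yield (conn, instance, state, message) for each line that matches."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _code, conn, inst, state, msg = m.groups()
            yield conn, int(inst), state, msg

def diagnose(text):
    """Return {(conn, instance): verdict} for every negotiation in the log."""
    seen = defaultdict(set)
    retrans = defaultdict(int)
    for conn, inst, state, msg in parse_pluto_lines(text):
        seen[(conn, inst)].add(state)
        if msg.startswith("retransmission"):
            retrans[(conn, inst)] += 1
    verdicts = {}
    for key, states in seen.items():
        if "STATE_QUICK_I2" in states or "STATE_QUICK_R2" in states:
            verdicts[key] = "phase2-established"
        elif "STATE_QUICK_I1" in states and retrans[key] > 0:
            # Phase 1 completed (we reached quick mode) but the peer never
            # answered QI1: typical of a rejected phase 2 proposal (esp=,
            # PFS or subnet mismatch). The actual reason is in the peer's logs.
            verdicts[key] = "phase2-no-response"
        elif "STATE_MAIN_I1" in states and retrans[key] > 0:
            # No phase 1 reply at all: peer unreachable, UDP/500 filtered,
            # or an ike= proposal the peer will not accept.
            verdicts[key] = "phase1-no-response"
        else:
            verdicts[key] = "in-progress"
    return verdicts
```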

