[Openswan Users] Openswan and V-IPSecure

JT Edwards tstrike34 at gmail.com
Wed Sep 2 07:45:16 EDT 2009


Been up all night and discovered that V-IPSecure uses Racoon as part of its embedded VPN solution. Now that I understand that it makes things pretty clear.... 

I did some research, Paul, and discovered that you commented about this very subject this time last year (July '08, to be exact). What is the exact syntax for the use of AH in the ipsec.conf file? I looked at the ipsec.conf man page, which reads:

phase2
    Sets the type of SA that will be produced. Valid options are: esp for encryption (the default), and ah for authentication only.

phase2alg
    Specifies the algorithms that will be offered/accepted for a phase2 negotiation. If not specified, a secure set of defaults will be used.
    The format for ESP is ENC-AUTH followed by an optional PFSgroup. For instance, "3des-md5" or "aes256-sha1-modp2048".
    The format for AH is AUTH followed by an optional PFSgroup. For instance, "md5" or "sha1-modp1536".

I am confused about which option to use for Openswan. Could you point me in the right direction?



Thanks in advance.

JT



From: JT Edwards 
Sent: Wednesday, September 02, 2009 2:09 AM
To: users at openswan.org 
Subject: Openswan and V-IPSecure


To all:

I have researched all the material that is in the archives.

I configured V-IPSecure for IKE VPN with certificates. After following the instructions for generating certificates (including a key), I attempted to start a connection to an Openswan VPN gateway. We reach the 2nd stage of the IKE negotiation when I get these messages:

Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45.6 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: ignoring Vendor ID payload [KAME/racoon]
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 1 17:58:13 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: Main mode peer ID is ID_IPV4_ADDR: '22.45.'
Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: no suitable connection for peer '22.45.'
Sep 1 17:58:14 wizbang8 pluto[31132]: "ait-to-home"[1] 22.45. #1: sending encrypted notification INVALID_ID_INFORMATION to 22.45. :500

On the router, here is what the VPN log reads (I wish it were more verbose):

2009 Sep 1 18:47:31 [SRXN3205] [IKE] Ignore information because ISAKMP-SA has not been established yet._
2009 Sep 1 18:47:40 [SRXN3205] [IKE] The packet is retransmitted by 16.16.[500]._
2009 Sep 1 18:47:40 [SRXN3205] [IKE] Ignore information because ISAKMP-SA has not been established yet._
- Last output repeated twice -
2009 Sep 1 18:47:46 [SRXN3205] [IKE] an undead schedule has been deleted: 'isakmp_chkph1there'._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] IPSec configuration with identifer "ait_torden" deleted sucessfully_
2009 Sep 1 18:47:46 [SRXN3205] [IKE] no phase2 bounded._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] Purged ISAKMP-SA with spi=f3a834564cf15bf4:a5645e2c7414e4fd._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] an undead schedule has been deleted: 'purge_remote'._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] an undead schedule has been deleted: 'isakmp_ph1resend'._
2009 Sep 1 18:47:46 [SRXN3205] [IKE] IKE configuration with identifier "wizbang8" deleted sucessfully_
2009 Sep 1 18:48:00 [SRXN3205] [IKE] The packet is retransmitted by 209.198.[500]._

I followed the cert instructions to a T.... Where am I going wrong? Is there some way I can see what is being transmitted to the Openswan server and what it is sending back?
Here is what I am trying to do... I am trying to get my SRXN3207 to connect to an Openswan VPN server using certificates.... The vendor ID in the IKE negotiation identifies V-IPSecure as a racoon vendor.

I guess I could look up racoon to openswan VPN gateway to gateway connections.

PSK is rather insecure and at times doesn't work.
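The two questions in this thread, the ipsec.conf syntax for AH and the "no suitable connection for peer" failure, can both be illustrated with one certificate-authenticated conn. The block below is an added example written for this post; it is not from the original mail, the Openswan project, or the V-IPSecure documentation. The conn name, addresses (RFC 5737 documentation ranges), certificate file name and DNs are constructed placeholders. Keywords and values are the ones the quoted man page and Openswan 2.6-era ipsec.conf(5) define: phase2=ah selects an AH SA, and phase2alg for AH is AUTH plus an optional PFS group, so "sha1-modp1536" rather than an ENC-AUTH pair.

```ini
# /etc/ipsec.conf -- added example, not the poster's or the project's own config.
# Names, addresses and DNs below are constructed placeholders.

version 2.0

config setup
	# Keep pluto logging on while debugging an IKE failure; set to none in production.
	plutodebug=control
	nat_traversal=no

conn ait-to-home
	type=tunnel
	# Certificate (RSA signature) authentication instead of a PSK.
	authby=rsasig
	left=192.0.2.1
	leftsubnet=192.0.2.0/24
	leftcert=wizbang8Cert.pem          # constructed file name under /etc/ipsec.d/certs
	leftrsasigkey=%cert
	leftsendcert=always
	leftid="C=US, O=Example, CN=wizbang8"     # constructed DN; must match leftcert's subject
	right=198.51.100.7
	rightsubnet=198.51.100.0/24
	rightrsasigkey=%cert
	rightca=%same
	# pluto matches the peer's IKE ID payload against rightid. The log in this
	# thread shows the peer identifying as ID_IPV4_ADDR, which will not match a
	# DN here; the peer's ID type and rightid have to agree, whichever side is
	# changed. A bare IPv4 address in rightid is matched as an address ID.
	rightid="C=US, O=Example, CN=srxn3205"    # constructed DN of the router's cert

	# Phase 1 proposal (IKE SA).
	ike=3des-sha1-modp1536

	# AH instead of ESP: integrity and origin authentication only, no confidentiality.
	# Use this only when the payload really does not need encryption.
	phase2=ah
	phase2alg=sha1-modp1536            # AUTH + optional PFS group, per the man page
	pfs=yes

	auto=add
```

For comparison, the same conn with encryption would use phase2=esp (the default) and an ENC-AUTH string such as phase2alg=aes128-sha1-modp1536. Checking the pluto log for the "Main mode peer ID is ..." line and comparing it against rightid is the quickest way to confirm whether the ID mismatch, rather than the certificates themselves, is what produces INVALID_ID_INFORMATION.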
