[Openswan Users] IKE / ESP options

Danilo Godec danilo.godec at agenda.si
Fri Apr 30 03:17:43 EDT 2010


On 29. 04. 2010 20:58, Paul Wouters wrote:
> On Thu, 29 Apr 2010, Danilo Godec wrote:
>
>> I'm having trouble with some IKE / ESP options. We need to create an
>> IPSEC VPN and we're supposed to set it up like this:
>
> You have algos you need. You will have to show us more of your problem
>
> Paul

Well, this is what I get in logs without 'debug':

> Apr 30 09:14:22 fw pluto[15466]: packet from 213.229.192.76:500: received Vendor ID payload [Dead Peer Detection]
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: responding to Main Mode
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: transition from state (null) to state STATE_MAIN_R1
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: ignoring informational payload, type IPSEC_INITIAL_CONTACT
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: Main mode peer ID is ID_IPV4_ADDR: '213.229.192.76'
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #4: sent MR3, ISAKMP SA established
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #5: no acceptable Proposal in IPsec SA
> Apr 30 09:14:22 fw pluto[15466]: "mytunnel-net" #5: sending encrypted notification NO_PROPOSAL_CHOSEN to 213.229.192.76:500


Unfortunately I have other active tunnels and if I set 'klipsdebug' or
'plutodebug' to 'all' I get flooded with messages. Is there a way to
enable debugging just for one of the tunnels?

  Danilo



>
>>>
>>> ************************************************
>>> Authentication algorithm: HMAC-SHA1-96
>>> Encryption: AES_CBC 256-bit
>>> PFS: DH-Group2
>>> Lifetime: 22800 sec
>>>
>>>    IKE:
>>>
>>> Authentication algorithm: SHA 256-bit
>>> Encryption: AES-CBC 256-bit
>>> Diffie-Hellman Group: Group 2
>>> IKE Lifetime: 86400 sec
>>> ************************************************
>>
>> The 'ipsec auto --status' says this:
>>
>>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=168, keysizemax=168
>>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>>> 000
>>> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
>>> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
>>> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
>>> 000 algorithm IKE encrypt: id=6, name=OAKLEY_CAST_CBC, blocksize=8, keydeflen=128
>>> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
>>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
>>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
>>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
>>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>>> 000 algorithm IKE dh group: id=1, name=OAKLEY_GROUP_MODP768, bits=768
>>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>>
>> I tried to set 'ike', 'esp' and 'pfsgroup' parameters, but had no
>> success:
>>
>>        ike=aes256
>>        esp=aes256-sha1
>>        pfsgroup=modp1024
>>        ikelifetime=86400s
>>        keylife=28800s
>>
>>
>> After adding the connection, the 'ipsec auto --status' says:
>>
>>> 000 "mytunnel-net":   newest ISAKMP SA: #2843; newest IPsec SA: #0; eroute owner: #0
>>> 000 "mytunnel-net":   IKE algorithms wanted: 7_256-1-5, 7_256-2-5, 7_256-1-2, 7_256-2-2, 7_256-1-1, 7_256-2-1, flags=-strict
>>> 000 "mytunnel-net":   IKE algorithms found:  7_256-1_128-5, 7_256-2_160-5, 7_256-1_128-2, 7_256-2_160-2, 7_256-1_128-1, 7_256-2_160-1,
>>> 000 "mytunnel-net":   IKE algorithm newest: AES_CBC_256-SHA2_256-MODP1024
>>> 000 "mytunnel-net":   ESP algorithms wanted: 12_256-2, ; pfsgroup=2; flags=-strict
>>> 000 "mytunnel-net":   ESP algorithms loaded: 12_256-2, ; pfsgroup=2; flags=-strict
>>
>>
>> What options should I use to fulfill the above requirements? Does my
>> OpenSwan support those algorithms at all?
>>
>> Best regards, Danilo
>>
>>


-- 
Danilo Godec, system administration

Suggestion! Visit our updated web page at www.agenda.si

OPEN SOURCE AND LINUX
SERVICES : BUSINESS SOLUTIONS : IT MANAGEMENT : IT INFRASTRUCTURE : TRAINING : SOFTWARE
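The "IKE algorithms wanted: 7_256-1-5, ..." lines above are hard to read by eye, so here is an added Python helper (not from the thread, not part of Openswan) that decodes that notation with the id tables the quoted `ipsec auto --status` output lists, and lets you check whether a connection's wanted proposals contain a required combination. It assumes ESP encrypt id 12 is AES (the IANA ESP transform id; the quoted ESP list only shows 3DES), and uses the two status lines from the thread as sample input.

```python
"""Decode Openswan's compact `ipsec auto --status` proposal notation (e.g. "7_256-2-5")
and check a connection's 'wanted' proposals against a required policy."""
import re

# Id tables from the status output quoted in this thread; ESP encrypt id 12 = AES
# is the IANA ESP transform id (an assumption, it is not in the quoted list).
IKE_ENCRYPT = {3: "BLOWFISH_CBC", 5: "3DES_CBC", 6: "CAST_CBC", 7: "AES_CBC"}
IKE_HASH = {1: "MD5", 2: "SHA1", 4: "SHA2_256", 6: "SHA2_512"}
DH_GROUP = {1: "MODP768", 2: "MODP1024", 5: "MODP1536", 14: "MODP2048"}
ESP_ENCRYPT = {3: "3DES", 12: "AES"}
ESP_AUTH = {1: "HMAC_MD5", 2: "HMAC_SHA1"}

# Sample input: the two 'wanted' status lines quoted in the thread.
STATUS = [
    '000 "mytunnel-net":   IKE algorithms wanted: 7_256-1-5, 7_256-2-5, '
    '7_256-1-2, 7_256-2-2, 7_256-1-1, 7_256-2-1, flags=-strict',
    '000 "mytunnel-net":   ESP algorithms wanted: 12_256-2, ; pfsgroup=2; flags=-strict',
]
# One token: enc_keylen then -id parts; 'found' lines add _keylen to the hash id.
TOKEN = re.compile(r"\b\d+_\d+(?:-\d+(?:_\d+)?)+")

def decode_ike(token):
    """'7_256-2-5' -> ('AES_CBC', 256, 'SHA1', 'MODP1536')."""
    enc, hsh, grp = token.split("-")
    enc_id, keylen = (int(x) for x in enc.split("_"))
    hsh_id, grp_id = int(hsh.split("_")[0]), int(grp)
    return (IKE_ENCRYPT.get(enc_id, f"ENC_{enc_id}"), keylen,
            IKE_HASH.get(hsh_id, f"HASH_{hsh_id}"), DH_GROUP.get(grp_id, f"GROUP_{grp_id}"))

def decode_esp(token):
    """'12_256-2' -> ('AES', 256, 'HMAC_SHA1')."""
    enc, auth = token.split("-")
    enc_id, keylen = (int(x) for x in enc.split("_"))
    return (ESP_ENCRYPT.get(enc_id, f"ENC_{enc_id}"), keylen, ESP_AUTH.get(int(auth), f"AUTH_{auth}"))

def proposals(status, conn, phase):
    """Decoded 'wanted' proposals of one connection; phase is 'IKE' or 'ESP'."""
    decode = decode_ike if phase == "IKE" else decode_esp
    for line in status:
        if line.startswith(f'000 "{conn}":') and f"{phase} algorithms wanted:" in line:
            return [decode(t) for t in TOKEN.findall(line.split("wanted:", 1)[1])]
    return []

def pfs_group(status, conn):
    """Phase 2 PFS group of a connection, read from its ESP status line."""
    for line in status:
        m = re.search(r"pfsgroup=(\d+)", line)
        if line.startswith(f'000 "{conn}":') and m:
            return DH_GROUP.get(int(m.group(1)), f"GROUP_{m.group(1)}")
```

On the lines from the thread, `("AES_CBC", 256, "SHA2_256", "MODP1024") in proposals(STATUS, "mytunnel-net", "IKE")` is False (the wanted list only carries MD5 and SHA1 as IKE hashes), while the ESP side decodes to AES 256 with HMAC_SHA1 and PFS group MODP1024.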
