[Openswan Users] Ipsec configuration Lucent VPN Gateway with OpenSwan or others (Lucent IPSec Client 9.2.0 in Windows XP)
Oscar Barrios
srbarrios at gmail.com
Fri Feb 19 17:17:01 EST 2010
Hello,
I want to connect my laptop (running Ubuntu) to the VPN of the enterprise,
but I don't know how I must configure ipsec.conf.
At the moment I have this config, but it doesn't work:
--------------------------------------------------------------
conn Intranet
ike=aes256-sha1-modp1024
phase2alg=aes256-sha1
aggrmode=no
keyexchange=ike
ikelifetime=24h
auth=esp
type=tunnel
authby=secret
left=192.168.2.100
leftmodecfgclient=yes
leftxauthclient=yes
leftid="obarrios"
right=62.xx.xx.xx
rightmodecfgserver=yes
rightxauthserver=yes
modecfgpull=yes
pfs=yes
compress=yes
auto=add
------------------------------------------------------
oscar at ob22:~$ sudo ipsec auto --status
(...)
000 "Intranet":
192.168.2.100<192.168.2.100>[62.210.183.9,+MC+XC+S=C]...62.14.231.67<62.14.231.67>[MS+XS+S=C];
unrouted; eroute owner: #0
000 "Intranet": myip=unset; hisip=unset;
000 "Intranet": ike_life: 86400s; ipsec_life: 28800s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "Intranet": policy:
PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+MODECFGPULL+IKEv2ALLOW; prio:
32,32; interface: wlan0;
000 "Intranet": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Intranet": IKE algorithms wanted:
AES_CBC(7)_256-SHA1(2)-MODP1536(5); flags=-strict
000 "Intranet": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-5,
000 "Intranet": ESP algorithms wanted: AES(12)_256-SHA1(2); flags=-strict
000 "Intranet": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
<----------- This is the problem?
000
000 #2: "Intranet":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "Intranet" replacing #0
---------------------------------------------------------------------------------------------------------------------------------------------
In the Windows client you can only configure:
Primary Tunnel End Point, User Identity, Password, Group Key
Specifications of client:
--------------------------------
http://enterprise.alcatel-lucent.com/?product=IPSecClient&page=technical
Supported Standards
* IPSec Encapsulating Security Payload (ESP) with DES, Triple-DES,
and AES-128, AES-192, and AES-256
* IPSec Authentication Header (AH) with HMAC-MD5 and HMAC SHA-1
authentication
* Diffie-Hellman Group 1, 2, 5, 14, and 15
* IPComp (LZS compression)
* X.509
* PKCS #12
User Authentication
* Local passwords, RADIUS, SecurID, X.509 digital certificates
with PKI PKCS #12 and PFX standard
* CAPI Store Integration
* Automatic LDAP certificate retrieval
RADIUS Parameter Download
User-specific parameters configurable in administrator's RADIUS
database applicable to IPSec Client user tunnels:
* Local Presence address
* Primary/Secondary DNS
* Primary/Secondary WINS
* Login Timeout
* Idle Timeout
* User Group
Notifications
* Delivers administrator-specified message when tunnel
established, must be acknowledged to continue
Software Upgrade Management
* Notifies when Client upgrade is available, single click upgrades
IPSec Client software with newer version
Logging
* Maintains local logs of connection attempts, including detailed
IKE and IPSec negotiation
Tray Icon
* Indicates tunnel activity, firewall setting in effect and
provides continuous traffic statistics
DNS/WINS
* Automatically configures local primary and secondary DNS (Domain
Name Server) and WINS (Windows Information Name Server) addresses
This is what appears when I'm connected in Windows:
-------------------------------------------------------------------------------------------------------------------------------------
02/05/10 10:33:58 IKE/IKE Started Enable Secure Access to TEP: Oesia
(62.xx.xx.xx) for user obarrios
10:33:59 IKE/IKE Source IP Address, Port for IKE : 192.168.2.100, 1624
10:33:59 IKE/IKE Contacted VPN gateway (62.xx.xx.xx)
10:33:59 IKE/IKE User Authentication Successful.
10:34:00 IKE/IKE Tunnel Parameters received from gateway are:
Encryption : AES256 CBC Authentication : SHA1
Tunnel transport method: Standard
Authentication Timeout: 60 Minutes
Heartbeat Interval: 300 Seconds
Internal IP for local presence :192.168.1.37
Pri. DNS :10.95.0.4 Sec. DNS :0.0.0.0
Pri. WINS :0.0.0.0 Sec. WINS :0.0.0.0
HostList: 192.168.1.0-192.168.1.255,10.95.0.0-10.95.255.255,10.237.17.0-10.237.17.255,192.168.1.37,
Tunnel administrator allows you to save password
Orig Pri. WINS : Orig Sec. WINS :
Firewall Policy: Allow All Traffic
02/05/10 10:34:00 IKE/IKE IPSec SA SPIs: Inbound: 0x 7646,
Outbound: 0x 38101010
02/05/10 10:34:00 IKE/IKE Successfully established VPN Tunnel to TEP
62.xx.xx.xx for User obarrios
-----------------------------------------------------------------------------------------------------------------------------------------
Any idea of a configuration or solution to connect to the VPN?
Help please!
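A small diagnostic over the config and the `ipsec auto --status` output quoted in the post, added here as an example (it is not Openswan code and not part of the original thread). It reads the conn's ike= line and the status excerpt, reassembled onto single lines as constructed sample input, and reports two things a reader of the thread would check: the DH group pluto says it wants differs from the one written in ike=, and SA #2 is sitting in STATE_MAIN_I1 retransmitting, i.e. the gateway has not answered the first main-mode message.

```python
import re

# Constructed sample: the relevant lines of the posted ipsec.conf and the
# status output, with the wrapped status lines joined back together.
IPSEC_CONF = """conn Intranet
ike=aes256-sha1-modp1024
phase2alg=aes256-sha1
aggrmode=no
authby=secret
"""

STATUS = """000 "Intranet":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)-MODP1536(5); flags=-strict
000 "Intranet":   ESP algorithms wanted: AES(12)_256-SHA1(2); flags=-strict
000 #2: "Intranet":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
"""

# DH group names as pluto prints them in status -> as written in ipsec.conf
DH_GROUPS = {"MODP1024": "modp1024", "MODP1536": "modp1536", "MODP2048": "modp2048"}


def conf_values(conf):
    """Return {key: value} for the 'key=value' lines of one conn block."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", conf, re.M))


def status_ike_group(status):
    """DH group pluto reports under 'IKE algorithms wanted', e.g. 'MODP1536'."""
    m = re.search(r"IKE algorithms wanted:.*?(MODP\d+)\(\d+\)", status)
    return m.group(1) if m else None


def diagnose(conf, status):
    """Compare the configured phase-1 proposal with what pluto reports and
    look for a phase-1 exchange that never got a reply."""
    findings = []
    ike = conf_values(conf).get("ike", "")
    conf_group = ike.split("-")[-1] if ike else None
    wanted = status_ike_group(status)
    if wanted and conf_group and DH_GROUPS.get(wanted) != conf_group:
        findings.append(f"ike= asks for {conf_group} but pluto proposes {wanted}")
    if re.search(r"STATE_MAIN_I1 .*EVENT_RETRANSMIT", status):
        findings.append("stuck in STATE_MAIN_I1: no MR1 from the gateway, phase 1 unanswered")
    return findings


if __name__ == "__main__":
    for line in diagnose(IPSEC_CONF, STATUS):
        print(line)
```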