[Openswan Users] esp string error: enc_alg not found

Steve Zeng SteveZ at airg.com
Tue May 18 12:42:49 EDT 2010 

Unfortunetely there is nothing I can configure on amazon side. All I got is the following instruction. So I think there maybe something missing on my side. Because I did not figured out the tunnel interface part yet. i.e. there is no tunnel interface up. or maybe I am in a dead corner?

IPSec Tunnel #1
================================================================================

#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : jjwzQIHrPjr.ec31DU_ZGvucsE5lVikIZDZcqAkm
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1396 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the VPN Gateway.

Additionally, the VPN Gateway and Customer Gateway establish the BGP
peering from your tunnel interface.

The Customer Gateway and VPN Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface.

Outside IP Addresses:
  - Customer Gateway:        : 209.190.164.199
  - VPN Gateway              : 72.21.109.125

Inside IP Addresses
  - Customer Gateway         : 169.254.255.2/30
  - VPN Gateway              : 169.254.255.1/30



-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: May 17, 2010 6:40 PM
To: Steve Zeng
Cc: users at openswan.org
Subject: RE: [Openswan Users] esp string error: enc_alg not found

On Mon, 17 May 2010, Steve Zeng wrote:

> Looks like it.
>
> When I run "ipsec barf" and I got:
>
> May 18 00:12:31 fw1 pluto[8441]: "ec2-tunnel-01" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message

Thats from your older log entry, not the later one.

> from tcpdump, I got:
> 00:31:51.202107 IP 209.190.164.199.isakmp > 72.21.109.125.isakmp: isakmp: phase 1 ? ident[E]
> 00:32:31.555349 IP 209.190.164.199.isakmp > 72.21.109.125.isakmp: isakmp: phase 1 I ident
> 00:32:32.046162 IP 72.21.109.125.isakmp > 209.190.164.199.isakmp: isakmp: phase 1 R ident
> 00:32:32.154102 IP 209.190.164.199.isakmp > 72.21.109.125.isakmp: isakmp: phase 1 I ident
> 00:32:32.253277 IP 72.21.109.125.isakmp > 209.190.164.199.isakmp: isakmp: phase 1 R ident
> 00:32:32.365140 IP 209.190.164.199.isakmp > 72.21.109.125.isakmp: isakmp: phase 1 I ident[E]
> 00:32:32.471635 IP 72.21.209.225.isakmp > 209.190.164.199.isakmp: isakmp: phase 2/others R inf

That's all encrypted and we cannot see anything from it.

> It seems the amazon ask for something but openswan could not understand and so the handshake stopped. I don't see anywhere of ipsec.conf that I can put phase2 configurations. Do I need the tunnel interfaces to be configured manually on openswan side for this to work?

If this is with the amazon cloud, then there is NAT involved and you have to configure that,
and initiate from the cloud to your end, not the other way around.

Paul

More information about the Users mailing list