[Openswan Users] Interoperability between openswan and HPUX-IPSEC.
Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security)
murali-mohan.chakravarthy at hp.com
Tue Aug 23 09:49:26 EDT 2011
I'm a newbie to Openswan, and I'm trying to see if Openswan and HPUX can interoperate with each other.
I'm successful to some extent, but not completely.
Here is the issue I'm facing.
I'm able to form an IKEv1 SA successfully but not able to form an IPsec SA. The IPsec SA is formed in larval state but doesn't get established.
The intention is to secure telnet between the two machines.
Can someone help? If you need more information, I would be happy to provide it.
Here is the info.
[root@rtrbl2 ~]# setkey -D
esp mode=transport spi=2787419998(0xa624a75e) reqid=16389(0x00004005)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Aug 23 18:47:47 2011 current: Aug 23 18:48:16 2011
diff: 29(s) hard: 30(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=5961 refcnt=0
Here is my /etc/ipsec.conf file
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
# Do not set debug options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# plutodebug="control parsing"
# Again: only enable plutodebug or klipsdebug when asked by a developer
# enable to get logs per-peer
# Enable core dumps (might require system changes, like ulimit -C)
# This is required for abrtd to work properly
# Note: incorrect SElinux policies might prevent pluto writing the core
# NAT-TRAVERSAL support, see README.NAT-Traversal
# exclude networks used on server side by adding %v4:!a.b.c.0/24
# It seems that T-Mobile in the US and Rogers/Fido in Canada are
# using %v4:25/8 as "private" address space on their 3G network.
# This range has not been announced via BGP (at least up to 2010-12-21)
# OE is now off by default. Uncomment and change to on, to enable.
# which IPsec stack to use. auto will try netkey, then klips then mast
# Add connections here
# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
# # Left security gateway, subnet behind it, nexthop toward right.
# # Right security gateway, subnet behind it, nexthop toward left.
# # To authorize this connection, but not actually start it,
# # at startup, uncomment this.
Following is my configuration on HPUX
ms10# ipsec_config show all
-source 192.168.0.197 /32/0-65535
-source 192.168.0.197 /32/23