[Openswan Users] Interoperability between openswan and HPUX-IPSEC.

Chakravarthy, Chintagunta Murali Mohan (HPUX-Network Security) murali-mohan.chakravarthy at hp.com
Tue Aug 23 09:49:26 EDT 2011


I'm a newbie to Openswan, I'm trying see if Openswan and HPUX can interoperate with each other.

Though I have been successful to some extent, I am not completely there yet.

Here is the issue I'm facing.

I'm able to form an IKEv1 SA successfully, but not able to form an IPsec SA. The IPsec SA is created in the larval state but never gets established.

The intention is to secure telnet between the two machines.

Can someone help? If you need more information, I would be happy to provide it.

Here is the info.

[root at rtrbl2 ~]# setkey -D
        esp mode=transport spi=2787419998(0xa624a75e) reqid=16389(0x00004005)
        seq=0x00000000 replay=0 flags=0x00000000 state=larval
        created: Aug 23 18:47:47 2011   current: Aug 23 18:48:16 2011
        diff: 29(s)     hard: 30(s)     soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=5961 refcnt=0

Here is my /etc/ipsec.conf file

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        # NAT-TRAVERSAL support, see README.NAT-Traversal
#       nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using %v4:25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least up to 2010-12-21)
#       virtual_private=%v4:,%v4:,%v4:,%v4:25/8
        # OE is now off by default. Uncomment and change to on, to enable.
        # which IPsec stack to use. auto will try netkey, then klips then mast
#       protostack=auto

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=
#               leftsubnet=
#               leftnexthop=
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=
#               rightsubnet=
#               rightnexthop=
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=add

conn hpux
#        ikev2=insist
#       ike=aes128-sha1;dh24

Following is my configuration on HPUX

ms10# ipsec_config show all
           -autoboot  OFF
           -auditlvl  ERROR
           -auditdir  /var/adm/ipsec
            -maxsize  100
            -spi_min  0x12c
            -spi_max  0x2625a0
           -spd_soft  25
           -spd_hard  50
 -icmp_error_process  OFF

                auth  RHEL
           -exchange  MM
           -priority  30
              -rtype  IPV4
                -kmp  ikev1
       -local_method  PSK
      -remote_method  PSK
          -preshared  ipsec1234

               ikev1  default
              -group  2
               -hash  MD5
         -encryption  3DES
               -life  28800
                -pfs  OFF

               ikev2  default
              -group  2
               -hash  HMAC-SHA1
         -encryption  3DES
                -prf  HMAC-SHA1
               -life  28800
                -pfs  OFF

                host  TO_RHEL
             -source  /32/0-65535
           -protocol  6
           -priority  40
             -action  ESP_3DES_HMAC_SHA1/28800/0
              -flags  NONE

                host  FROM_RHEL
             -source  /32/23
           -protocol  6
           -priority  50
             -action  ESP_3DES_HMAC_SHA1/28800/0
              -flags  NONE

                host  default
             -action  PASS

