[Openswan Users] Yet Another EC2 Config Debug

James Nelson james.nelson.ii at gmail.com
Thu Sep 8 16:18:16 EDT 2011


It seems as though things are getting close, but I'm stumped by this
apparent disconnect between the .conf and .secrets files.

First, the error messages when I try to start up the connection:

Sep  8 19:51:18 pluto[3535]: "ec2check" #1: Can't authenticate: no preshared
key found for `<EC2 ELASTIC IP>' and `<CLIENT GATEWAY>'.
 Attribute OAKLEY_AUTHENTICATION_METHOD
Sep  8 19:51:18 pluto[3535]: "ec2check" #1: no acceptable Oakley Transform
Sep  8 19:51:18 pluto[3535]: "ec2check" #1: sending notification
NO_PROPOSAL_CHOSEN to <CLIENT GATEWAY>:500

The necessary lines in the .conf:

        left=<EC2 LOCAL IP>
        leftid=<EC2 ELASTIC IP>
        leftnexthop=%defaultroute
        leftsubnet=10.5.5.5/32
        leftsourceip=10.5.5.5
        right=<CLIENT GATEWAY>
        rightsubnet=<CLIENT ED>/24

And the line in the .secrets:
<EC2 ELASTIC IP> <CLIENT GATEWAY>: PSK "HeyLookImStillAKey"

Anything wrong with these setups?

-James


On Thu, Sep 8, 2011 at 2:38 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Thu, 8 Sep 2011, James Nelson wrote:
>
>> I appreciate the assistance- removing the modp or commenting out the
>> phase2alg variable did nothing, but deleting the piece after
>> "3des-md5" in the ike variable caused it to work.  Is this going to cause
>> trouble later down the road?
>>
>
> No it probably won't.
>
>
>> Starting up the connection causes a hang, mainly from a "no preshared key
>> found" error between the two ips that are located in
>> the .secrets file.  The error follows up with a "no acceptable Oakley
>> Transform" and "no_proposal_chosen".  Is it not reading the
>> .secrets file correctly?
>>
>
> If you use leftid/rightid, those are the identifiers you need in
> ipsec.secrets. If you use IP addresses only, then those need to go in as
> identifiers. If you change ipsec.secrets then issue "ipsec secrets" or
> restart openswan.
>
> btw. I'm changing the reply-to: to go back to the list, as public
> discussion is how I distinguish between free and paid support.
>
> Cheers,
>
> Paul
>
>
>> Cheers,
>> -James
>>
>> On Thu, Sep 8, 2011 at 1:54 PM, Paul Wouters <paul at xelerance.com> wrote:
>>      On Thu, 8 Sep 2011, James Nelson wrote:
>>
>>> That would be a clever start :)  I'm getting a no conn found
>>> when I enter the auto --up command, which I have to imagine means
>>> there is something wrong with the conn code.  Am I writing the
>>> ike and phase two variables correctly?  There is the following
>>> error in my log:
>>> Sep  7 20:18:06 ipsec__plutorun: 034 esp string error: Non
>>> alphanum or valid separator found in auth string, \
>>> just after "3des-md5" (old_state=ST_AA)
>>
>>
>> try leaving out the modp specifier for the phase2/esp setting.
>>
>> You can test if the connection loads with "ipsec auto --add connname"
>>
>> Paul
>>
>
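The lookup rule Paul describes (the identifiers pluto searches for in ipsec.secrets are leftid/rightid when set, otherwise the left/right addresses) is easy to get wrong when left and leftid differ, as they do behind an EC2 elastic IP. The script below is an added example, not Openswan code, that models that rule on constructed data: a conn dictionary shaped like the .conf in the thread, and two constructed ipsec.secrets texts, one keyed on the local (private) address and one keyed on the leftid. It assumes a simplified matching rule (a `id1 id2: PSK "..."` line matches when both identifiers appear in its index list in either order, and a line with no identifiers or only %any matches everything); FQDN, @name identifiers and other real-pluto cases are not modelled.

```python
"""Model of the ipsec.secrets PSK lookup discussed in the thread.

Added example, not Openswan's code. Assumption: pluto looks up the pair
(leftid or left, rightid or right) and a PSK line matches when its index
list contains both identifiers (any order) or is empty / only %any.
"""
import re
import shlex

# Constructed sample conn mirroring the shape of the .conf in the thread
# (addresses are documentation ranges, not the poster's real ones).
CONN = {
    "left": "10.0.0.5",       # EC2 local (private) address
    "leftid": "203.0.113.7",  # EC2 elastic IP, what the peer sees
    "right": "198.51.100.9",  # client gateway
}

# Constructed secrets: first keyed on the private address (mismatch),
# second keyed on the leftid (what the conn actually uses).
SECRETS_KEYED_ON_LEFT = '10.0.0.5 198.51.100.9: PSK "HeyLookImStillAKey"\n'
SECRETS_KEYED_ON_LEFTID = (
    "# comment lines are ignored\n"
    '203.0.113.7 198.51.100.9: PSK "HeyLookImStillAKey"\n'
)

PSK_LINE = re.compile(r'^\s*(?P<ids>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def conn_identifiers(conn):
    """Return the (local, remote) identifier pair used for the PSK lookup."""
    local = conn.get("leftid") or conn["left"]
    remote = conn.get("rightid") or conn["right"]
    return local, remote


def parse_secrets(text):
    """Parse PSK lines into (frozenset_of_ids, psk); skip comments/others."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = PSK_LINE.match(line)
        if m:
            ids = frozenset(shlex.split(m.group("ids")))
            entries.append((ids, m.group("psk")))
    return entries


def find_psk(entries, local, remote):
    """Return the PSK covering (local, remote), or None if no entry matches."""
    for ids, psk in entries:
        if not ids or ids == {"%any"}:
            return psk  # catch-all entry
        if local in ids and remote in ids:
            return psk
    return None


def check_conn(conn, secrets_text):
    """Report what pluto would (per the modelled rule) find for this conn."""
    local, remote = conn_identifiers(conn)
    psk = find_psk(parse_secrets(secrets_text), local, remote)
    if psk is None:
        return "no preshared key found for '%s' and '%s'" % (local, remote)
    return "PSK found for '%s' and '%s'" % (local, remote)


if __name__ == "__main__":
    print(check_conn(CONN, SECRETS_KEYED_ON_LEFT))
    print(check_conn(CONN, SECRETS_KEYED_ON_LEFTID))
```

Run as-is it prints the "no preshared key found" form for the first secrets text and "PSK found" for the second; the difference is only which identifier the secrets line is keyed on, which is the check to make before chasing the later "no acceptable Oakley Transform" / NO_PROPOSAL_CHOSEN lines, since those follow from the failed authentication rather than from the cipher strings.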