[Openswan Users] Yet Another EC2 Config Debug
james.nelson.ii at gmail.com
Thu Sep 8 16:18:16 EDT 2011
It seems as though things are getting close, but I'm stumped by this
apparent disconnect between the .conf and .secrets files.
First, the error messages when I try to start up the connection:
Sep 8 19:51:18 pluto: "ec2check" #1: Can't authenticate: no preshared key found for `<EC2 ELASTIC IP>' and `<CLIENT GATEWAY>'.
Sep 8 19:51:18 pluto: "ec2check" #1: no acceptable Oakley Transform
Sep 8 19:51:18 pluto: "ec2check" #1: sending notification NO_PROPOSAL_CHOSEN to <CLIENT GATEWAY>:500
The necessary lines in the .conf:
left=<EC2 LOCAL IP>
leftid=<EC2 ELASTIC IP>
And the line in the .secrets:
<EC2 ELASTIC IP> <CLIENT GATEWAY>: PSK "HeyLookImStillAKey"
Anything wrong with these setups?
On Thu, Sep 8, 2011 at 2:38 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Thu, 8 Sep 2011, James Nelson wrote:
>> I appreciate the assistance- removing the modp or commenting out the
>> phase2alg variable did nothing, but deleting the piece after
>> "3des-md5" in the ike variable caused it to work. Is this going to cause
>> trouble later down the road?
> No it probably won't.
>> Starting up the connection causes a hang, mainly from a "no preshared key
>> found" error between the two ips that are located in
>> the .secrets file. The error follows up with a "no acceptable Oakley
>> Transform" and "no_proposal_chosen". Is it not reading the
>> .secrets file correctly?
> If you use leftid/rightid, those are the identifiers you need in
> ipsec.secrets. If you use IP addresses only, then those need to go in
> as identifiers. If you change ipsec.secrets then issue "ipsec secrets"
> or restart openswan.
> btw. I'm changing the reply-to: to go back to the list, as public
> discussion is how I distinguish between free and paid support.
>> On Thu, Sep 8, 2011 at 1:54 PM, Paul Wouters <paul at xelerance.com> wrote:
>>> On Thu, 8 Sep 2011, James Nelson wrote:
>>>> That would be a clever start :) I'm getting a no conn found
>>>> when I enter the auto --up command, which I have to imagine means
>>>> there is something wrong with the conn code. Am I writing the
>>>> ike and phase two variables correctly?
>>>> There is the following error in my log:
>>>> Sep 7 20:18:06 ipsec__plutorun: 034 esp string error: Non alphanum or valid separator found in auth string, just after "3des-md5" (old_state=ST_AA)
>>> try leaving out the modp specifier for the phase2/esp setting.
>>> You can test if the connection loads with "ipsec auto --add connname"
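The lookup rule Paul describes in the quoted reply (pluto keys the PSK on leftid/rightid when those are set, and on the left/right addresses otherwise) is easy to get wrong on EC2, where left is the private address and leftid is the elastic IP. The checker below is an added example for this thread, not Openswan's own code: it reads one conn from an ipsec.conf, works out which two identities pluto will present, and looks them up in an ipsec.secrets file the way the error message above implies. The conn name ec2check and the RFC 5737 sample addresses are constructed for illustration; treating the ID list on a secrets line as unordered, %any as a wildcard, an empty ID list as match-all, and the most specific line as the winner are assumptions of this checker, not something the thread states.

```python
"""Does ipsec.secrets hold a PSK for the identities a conn will present?

Added example, not Openswan code. Assumptions: secrets ID lists are
unordered, '%any' is a wildcard, an empty ID list matches everything,
and the most specific matching line wins. Sample addresses are
constructed from the RFC 5737 documentation ranges.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: EC2 instance behind NAT, so left is the private
# address and leftid is the elastic IP the peer actually sees.
SAMPLE_CONF = """\
config setup
    protostack=netkey

conn ec2check
    type=tunnel
    authby=secret
    left=10.0.0.5
    leftid=203.0.113.10
    leftsubnet=10.0.0.0/24
    right=198.51.100.7
    rightsubnet=192.168.1.0/24
    ike=3des-md5
    auto=add
"""

# Constructed secrets: keyed on the private address (wrong once leftid is
# set) versus keyed on the elastic IP that leftid names.
SAMPLE_SECRETS_WRONG = '10.0.0.5 198.51.100.7: PSK "HeyLookImStillAKey"\n'
SAMPLE_SECRETS_RIGHT = '203.0.113.10 198.51.100.7: PSK "HeyLookImStillAKey"\n'


def parse_conn(conf_text: str, name: str) -> Dict[str, str]:
    """Return the key=value settings of one conn section.
    (conn %default inheritance is out of scope for this example.)"""
    settings: Dict[str, str] = {}
    in_conn = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented: "conn NAME" or "config setup"
            in_conn = line.split() == ["conn", name]
            continue
        if in_conn and "=" in line:
            key, _, value = line.strip().partition("=")
            settings[key.strip()] = value.strip()
    return settings


def conn_ids(settings: Dict[str, str]) -> Tuple[str, str]:
    """Identities used for the PSK lookup: leftid/rightid if set,
    otherwise the left/right addresses (the rule from the reply)."""
    left = settings.get("leftid") or settings["left"]
    right = settings.get("rightid") or settings["right"]
    return left, right


SECRET_RE = re.compile(r'^(?P<ids>[^:]*):\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_secrets(secrets_text: str) -> List[Tuple[List[str], str]]:
    """Parse 'id1 id2 ... : PSK "secret"' lines into (ids, secret) pairs."""
    entries: List[Tuple[List[str], str]] = []
    for raw in secrets_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECRET_RE.match(line)
        if not m:
            raise ValueError(f"unparsed secrets line: {line!r}")
        entries.append((m.group("ids").split(), m.group("psk")))
    return entries


def find_psk(entries: List[Tuple[List[str], str]],
             left_id: str, right_id: str) -> Optional[str]:
    """Pick the PSK whose ID list covers both identities (assumptions: list
    order irrelevant, '%any' wildcard, empty list matches all, exact matches
    score higher than wildcard matches)."""
    best, best_score = None, -1
    for ids, psk in entries:
        score = 0
        for wanted in (left_id, right_id) if ids else ():
            if wanted in ids:
                score += 2
            elif "%any" in ids:
                score += 1
            else:
                score = -1
                break
        if score > best_score:
            best, best_score = psk, score
    return best


def diagnose(conf_text: str, secrets_text: str, conn: str) -> str:
    """Reproduce pluto's complaint, or report success, for one conn."""
    left_id, right_id = conn_ids(parse_conn(conf_text, conn))
    psk = find_psk(parse_secrets(secrets_text), left_id, right_id)
    if psk is None:
        return f"no preshared key found for '{left_id}' and '{right_id}'"
    return f"PSK found for '{left_id}' and '{right_id}'"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, SAMPLE_SECRETS_WRONG, "ec2check"))
    print(diagnose(SAMPLE_CONF, SAMPLE_SECRETS_RIGHT, "ec2check"))
```

Run it and the first line reproduces the "no preshared key found" complaint from the log, while the second passes: the only difference is whether the secrets line names the elastic IP that leftid sets. Remember that pluto reads the file at startup, so after editing ipsec.secrets run "ipsec secrets" (as the reply says) before retesting.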