[Openswan Users] Yet Another EC2 Config Debug
james.nelson.ii at gmail.com
Fri Sep 9 12:49:04 EDT 2011
Hopefully this doesn't cause a new thread. If so, I apologize for spamming
the group. I found something that I'm not liking at the moment with a
simple ipsec whack --status. My questions are simply:
1) Are these algorithms compatible/consistent?
2) If not, what do my ike and phase2alg variables have to be set to?
000 "ec2check": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5),
000 "ec2check": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-5,
000 "ec2check": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "ec2check": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
On Thu, Sep 8, 2011 at 3:18 PM, James Nelson <james.nelson.ii at gmail.com> wrote:
> It seems as though things are getting close, but I'm stumped by this
> apparent disconnect between the .conf and .secrets files.
> First, the error messages when I try to start up the connection:
> Sep 8 19:51:18 pluto: "ec2check" #1: Can't authenticate: no
> preshared key found for `<EC2 ELASTIC IP>' and `<CLIENT GATEWAY>'.
> Attribute OAKLEY_AUTHENTICATION_METHOD
> Sep 8 19:51:18 pluto: "ec2check" #1: no acceptable Oakley Transform
> Sep 8 19:51:18 pluto: "ec2check" #1: sending notification
> NO_PROPOSAL_CHOSEN to <CLIENT GATEWAY>:500
> The necessary lines in the .conf:
> left=<EC2 LOCAL IP>
> leftid=<EC2 ELASTIC IP>
> right=<CLIENT GATEWAY>
> rightsubnet=<CLIENT ED>/24
> And the line in the .secrets:
> <EC2 ELASTIC IP> <CLIENT GATEWAY>: PSK "HeyLookImStillAKey"
> Anything wrong with these setups?
> On Thu, Sep 8, 2011 at 2:38 PM, Paul Wouters <paul at xelerance.com> wrote:
>> On Thu, 8 Sep 2011, James Nelson wrote:
>>> I appreciate the assistance - removing the modp or commenting out the
>>> phase2alg variable did nothing, but deleting the piece after
>>> "3des-md5" in the ike variable caused it to work. Is this going to cause
>>> trouble later down the road?
>> No it probably won't.
>>> Starting up the connection causes a hang, mainly from a "no preshared key
>>> found" error between the two ips that are located in
>>> the .secrets file. The error follows up with a "no acceptable Oakley
>>> Transform" and "no_proposal_chosen". Is it not reading the
>>> .secrets file correctly?
>> If you use leftid/rightid, those are the identifiers you need in
>> ipsec.secrets. If you use IP addresses only, then those need to go in as
>> identifiers. If you change ipsec.secrets then issue "ipsec secrets" or
>> restart openswan.
>> btw. I'm changing the reply-to: to go back to the list, as public
>> discussions are how I distinguish between free and paid support.
>>> On Thu, Sep 8, 2011 at 1:54 PM, Paul Wouters <paul at xelerance.com> wrote:
>>>> On Thu, 8 Sep 2011, James Nelson wrote:
>>>>> That would be a clever start :) I'm getting a no conn found
>>>>> when I enter the auto --up command, which I have to imagine means
>>>>> there is something wrong with the conn code. Am I writing the
>>>>> ike and phase two variables correctly?
>>>>> There is the following error in my log:
>>>>> Sep 7 20:18:06 ipsec__plutorun: 034 esp string error: Non
>>>>> alphanum or valid separator found in auth
>>>>> string, \
>>>>> just after "3des-md5" (old_state=ST_AA)
>>>> try leaving out the modp specifier for the phase2/esp setting.
>>>> You can test if the connection loads with "ipsec auto --add connname"
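As an added example (my own code, not part of this thread or of Openswan), a small Python check that parses the `ipsec whack --status` lines quoted at the top of the message and answers question 1 mechanically: a `_000` key length in a "wanted" entry means the default, so 3DES at 192 bits, MD5 at 128 and DH group 5 satisfy `3DES_CBC(5)_000-MD5(1)-MODP1536(5)`. The STATUS sample is constructed from the four lines in the message; the function and field names are assumptions of mine.

```python
import re
# Constructed sample: the four `ipsec whack --status` lines quoted in the message above.
STATUS = """\
000 "ec2check": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5),
000 "ec2check": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-5,
000 "ec2check": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "ec2check": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
"""
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)": (?P<proto>IKE|ESP) algorithms (?P<kind>wanted|found|loaded): (?P<prop>[^;,]+)')
# One token is NAME(id) with an optional _keylen suffix, e.g. 3DES_CBC(5)_192 or MD5(1).
TOKEN_RE = re.compile(r"^(?P<name>[A-Z0-9_]+)\((?P<id>\d+)\)(?:_(?P<len>\d+))?$")

def parse_token(tok):
    """Return {'name','id','len'}; a bare number (the trailing '-5') is a DH group id."""
    if tok.isdigit():
        return {"name": None, "id": int(tok), "len": None}
    m = TOKEN_RE.match(tok)
    if not m:
        raise ValueError("unrecognised algorithm token: %r" % tok)
    return {"name": m.group("name"), "id": int(m.group("id")),
            "len": int(m.group("len")) if m.group("len") else None}

def parse_proposal(text):
    # ENC-HASH[-GROUP]; only the first proposal of a comma-separated list is taken.
    return [parse_token(t) for t in text.strip().split("-")]

def compatible(wanted, found):
    """Same number of slots, same numeric ids; a wanted length of 000/None means 'any'."""
    if len(wanted) != len(found):
        return False
    for w, f in zip(wanted, found):
        if w["id"] != f["id"]:
            return False
        if w["len"] not in (None, 0) and w["len"] != f["len"]:
            return False
    return True

def check_status(status_text):
    """Map 'conn/PROTO' -> True when the found/loaded set satisfies the wanted set."""
    seen = {}
    for line in status_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            key = "%s/%s" % (m.group("conn"), m.group("proto"))
            seen.setdefault(key, {})[m.group("kind")] = parse_proposal(m.group("prop"))
    result = {}
    for key, kinds in seen.items():
        got = kinds.get("found") or kinds.get("loaded")
        result[key] = got is not None and "wanted" in kinds and compatible(kinds["wanted"], got)
    return result
```

A True result only says that pluto loaded what ipsec.conf asked for; in the log quoted in the thread, "no acceptable Oakley Transform" follows directly from the missing preshared key, which is a secrets/identifier problem this check cannot see.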