[Openswan Users] Yet Another EC2 Config Debug
James Nelson
james.nelson.ii at gmail.com
Fri Sep 9 12:49:04 EDT 2011
Hopefully this doesn't cause a new thread. If so, I apologize for spamming
the group. I found something that I'm not liking at the moment with a
simple ipsec whack --status. My questions are simply:
1) Are these algorithms compatible/consistent?
2) If not, what do my ike and phase2alg variables have to be set to?
000 "ec2check": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "ec2check": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-5, 3DES_CBC(5)_192-MD5(1)_128-2,
000 "ec2check": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "ec2check": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
conn ec2check
        connaddrfamily=ipv4
        type=tunnel
        authby=secret
        ike=3des-md5
        ikelifetime=86400s
        phase2=esp
        phase2alg=3des-md5
        lifetime=28800s
        forceencaps=yes
-James
On Thu, Sep 8, 2011 at 3:18 PM, James Nelson <james.nelson.ii at gmail.com> wrote:
> It seems as though things are getting close, but I'm stumped by this
> apparent disconnect between the .conf and .secrets files.
>
> First, the error messages when I try to start up the connection:
>
> Sep 8 19:51:18 pluto[3535]: "ec2check" #1: Can't authenticate: no
> preshared key found for `<EC2 ELASTIC IP>' and `<CLIENT GATEWAY>'.
> Attribute OAKLEY_AUTHENTICATION_METHOD
> Sep 8 19:51:18 pluto[3535]: "ec2check" #1: no acceptable Oakley Transform
> Sep 8 19:51:18 pluto[3535]: "ec2check" #1: sending notification
> NO_PROPOSAL_CHOSEN to <CLIENT GATEWAY>:500
>
> The necessary lines in the .conf:
>
> left=<EC2 LOCAL IP>
> leftid=<EC2 ELASTIC IP>
> leftnexthop=%defaultroute
> leftsubnet=10.5.5.5/32
> leftsourceip=10.5.5.5
> right=<CLIENT GATEWAY>
> rightsubnet=<CLIENT ED>/24
>
> And the line in the .secrets:
> <EC2 ELASTIC IP> <CLIENT GATEWAY>: PSK "HeyLookImStillAKey"
>
> Anything wrong with these setups?
>
> -James
>
>
> On Thu, Sep 8, 2011 at 2:38 PM, Paul Wouters <paul at xelerance.com> wrote:
>
>> On Thu, 8 Sep 2011, James Nelson wrote:
>>
>>> I appreciate the assistance; removing the modp or commenting out the
>>> phase2alg variable did nothing, but deleting the piece after
>>> "3des-md5" in the ike variable caused it to work. Is this going to cause
>>> trouble later down the road?
>>>
>>
>> No it probably won't.
>>
>>
>>> Starting up the connection causes a hang, mainly from a "no preshared key
>>> found" error between the two ips that are located in
>>> the .secrets file. The error follows up with a "no acceptable Oakley
>>> Transform" and "no_proposal_chosen". Is it not reading the
>>> .secrets file correctly?
>>>
>>
>> If you use leftid/rightid, those are the identifiers you need in
>> ipsec.secrets. If you use IP addresses only, then those need to go in
>> as identifiers. If you change ipsec.secrets then issue "ipsec secrets"
>> or restart openswan.
>>
>> btw. I'm changing the reply-to: to go back to the list, as public
>> discussion is how I distinguish between free and paid support.
>>
>> Cheers,
>>
>> Paul
>>
>>
>>> Cheers,
>>> -James
>>>
>>> On Thu, Sep 8, 2011 at 1:54 PM, Paul Wouters <paul at xelerance.com> wrote:
>>> On Thu, 8 Sep 2011, James Nelson wrote:
>>>
>>> That would be a clever start :) I'm getting a "no conn found"
>>> when I enter the auto --up command, which I have to imagine means
>>> there is something wrong with the conn code. Am I writing the
>>> ike and phase two variables correctly? There is the following
>>> error in my log:
>>> Sep 7 20:18:06 ipsec__plutorun: 034 esp string error: Non alphanum or valid separator found in auth string, just after "3des-md5" (old_state=ST_AA)
>>>
>>>
>>> try leaving out the modp specifier for the phase2/esp setting.
>>>
>>> You can test if the connection loads with "ipsec auto --add connname"
>>>
>>> Paul
>>
>>
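The two recurring questions in this thread (do the "wanted" and "found" lines of ipsec whack --status agree, and which two identifiers the PSK line in ipsec.secrets has to carry once leftid is set) can be checked offline against captured text. The script below is an added example; it is not code from the thread or from Openswan. The first status sample is the four lines from the post rejoined onto single lines; the second status sample, the conn dictionary (with the post's placeholders replaced by RFC 5737 documentation addresses) and the ipsec.secrets text are constructed for the example. The secrets matcher is deliberately simplified: it requires an exact pair of IDs and does not model %any or Pluto's best-match rules.

```python
import re

# Sample 1: the four status lines from the post, rejoined onto single lines.
STATUS_OK = """\
000 "ec2check": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=-strict
000 "ec2check": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-5, 3DES_CBC(5)_192-MD5(1)_128-2,
000 "ec2check": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "ec2check": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
"""

# Sample 2: constructed (not real output) to exercise the failure path:
# the conn asks for DH group 14 but only a group-5 transform was found.
STATUS_BAD = """\
000 "other": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP2048(14); flags=-strict
000 "other": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-5,
"""

LINE_RE = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<proto>IKE|ESP) algorithms '
                     r'(?P<kind>wanted|found|loaded): (?P<body>.*)$')
ALG_RE = re.compile(r'([A-Z0-9_]+)\((\d+)\)')   # NAME(id) tokens
TRAIL_GROUP_RE = re.compile(r'-(\d+)\s*$')     # "...-5" on found lines = DH group id


def normalise(entry):
    """Reduce one proposal to (enc_id, hash_id, group_id) so wanted/found compare.

    Wanted lines spell the group as MODP1536(5); found lines put the bare id
    after the last dash; key lengths (_000, _192, _128) are ignored.
    """
    entry = entry.strip()
    ids = [int(i) for _, i in ALG_RE.findall(entry)]
    enc, hsh = ids[0], ids[1]
    if len(ids) >= 3:
        group = ids[2]
    else:
        m = TRAIL_GROUP_RE.search(entry)
        group = int(m.group(1)) if m else None   # ESP proposals carry no group
    return (enc, hsh, group)


def parse_status(text):
    """Map (conn, 'IKE'|'ESP') -> {'wanted': [...], 'found': [...]}."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        body = m.group('body').split(';', 1)[0]          # drop "; flags=-strict"
        kind = 'found' if m.group('kind') == 'loaded' else m.group('kind')
        entries = [normalise(e) for e in body.split(',') if e.strip()]
        out.setdefault((m.group('conn'), m.group('proto')), {}) \
           .setdefault(kind, []).extend(entries)
    return out


def unmatched(status):
    """Wanted proposals with no matching found/loaded transform; {} means consistent."""
    problems = {}
    for key, kinds in status.items():
        found = set(kinds.get('found', []))
        missing = [w for w in kinds.get('wanted', []) if w not in found]
        if missing:
            problems[key] = missing
    return problems


# Conn from the post with placeholders replaced by documentation addresses
# (assumed values, not the poster's real ones).
CONN = {'left': '10.0.0.5', 'leftid': '198.51.100.10', 'right': '203.0.113.20'}

# Constructed ipsec.secrets: keyed on leftid (the elastic IP), not on left.
SECRETS = """\
# keyed on the elastic IP (leftid), not the instance's private address
198.51.100.10 203.0.113.20: PSK "HeyLookImStillAKey"
"""


def secret_ids(conn):
    """IDs Pluto looks up in ipsec.secrets: leftid/rightid override left/right."""
    return (conn.get('leftid') or conn['left'], conn.get('rightid') or conn['right'])


def find_psk(secrets_text, ids):
    """Return the PSK whose selector names exactly these two IDs, else None.

    Simplified: exact id-set match only; %any and Pluto's best-match rules
    are not modelled.
    """
    want = set(ids)
    for raw in secrets_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if ':' not in line:
            continue
        selector, body = line.split(':', 1)
        if set(selector.split()) != want:
            continue
        m = re.match(r'\s*PSK\s+"([^"]*)"', body)
        if m:
            return m.group(1)
    return None


if __name__ == '__main__':
    print('ec2check consistent:', unmatched(parse_status(STATUS_OK)) == {})
    print('other missing:', unmatched(parse_status(STATUS_BAD)))
    print('PSK via leftid:', find_psk(SECRETS, secret_ids(CONN)))
    print('PSK via left:', find_psk(SECRETS, (CONN['left'], CONN['right'])))
```

For the post's own lines the checker reports no unmatched proposal, which answers the first question: wanted and found differ only in the key-length fields Pluto fills in once the transform is loaded. The secrets lookup shows why a line keyed on the EC2 instance's private address (left) never matches once leftid is set to the elastic IP.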