[Openswan Users] Openswan cannot make connection with DrayTek in Aggressive Mode (packet rejected: should have been encrypted)

Steve Leung kesteve at kesteve.com
Sun Sep 11 23:29:54 EDT 2011

Hi Nick,

> I use main mode with PFS rather than aggressive mode as it is more secure.

I thought that Main Mode (PSK) must use IP Address to identify the
peer, is there any way to use Main Mode (PSK) with a peer using
dynamic IP? I know that this works if I use cert... but I'd prefer to
use PSK in this setup.

> Openswan responds correctly if you do not specify ike and phase2alg so try leaving them out if you switch to main mode. If you use aggressive mode, don't you need to fully specify phase2alg?

I should have already fully specified phase2alg=3ds-md5 and with
pfs=no, since the DrayTek was set to disable PFS so I think it's ok to
not specifying a modp group.

> I use a rightid like you, but should not strings be preceded by an @?

Openswan support this U-FQDN format (both preceded by @ and something
like a at b) without problem.

> I do not use a leftid but you may need to because you have a NAT device. You may need to set the leftid to the WAN IP of the Openswan device.
> auto should be "add" as right = %any. Openswan cannot initiate to a dynamic IP.
> I think rekey should be no as only the initiating end should start rekeying.

Oh yes, rekey seems useless here, this is my mistake, I will correct that.

> Have you tried looking at the DrayTek logs (either with DrayTek's own tool or Wallwatcher)?

The logs from DrayTek are nearly useless :(  It just said that it's
initiating IPsec in Aggressive Mode and no valuable information

Best regards,

More information about the Users mailing list