[Openswan Users] Openswan cannot make connection with DrayTek in Aggressive Mode (packet rejected: should have been encrypted)

Nick Howitt n1ck.h0w1tt at gmail.com
Mon Sep 12 14:22:02 EDT 2011

On 12/09/2011 04:29, Steve Leung wrote:
> Hi Nick,
>> I use main mode with PFS rather than aggressive mode as it is more secure.
> I thought that Main Mode (PSK) must use IP Address to identify the
> peer, is there any way to use Main Mode (PSK) with a peer using
> dynamic IP? I know that this works if I use cert... but I'd prefer to
> use PSK in this setup.
I'm not sure I totally understand this. I use Main Mode with a PSK and a 
Draytek on a dynamic IP. If you are talking about the PSK in 
ipsec.secrets, you can use IP addresses, left/rightid or %any (or leave 
blank which is the same as %any). I use left/rightid. From what I have 
worked out there is no point in putting in a known value for left (IP 
address of leftid) then %any for your other field as %any will apply to 
both ends of the connection.
>> Openswan responds correctly if you do not specify ike and phase2alg so try leaving them out if you switch to main mode. If you use aggressive mode, don't you need to fully specify phase2alg?
> I should have already fully specified phase2alg=3ds-md5 and with
> pfs=no, since the DrayTek was set to disable PFS so I think it's ok to
> not specify a modp group.
This becomes irrelevant if you can switch to main mode. I was 
just commenting on what the docs said.
>> I use a rightid like you, but should not strings be preceded by an @?
> Openswan supports this U-FQDN format (both preceded by @ and something
> like a@b) without problem.
Again I was commenting on the docs. If it works (and in a router manual 
I've seen you can use an e-mail address, so with @ in the middle), it works.
>> I do not use a leftid but you may need to because you have a NAT device. You may need to set the leftid to the WAN IP of the Openswan device.
>> auto should be "add" as right = %any. Openswan cannot initiate to a dynamic IP.
>> I think rekey should be no as only the initiating end should start rekeying.
> Oh yes, rekey seems useless here, this is my mistake, I will correct that.
... and "auto = add"
>> Have you tried looking at the DrayTek logs (either with DrayTek's own tool or Wallwatcher)?
> The logs from DrayTek are nearly useless :(  It just said that it's
> initiating IPsec in Aggressive Mode and no valuable information
> inside.
I have not looked at the logs in years and I don't have a copy of 
Wallwatcher any more, but I think Wallwatcher was a bit more informative 
(though that does not make sense as both logging programs are trapping 
the same messages).
> Best regards,
> Steve
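
As an added example (not part of the original post and not Openswan code): a small Python check that applies the points raised in this thread to an ipsec.conf conn, namely PSK in aggressive mode, PFS, and auto=add / rekey=no for a right=%any peer. The sample conn, its values and the function names are constructed for illustration, and the rekey default is an assumption.

```python
import re

# Constructed sample conn (illustrative values, not the original poster's config).
SAMPLE = """\
conn draytek
    left=192.0.2.10
    right=%any
    rightid=@draytek.example   # hypothetical ID
    authby=secret
    aggrmode=yes
    pfs=no
    rekey=yes
    auto=start
"""

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {option: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and line[0] in " \t" and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None  # config setup or other section: not a conn
    return conns

def check_conn(opts):
    """Return (option, advice) pairs for one conn, following the thread's points."""
    findings = []
    dynamic_peer = opts.get("right") == "%any"
    if opts.get("aggrmode") == "yes" and opts.get("authby") == "secret":
        findings.append(("aggrmode", "PSK in aggressive mode; main mode is preferred"))
    if opts.get("pfs") == "no":
        findings.append(("pfs", "PFS disabled; enable it on both peers if possible"))
    if dynamic_peer and opts.get("auto") != "add":
        findings.append(("auto", "use auto=add; cannot initiate to right=%any"))
    # Assumption: rekey defaults to yes when the option is absent.
    if dynamic_peer and opts.get("rekey", "yes") != "no":
        findings.append(("rekey", "use rekey=no; let the initiating peer rekey"))
    return findings

if __name__ == "__main__":
    for name, opts in parse_conns(SAMPLE).items():
        for option, advice in check_conn(opts):
            print(f"{name}: {option}: {advice}")
```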

