[Openswan Users] Can't initiate "phase 2"
Tuomo Soini
tis at foobar.fi
Thu Apr 26 14:24:14 EDT 2012
On Tue, 24 Apr 2012 21:42:47 -0500
Wilfredo Pachón <wilfredcom at gmail.com> wrote:
> Hello friends of the list, thanks for the great job
>
> I'm new to Openswan, but last week I needed to create a VPN with
> another office on the server I admin. This is the problem, if anyone can
> help me in any way:
>
> I am trying to set up a VPN between Openswan and a CISCO ASA 5540 router.
> I read a lot of documentation and, based on that, everything looks fine
> to me, but it doesn't work.
>
> First of all, this is the config set up on the router:
>
> Phase 1:
> Auth Method: Preshared Key
> Encryption Scheme: IKE
> D-H G: Group 2 (1024 bit)
> Encryption Algorithm: 3DES
> Integrity Algorithm: SHA1
> Aggressive Mode: No
> Renegotiation time: 24h
>
> Phase 2:
> Encapsulating: ESP
> Encryption Algorithm: 3DES
> Integrity Algorithm: SHA1
> Perfect Forward Secrecy: No
>
> My ipsec.conf, based on this config, is:
>
> config setup
> plutodebug=none
> klipsdebug=none
> nat_traversal=no
> #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> #interfaces=eth0
> oe = off
> protostack=netkey
> nhelpers = 0
>
> conn net-super
> type=tunnel
> authby=secret # Key exchange method
> left=190.147.229.2 # Public Internet IP address of the
> leftsubnet=192.168.100.0/24 # Subnet protected by the LEFT VPN device
> leftnexthop=%defaultroute # correct in many situations
> right=190.26.216.13 # Public Internet IP address of
> rightsubnet=192.168.20.0/24 # Subnet protected by the RIGHT VPN device
> rightnexthop=%defaultroute # correct in many situations
> auto=start # authorizes and starts this connection
> aggrmode=no
> rekey=yes
> keyingtries=2
> keyexchange=ike
> ike=3DES-SHA1-modp1024
Openswan wants these in lower case, and you should add ! at the end for
strictness:
ike=3des-sha1-modp1024!
> ikelifetime=24h
> phase2=esp
> phase2alg=3DES-SHA1
So this is:
phase2alg=3des-sha1
> keylife=3600s
> pfs=no
>
> My ipsec.secrets file has:
> 190.147.229.2 190.26.216.13 : PSK "SECRET"
I'd guess this SECRET has a typo... And don't enable debug logging; it
doesn't help to find configuration issues.
A successful phase 1 negotiation you can find in the log as "ISAKMP SA".
--
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
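The two things the reply asks for, proposal strings in lower case with a strict "!" on ike= and reading the log for the ISAKMP SA, can be checked mechanically before a tunnel is retried. The following is an added example, not code from the thread or from Openswan itself: it parses a conn block out of ipsec.conf text, reports where the posted lines differ from the ASA settings quoted above, applies the two corrections from the reply, and classifies pluto log lines by how far the negotiation got. The function names, the sample ipsec.conf and the sample log lines are all constructed for this example; the exact strings "ISAKMP SA established" and "IPsec SA established" are assumed to be pluto's wording (the reply only mentions "ISAKMP SA").

```python
"""Added example (not from the original thread): check an Openswan conn
against the ASA's quoted phase 1/phase 2 settings and classify pluto log
lines. All names, sample config and sample log lines are constructed."""
import re

# Proposal strings matching the ASA settings quoted in the thread:
# phase 1 3DES/SHA1/DH group 2 (modp1024), phase 2 ESP 3DES/SHA1, no PFS.
EXPECTED_IKE = "3des-sha1-modp1024"
EXPECTED_PHASE2ALG = "3des-sha1"


def parse_conn(conf_text, name):
    """Return {key: value} for 'conn <name>' in ipsec.conf text.
    Trailing '# comment' text is dropped; parsing stops at the next section."""
    params = {}
    in_conn = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            in_conn = (m.group(1) == "conn" and m.group(2) == name)
            continue
        if in_conn and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def check_proposals(params):
    """Return findings; empty means ike=/phase2alg= are lower case, ike= is
    strict ('!') and both match the ASA, with PFS off and Main Mode."""
    findings = []
    ike = params.get("ike", "")
    p2 = params.get("phase2alg", "")
    if ike != ike.lower():
        findings.append("ike= must be lower case")
    if not ike.endswith("!"):
        findings.append("ike= should end with '!' for a strict proposal")
    if ike.lower().rstrip("!") != EXPECTED_IKE:
        findings.append(f"ike= does not match the peer's phase 1 ({EXPECTED_IKE})")
    if p2 != p2.lower():
        findings.append("phase2alg= must be lower case")
    if p2.lower().rstrip("!") != EXPECTED_PHASE2ALG:
        findings.append(f"phase2alg= does not match the peer's phase 2 ({EXPECTED_PHASE2ALG})")
    if params.get("pfs", "").lower() != "no":
        findings.append("peer has PFS disabled; set pfs=no")
    if params.get("aggrmode", "no").lower() != "no":
        findings.append("peer uses Main Mode; set aggrmode=no")
    return findings


def normalize_proposals(params):
    """Copy of params with the reply's two corrections applied."""
    fixed = dict(params)
    if "ike" in fixed:
        fixed["ike"] = fixed["ike"].lower().rstrip("!") + "!"
    if "phase2alg" in fixed:
        fixed["phase2alg"] = fixed["phase2alg"].lower()
    return fixed


def negotiation_state(log_lines, conn="net-super"):
    """'phase2' if an IPsec SA was established for conn, 'phase1' if only
    the ISAKMP SA was, else 'none'. Log wording is an assumption here."""
    state = "none"
    for line in log_lines:
        if f'"{conn}"' not in line:
            continue
        if "IPsec SA established" in line:
            return "phase2"
        if "ISAKMP SA established" in line:
            state = "phase1"
    return state


# Constructed sample: the conn from the thread as posted (upper-case algs).
SAMPLE_CONF = """\
config setup
protostack=netkey

conn net-super
type=tunnel
authby=secret
left=190.147.229.2
leftsubnet=192.168.100.0/24
right=190.26.216.13
rightsubnet=192.168.20.0/24
aggrmode=no
ike=3DES-SHA1-modp1024 # as posted
phase2alg=3DES-SHA1
pfs=no
"""

# Constructed log lines modelled on pluto output: phase 1 up, phase 2 refused.
SAMPLE_LOG = [
    'pluto[2215]: "net-super" #1: initiating Main Mode',
    'pluto[2215]: "net-super" #1: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY '
    'cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}',
    'pluto[2215]: "net-super" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP',
    'pluto[2215]: "net-super" #2: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
]

if __name__ == "__main__":
    params = parse_conn(SAMPLE_CONF, "net-super")
    for finding in check_proposals(params):
        print("finding:", finding)
    print("corrected ike=", normalize_proposals(params)["ike"])
    print("negotiation reached:", negotiation_state(SAMPLE_LOG))
```

Run it against a real ipsec.conf by passing the file's text to parse_conn() and the output of the pluto log to negotiation_state(); a result of "phase1" with an empty findings list points at the phase 2 parameters or, as the reply suggests, at the PSK rather than at the proposal lines.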