[Openswan Users] Site-to-site VPN with openswan

Roel van Meer roel.vanmeer at bokxing.nl
Wed Aug 29 03:13:05 EDT 2012


Jakub Sobczak writes:

> I have never setup a live openSwan VPN tunnel, so please be understanding =)
> I received the following config details to establish connection to the other
> company's gateway:
> 
> Key Exchange Encryption: AES256        Data integrity: SHA1
> IKE SA renegotiation: 8 hrs            Aggressive mode: No
> Use DH group: 1536 (group 5)
> Authentication: PSK
> 
> IKE phase 2
> Data Encryption: AES256                Data integrity: SHA1
> IPSec SA renegotiation: 1 hr           Aggressive mode: No
> Perfect forward secrecy: Yes
> Use DH group (Perfect forward secrecy): 1536 (group 5)
> 
> 
> This is my config from ipsec.conf (below). Apart from that, I also have
> ipsec.secret with the following content: left_IP(mine)
> right_IP(othercompany) "PSK"

Just to be sure, the format of this needs to be:
1.2.3.4 5.6.7.8: PSK "sharedkey"

> config setup
>         nat_traversal=yes
>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>         oe=off
>         protostack=klips
> conn abc
>         #General
>         keyingtries=1
>         auto=add

If you specify "auto=add" the other end will have to initiate the 
connection. Can you post the logs that show what happens during this time?

>         #IKE Params
>         authby=secret
>         keyexchange=ike

This parameter does not occur in my manpage. Which version of openswan are 
you using?

>         ikelifetime=8h
>         ike=aes256-sha1-modp1536
>         #IPSec Params
>         type=tunnel
>         auth=esp
>         pfs=yes
>         compress=no
>         keylife=60m
>         esp=aes256-sha1
>         #pfsgroup=modp1536
>         # Left security gateway, subnet behind it, nexthop toward right.
>         left=my_IP
>         leftsubnet=192.168.5.1/32
>         right=other_comp_IP
>         rightsubnet=some_subnet

As far as I can see, this is all correct.
A general remark: in my experience it is often easier to begin with less 
specific configuration, for example:
ike=aes
instead of
ike=aes256-sha1-modp1536

> The second phase does not seem to be established. What is wrong? I believe
> something with pfsgroup? How to properly set DH group?

Best regards,

Roel
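Before digging into phase 2 logs it is worth confirming mechanically that the ike=/esp= strings (plus a separate pfsgroup=) actually match the partner's requirement sheet, and that the ipsec.secrets line has the shape Roel gives. The following is an added example written for this thread, not code from the Openswan project; the function names, the DH_GROUPS table and the sample values are my own construction.

```python
import re

# Openswan proposal syntax: cipher[keybits][-hash][-dhgroup], e.g. "aes256-sha1-modp1536".
# The DH group token may be omitted (as in "esp=aes256-sha1") and supplied via pfsgroup= instead.
_PROPOSAL = re.compile(
    r"^(?P<cipher>[a-z0-9]+?)(?P<bits>\d+)?(?:-(?P<hash>[a-z0-9]+))?(?:-(?P<dh>modp\d+))?$"
)

# "DH group N" wording on a partner's sheet -> Openswan modp name (standard IKE group numbers).
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}


def parse_proposal(text):
    """Split one ike=/esp= proposal string into cipher, key length, hash and DH group."""
    m = _PROPOSAL.match(text.strip().lower())
    if not m:
        raise ValueError("unrecognised proposal syntax: %r" % text)
    return {
        "cipher": m.group("cipher"),
        "bits": int(m.group("bits")) if m.group("bits") else None,
        "hash": m.group("hash"),
        "dh": m.group("dh"),
    }


def check_against_sheet(proposal, cipher, bits, integrity, dh_group=None, pfsgroup=None):
    """Return a list of mismatches between a proposal string and the partner's requirements.
    dh_group is the sheet's group number; pfsgroup is a separate pfsgroup= value, if any."""
    p = parse_proposal(proposal)
    problems = []
    if p["cipher"] != cipher:
        problems.append("cipher %s, sheet wants %s" % (p["cipher"], cipher))
    if p["bits"] is None:
        problems.append("key length not pinned, sheet wants %d" % bits)
    elif p["bits"] != bits:
        problems.append("key length %d, sheet wants %d" % (p["bits"], bits))
    if p["hash"] != integrity:
        problems.append("integrity %s, sheet wants %s" % (p["hash"], integrity))
    if dh_group is not None:
        want, have = DH_GROUPS.get(dh_group), p["dh"] or pfsgroup
        if have != want:
            problems.append("DH group %s, sheet wants %s (group %d)" % (have, want, dh_group))
    return problems


def secrets_line(left_ip, right_ip, psk):
    """Format an ipsec.secrets PSK entry in the form Roel describes: 'left right: PSK "key"'."""
    return '%s %s: PSK "%s"' % (left_ip, right_ip, psk)
```

Run against the thread's values, `check_against_sheet("aes256-sha1", "aes", 256, "sha1", dh_group=5)` reports the missing PFS group, which disappears once `pfsgroup="modp1536"` is passed.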

