[Openswan Users] Site-to-site VPN with openswan

Jakub Sobczak sopel1000 at gmail.com
Wed Aug 29 04:08:17 EDT 2012


Hi

Yes, the shared key line is formatted in the following way:
1.2.3.4 5.6.7.8: PSK "sharedkey"

I changed auto=add to auto=start hoping it would help, but it didn't:

ipsec auto --up conn
> 104 "conn" #1616: STATE_MAIN_I1: initiate
> 010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 40s for response
> 031 "conn" #1616: max number of retransmissions (2) reached STATE_MAIN_I1.
>  No response (or no acceptable response) to our first IKE message


I'm not sure if that's correct: ike=aes256-sha1-modp1536, but if they say: Key
Exchange Encryption: AES256  Data integrity: SHA1 and DH group 5, do you
think this line is not correct (ike=aes256-sha1-modp1536)? I cannot
influence that, I have to adjust...

I am using: Linux Openswan U2.6.23/K2.6.32-31-server (netkey). Maybe the
problem is that I am not using certificates but PSK? How do I check if I
can use klips (which I believe I should use instead of netkey)?


Kind regards,
Jakub



2012/8/29 Roel van Meer <roel.vanmeer at bokxing.nl>

> Jakub Sobczak writes:
>
>> I have never set up a live openSwan VPN tunnel, so please be understanding =)
>> I received the following config details to establish connection to the
>> other
>> company's gateway:
>>
>> Key Exchange Encryption:        AES256  Data integrity: SHA1
>> IKE SA renegotiation:   8 hrs                   Aggressive mode: No
>> Use DH group:   1536 (group 5)
>> Authentication: PSK
>>
>> IKE phase 2
>> Data Encryption:        AES256  Data integrity: SHA1
>> IPSec SA renegotiation: 1 hr    Aggressive mode: No
>> Perfect forward secrecy:        Yes
>> Use DH group (Perfect forward secrecy) :        1536 (group 5)
>>
>>
>> This is my config from ipsec.conf (below). Apart from that, I also have
>> ipsec.secret with the following content: left_IP(mine)
>> right_IP(othercompany) "PSK"
>>
>
> Just to be sure, the format of this needs to be:
> 1.2.3.4 5.6.7.8: PSK "sharedkey"
>
>
>> config setup
>>         nat_traversal=yes
>>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>         oe=off
>>         protostack=klips
>> conn abc
>>         #General
>>         keyingtries=1
>>         auto=add
>>
>
> If you specify "auto=add" the other end will have to initiate the
> connection. Can you post the logs that show what happens during this time?
>
>>         #IKE Params
>>         authby=secret
>>         keyexchange=ike
>>
>
> This parameter does not occur in my manpage. Which version of openswan are
> you using?
>
>
>>         ikelifetime=8h
>>         ike=aes256-sha1-modp1536
>>         #IPSec Params
>>         type=tunnel
>>         auth=esp
>>         pfs=yes
>>         compress=no
>>         keylife=60m
>>         esp=aes256-sha1
>>         #pfsgroup=modp1536
>>         # Left security gateway, subnet behind it, nexthop toward right.
>>         left=my_IP
>>         leftsubnet=192.168.5.1/32
>>         right=other_comp_IP
>>         rightsubnet=some_subnet
>>
>
> As far as I can see, this is all correct.
> A general remark: in my experience it is often easier to begin with less
> specific configuration, for example:
> ike=aes
> instead of
> ike=aes256-sha1-modp1536
>
>
>> The second phase does not seem to be established. What is wrong? I believe
>> something with pfsgroup? How to properly set DH group?
>>
>
> Best regards,
>
> Roel
>
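The thread boils down to checking a conn block and the ipsec.secrets line against the parameters the other company supplied (AES256/SHA1/group 5 for phase 1, AES256/SHA1 with PFS group 5 for phase 2, 8 h and 1 h lifetimes, PSK). The script below is an added example, not Openswan code and not something anyone in the thread posted: it parses a conn section the way Openswan reads it (commented lines such as `#pfsgroup=modp1536` do not count as set), compares the `ike=`/`esp=` proposals, lifetimes, PFS group and `auto=` setting with the peer's list, and checks that a PSK line of the form `<left> <right>: PSK "..."` exists for the two gateway addresses. The gateway addresses are TEST-NET placeholders and the key is a placeholder; it also assumes Openswan's documented fallback of reusing the phase 1 DH group when `pfsgroup=` is not set.

```python
"""Check an Openswan conn and ipsec.secrets against a peer's stated
IKE/IPsec parameters.  Added example; not Openswan's own code."""
import re

# Openswan modp names for the DH group numbers peers usually quote.
DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}

# Constructed conn block, modelled on the one in the thread
# (TEST-NET addresses stand in for the real gateway IPs).
IPSEC_CONF = """\
conn abc
        keyingtries=1
        auto=start
        authby=secret
        ikelifetime=8h
        ike=aes256-sha1-modp1536
        type=tunnel
        auth=esp
        pfs=yes
        keylife=60m
        esp=aes256-sha1
        #pfsgroup=modp1536
        left=203.0.113.10
        leftsubnet=192.168.5.1/32
        right=198.51.100.20
        rightsubnet=10.20.0.0/24
"""

# Constructed ipsec.secrets line in the format spelled out in the thread.
IPSEC_SECRETS = '203.0.113.10 198.51.100.20: PSK "placeholder-psk"\n'

# Peer-supplied parameters as quoted in the thread (lifetimes in seconds).
PEER = {"ike": ("aes256", "sha1", 5), "ike_life": 8 * 3600,
        "esp": ("aes256", "sha1"), "ipsec_life": 3600, "pfs_dh": 5}

SECRET_LINE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"[^"]+"\s*$')


def parse_conn(text, name):
    """Return {key: value} for the named conn.  Lines starting with '#'
    are ignored, so a commented-out pfsgroup is treated as unset."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def to_seconds(lifetime):
    """Openswan lifetimes: bare seconds or a number with an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", lifetime)
    if not m:
        raise ValueError(f"bad lifetime {lifetime!r}")
    unit = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]
    return int(m.group(1)) * unit


def secrets_match(secrets, left, right):
    """True if a PSK line exists for exactly this pair of gateway addresses."""
    for line in secrets.splitlines():
        m = SECRET_LINE.match(line)
        if m and {m.group(1), m.group(2)} == {left, right}:
            return True
    return False


def check_conn(conf, secrets, name, peer):
    """Return a list of findings; an empty list means the conn matches."""
    c, findings = parse_conn(conf, name), []
    # Phase 1: ike=<enc>-<integ>-<dh>
    enc, integ, dh = (c.get("ike", "").split("-") + [None] * 3)[:3]
    want = (peer["ike"][0], peer["ike"][1], DH_GROUPS[peer["ike"][2]])
    if (enc, integ, dh) != want:
        findings.append(f"ike={c.get('ike')} != {'-'.join(want)}")
    # Phase 2: esp=<enc>-<integ>[;<pfsgroup>]
    esp, _, esp_group = c.get("esp", "").partition(";")
    if tuple(esp.split("-")[:2]) != peer["esp"]:
        findings.append(f"esp={c.get('esp')} != {'-'.join(peer['esp'])}")
    for key, secs in (("ikelifetime", peer["ike_life"]), ("keylife", peer["ipsec_life"])):
        if key not in c or to_seconds(c[key]) != secs:
            findings.append(f"{key}={c.get(key)} != {secs}s")
    # PFS: explicit pfsgroup, else the group in esp=, else (assumption
    # stated in the lead-in) Openswan reuses the phase 1 DH group.
    if c.get("pfs", "yes") != "yes":
        findings.append("pfs=no but peer requires PFS")
    group = c.get("pfsgroup") or esp_group or dh
    if group != DH_GROUPS[peer["pfs_dh"]]:
        findings.append(f"PFS group {group} != {DH_GROUPS[peer['pfs_dh']]}")
    if c.get("auto") == "add":
        findings.append("auto=add: this side will wait for the peer to initiate")
    if not secrets_match(secrets, c.get("left", ""), c.get("right", "")):
        findings.append('no \'<left> <right>: PSK "..."\' line for these gateways')
    return findings


if __name__ == "__main__":
    for f in check_conn(IPSEC_CONF, IPSEC_SECRETS, "abc", PEER) or ["conn abc is consistent"]:
        print(f)
```

With the constructed conn the check returns no findings; switching `auto=start` back to `auto=add`, changing the DH group in `ike=`, or writing the secrets line in the `left right "PSK"` order from the original question each produces a finding. A clean result does not mean phase 1 will complete (the `STATE_MAIN_I1` retransmissions in the thread show the peer never answered at all), but it rules out the local proposal and PSK-format mistakes before looking at connectivity.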