[Openswan Users] Site-to-site VPN with openswan
sopel1000 at gmail.com
Wed Aug 29 04:08:17 EDT 2012
Yes, the shared key line is formatted in the following way: 184.108.40.206 220.127.116.11:
PSK "sharedkey" .
I changed auto=add to auto=start hoping it would help, but it didn't:
ipsec auto --up conn
> 104 "conn" #1616: STATE_MAIN_I1: initiate
> 010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "conn" #1616: STATE_MAIN_I1: retransmission; will wait 40s for response
> 031 "conn" #1616: max number of retransmissions (2) reached STATE_MAIN_I1.
> No response (or no acceptable response) to our first IKE message
I'm not sure if that's correct: ike=aes256-sha1-modp1536, but if they say: Key
Exchange Encryption: AES256 Data integrity: SHA1 and DH group 5, do you
think this line is not correct (ike=aes256-sha1-modp1536)? I cannot
influence that, I have to adjust...
I am using: Linux Openswan U2.6.23/K2.6.32-31-server (netkey) Maybe the
problem is that I am not using certificates but psk? How do I check if I
can use klips (which I believe I should use instead of netkey).
2012/8/29 Roel van Meer <roel.vanmeer at bokxing.nl>
> Jakub Sobczak writes:
> I have never setup a live openSwan VPN tunnel, so please be understanding
>> I received the following config details to establish connection to the
>> company's gateway:
>> Key Exchange Encryption: AES256 Data integrity: SHA1
>> IKE SA renegotiation: 8 hrs Aggresive mode: No
>> Use DH group: 1536 (group 5)
>> Authentication: PSK
>> IKE phase 2
>> Data Encryption: AES256 Data integrity: SHA1
>> IPSec SA renegotiation: 1 hr Aggresive mode: No
>> Perfect forward secrecy: Yes
>> Use DH group (Perfect forward secrecy) : 1536 (group 5)
>> This is my config from ipsec.conf (below). Apart from that, I also have
>> ipsec.secret with the following content: left_IP(mine)
>> right_IP(othercompany) "PSK"
> Just to be sure, the format of this needs to be:
> 18.104.22.168 22.214.171.124: PSK "sharedkey"
> config setup
>> conn abc
> If you specify "auto=add" the other end will have to initiate the
> connection. Can you post the logs that show what happens during this time?
> #IKE Params
> This parameter does not occur in my manpage. Which version of openswan are
> you using?
>> #IPSec Params
>> # Left security gateway, subnet behind it, nexthop toward right.
> As far as I can see, this is all correct.
> A general remark: in my experience it is often easier to begin with less
> specific configuration, for example:
> instead of
> The second phase does not seem to be established. What is wrong? I believe
>> something with pfsgroup? How to properly set DH group?
> Best regards,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users