[Openswan Users] LAN to LAN IPsec setup

Paul Wouters paul at nohats.ca
Tue Feb 21 16:30:11 EST 2012


On Sun, 19 Feb 2012, Ali Jawad wrote:

> 
> Hi, I am trying to set up a LAN 2 LAN IPSec VPN connection to a 3rd party service provider. They did request the following settings:
> 
> 2. VPN Requirements
> 2.1 Minimum Protocol Requirements
> 2.1.1 IKE Phase 1 Properties
> o Encryption Algorithm AES-256
> o Data Integrity SHA-1
> o Use Pre-shared Key (the same key should be used for both production and DR configurations)
> o Aggressive mode disabled
> o Support Key exchanges per subnet
> o Diffie-Hellman Group 2
> o IKE SA Life time 1440 minutes (86400 seconds)

> Other VPN settings are possible but not recommended.
> 2.1.2 IKE Phase 2 Properties
> o IPSEC protocol ESP
> o Encryption Algorithm AES-256
> o Data Integrity SHA-1
> o Perfect forwarding security (PFS) disabled.
> o IPSEC SA Life time (3600 seconds)

> I did add the shared key to ipsec.secrets and I did setup the following connection in ipsec.conf
> 
> conn NZTA-CAS-ORS
>         type=tunnel
>         left=My.Server.IP.Addr
>         leftsubnet=0.0.0.0/0.0.0.0
>         leftid=@GroupVPN
>         leftxauthclient=yes
>         right=x.x.0.29
>         rightsubnet=x.x.x.64/255.255.255.192
>         rightxauthserver=yes
>         rightid=@NZTA
>         keyingtries=0
>         pfs=no
>         aggrmode=no
>         keyexchange=ike
>         auto=add
>         auth=esp
>         esp=3DES-SHA1
>         ike=3DES-SHA1
>         authby=secret

Why are you using XAUTH? I don't see that in your requirement list? If
using XAUTH, you also need a username and password for the XAUTH phase.

> TCPDUMP just shows :

Do not show tcpdump. Everything will be encrypted. If you want to
provide information, use the pluto logs. They have all the information
we need to help you (provided you can answer questions).

Paul
(no need to enable plutodebug=all!! please do not do that)
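For reference, the following is an added example of an Openswan ipsec.conf conn that maps the provider's stated requirements (AES-256/SHA-1, DH group 2, main mode only, no PFS, 86400 s IKE SA lifetime, 3600 s IPsec SA lifetime, pre-shared key) one option at a time. It is not from either message in this thread: the posted conn uses 3DES and XAUTH, which the requirement list does not ask for. The connection name, all addresses and subnets are placeholders, and the conn is keyed by peer IP addresses rather than @ids because pluto looks up a main-mode pre-shared key by address.

```ini
# Added example, not the configuration posted in this thread.
# Every address, subnet and the conn name are placeholders.

conn provider-lan2lan
        type=tunnel
        keyexchange=ike
        # Phase 1 (ISAKMP SA): AES-256, SHA-1, DH group 2 (modp1024),
        # main mode only, lifetime 1440 minutes = 86400 seconds
        ike=aes256-sha1;modp1024
        aggrmode=no
        ikelifetime=86400s
        # Phase 2 (IPsec SA): ESP with AES-256/SHA-1, PFS disabled,
        # lifetime 3600 seconds
        phase2=esp
        esp=aes256-sha1
        pfs=no
        keylife=3600s
        # Pre-shared key; the secret is looked up in ipsec.secrets
        # by the two peer addresses, so no leftid/rightid are set
        authby=secret
        # Placeholder: our gateway address and the LAN behind it
        left=192.0.2.1
        leftsubnet=10.10.10.0/24
        # Placeholder: provider gateway and the /26 it advertised
        # (255.255.255.192 written in CIDR form)
        right=198.51.100.29
        rightsubnet=203.0.113.64/26
        # Keep retrying and bring the tunnel up on ipsec start
        keyingtries=0
        auto=start

# Matching placeholder line for /etc/ipsec.secrets (a separate file):
# 192.0.2.1 198.51.100.29 : PSK "replace-with-the-provider-supplied-key"
```

When reporting a failure with a conn like this, the useful material is pluto's normal syslog output (the auth facility, typically /var/log/auth.log or /var/log/secure depending on the distribution), which already shows each Phase 1 and Phase 2 proposal and the peer's reply; plutodebug is not needed for that.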
