[Openswan Users] ipsec.conf setup help please.

Sean Smith ssmith at nanb.nb.ca
Tue Nov 26 18:00:07 UTC 2013


Hello people.

I need some help getting an openSwan computer on my internal network to
connect to a Juniper SRX VPN device rented from our ISP.

Here are the settings I have been told to use by the ISP. I cannot
view these and have asked them to verify all settings at their end, as I
know we need to be exact. They do not support my setup and cannot offer
any guidance on how to connect to this device, just the settings.


Here is what I was told:

Open firewall ports 4500, 500 and ESP protocol 50 on router


VPN Settings:
ipSec Tunnel
Shared Key
host ip - xxx.xxx.xxx.xxx

Phase 1 (IKE) Settings
Exchange Mode - Main
Encryption - AES - 128 bit
Authentication - SHA1
DH Group 2 - 3DES

Phase 2 Settings
Protocol - ESP128
Encryption - AES - 256 bit
Aggressive - Main
Authentication - SHA1 DES
Key Lifetime (seconds) - 3600 - 3DES

Other Settings
AES - 256 bit
Perfect Forward Secrecy - Yes MD5
DH Group
DH Group 2 - 3DES SHA1

Once you have your tunnel up, you should be able to SSH to your server
with the following connection information:
IP: 192.168.12.1

My network has a public IP configured on a Cisco Router:
yyy.yyy.yyy.yyy

And the computers behind it are all on a .16 subnet:
192.168.16.xx


I have researched and tried to get my ipsec.conf file ready for this.

config setup
        interfaces="%defaultroute"
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        #plutodebug="control parsing"
        plutodebug=all
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        #virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        # nhelpers=0

#You may put your configuration (.conf) file in the "/etc/ipsec.d/"
#include /etc/ipsec.d/*.conf
conn aliantVPN
        authby=secret
        auto=start
        type=tunnel
        #left=192.168.16.yy
        left=yyy.yyy.yyy.yyy
        leftnexthop=%defaultroute
        leftsubnet=192.168.16.0/24
        right=xxx.xxx.xxx.xxx
        rightsubnet=192.168.12.0/24
        rightnexthop=%defaultroute
        keylife=3600s
        #esp=
        #ike=AES128-sha1
        phase2=esp
        phase2alg=aes256-sha1


However, I get 2 errors depending on small changes to the file.

If I use the left IP as my public IP then I see "We cannot identify
ourselves with the other end of this connection" errors in secure.log.

If I use the left IP as my internal openSwan computer IP then I see
"NO_PROPOSAL_CHOSEN" errors in secure.log.

Any suggestions or help is greatly appreciated.

Thank you.

Sean
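As an added example (editor's illustration, not the original poster's file and not a reply from the list), here is one way to write the same conn so that each of the ISP's phase 1 and phase 2 parameters is spelled out explicitly in Openswan syntax instead of being left to defaults. It assumes the ISP's list means IKE AES-128/SHA1/DH group 2 in main mode and ESP AES-256/SHA1 with PFS group 2 and a 3600 s lifetime, and that the Openswan host sits behind the NATing Cisco router; the placeholder addresses are the poster's.

```ini
conn aliantVPN
        authby=secret
        auto=start
        type=tunnel
        # Assumption: the Openswan box is behind the Cisco router, so
        # 'left' is its own interface address; the router's public IP is
        # the NAT-T outer address, not something Openswan can bind to.
        left=192.168.16.yy
        leftnexthop=%defaultroute
        leftsubnet=192.168.16.0/24
        # Assumption: the SRX identifies the peer by its public address.
        leftid=yyy.yyy.yyy.yyy
        right=xxx.xxx.xxx.xxx
        rightsubnet=192.168.12.0/24
        # Phase 1 (IKE): AES-128, SHA1, DH group 2 (modp1024), main mode
        ike=aes128-sha1;modp1024
        aggrmode=no
        # Phase 2 (ESP): AES-256, SHA1, 3600 second SA lifetime
        phase2=esp
        esp=aes256-sha1
        salifetime=3600s
        # PFS with DH group 2, matching the "Other Settings" block
        pfs=yes
        pfsgroup=modp1024
```

With the proposals pinned this way, a NO_PROPOSAL_CHOSEN from the SRX narrows the mismatch to one of the listed algorithms or the lifetime rather than an implicit default.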
