[Openswan Users] Unable to connect using Windows 7

Daniel Minder daniel.minder at uni-due.de
Tue Apr 15 05:56:06 EDT 2014


Hi,

Windows 7 is sending 5 proposals for an ISAKMP policy.

The first two are not supported by Openswan (OAKLEY_GROUP 20/19 = 
384/256-bit random ECP group).

The next three are aes256-sha1;modp2048, 3des-sha1;modp2048, 
3des-sha1;modp1024

However, you specified:

> conn peer-site-to-site
>         ike=aes128-sha1!
>         esp=aes128-sha1!

This restricts the algorithms for phase 1 and phase 2, but none matches 
the remaining proposals of Windows 7.

(BTW: According to the man page "!" is obsolete now. When ike is 
specified it's always strict. Also "esp" is obsolete and should be 
replaced by phase2alg.)

In contrast the L2TP-PSK-noNAT connection would match:

> conn  L2TP-PSK-noNAT
>        ike=aes256-sha1,3des-sha1!

So, I suggest changing the lines to:
conn peer-site-to-site
         ike=aes256-sha1,aes128-sha1,3des-sha1
         phase2alg=aes256-sha1,aes128-sha1,3des-sha1

Best,
Daniel

-- 
Daniel Minder
University of Duisburg-Essen, Networked Embedded Systems
http://www.nes.uni-due.de/staff/minder/
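
The proposal comparison described in the message above, as an added example that is not part of the original post and is not Openswan code. The names parse_entry, parse_ike and first_match are hypothetical, and the example assumes that an ike= entry without a ";group" suffix accepts any DH group the peer offers.

```python
# Added example: compare an Openswan ike= value with a peer's phase 1 offers.
# Assumption: an ike= entry without ";group" accepts any DH group offered.

# Constructed from the three supported offers listed in the message above.
WINDOWS7_OFFERS = ["aes256-sha1;modp2048", "3des-sha1;modp2048", "3des-sha1;modp1024"]


def parse_entry(entry):
    """Split 'cipher-hash;group' into (cipher, hash, group or None)."""
    algs, _, group = entry.strip().lower().partition(";")
    cipher, _, digest = algs.partition("-")
    if not cipher or not digest:
        raise ValueError(f"malformed proposal: {entry!r}")
    return cipher, digest, group or None


def parse_ike(value):
    """Parse an ike=/phase2alg= value; the obsolete trailing '!' is ignored."""
    value = value.strip().rstrip("!")
    return [parse_entry(e) for e in value.split(",") if e.strip()]


def first_match(ike_value, peer_offers):
    """Return the first peer offer (in peer order) the local policy accepts, else None."""
    local = parse_ike(ike_value)
    for offer in peer_offers:
        cipher, digest, group = parse_entry(offer)
        for l_cipher, l_digest, l_group in local:
            # Cipher and hash must be equal; group only matters if pinned locally.
            if (cipher, digest) == (l_cipher, l_digest) and l_group in (None, group):
                return offer
    return None


if __name__ == "__main__":
    # The three ike= values discussed in the message.
    for ike in ("aes128-sha1!", "aes256-sha1,3des-sha1!",
                "aes256-sha1,aes128-sha1,3des-sha1"):
        result = first_match(ike, WINDOWS7_OFFERS) or "no match"
        print(f"ike={ike:36} -> {result}")
```
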

