[Openswan Users] NAT Traversal, No Proposal Chosen, No Preshared Key, Oakley Authentication Method

Dane Ruyle druyle at certona.com
Fri Jul 10 19:41:52 EDT 2015


I've been trying to figure this out on my own for over a week; now I am reaching out, frustrated.

I rolled out Openswan in AWS in 2 different VPCs so they could talk to each other; it was up and running in less than 30 minutes. This is simple!!

It works very well. I want to move everything to Openswan, from local site A to the Openswan instance in AWS, because my very, very old firewall cannot handle so much IPsec.

Rolled out Ubuntu 14.04 LTS, apt-get install openswan. It is behind a firewall, which I guess means I need to enable NAT Traversal (it was already enabled).

Many attempts at setting this up; the constant is "Site A-AWS" xxx Can't authenticate: no preshared key for "aaa.bbb.ccc.ddd" "eee.fff.ggg.hhh".

I've downloaded the newest version of Openswan on the local Site A box and compiled it, and started getting errors when trying to enable NAT traversal or add it into the kernel or whatever.
According to my findings, it looks like NAT traversal is part of the kernel.
It looks like it installed OK because now I am seeing new messages about Oakley Authentication? No idea what this is. What happened to NETKEY? No idea what that is.

The secrets file is simple.  The conf file is simple.

How can something be so easy to set up in AWS and such a pain outside AWS?

ATTEMPT #1 - copy/modify working AWS config
Site A: Openswan version from apt-get (did not note it).

"sitea-aws.conf" 
conn colo1-to-nca
        type=tunnel
        authby=secret
        left=192.168.0.13
        leftid=xxx.xxx.xxx.204
        leftnexthop=10.103.0.11
        leftsubnet=192.168.0.0/24
        right=xxx.xxx.xxx.105
        rightsubnet=10.103.0.0/16
        pfs=yes
        auto=start

"sitea-aws.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"


RIGHT - AWS: Openswan 2.6.37
"sitea-aws.conf"
conn aws-sitea
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=xxx.xxx.xxx.105
        leftnexthop=%defaultroute
        leftsubnet=10.103.0.0/16
        right=xxx.xxx.xxx.204
        rightsubnets=192.168.0.0/24,172.21.0.0/16
        pfs=yes
        auto=start

"sitea-aws.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"


ATTEMPT #2 - using configurator
Site A: Upgraded Openswan to version 2.6.43
"tunnel1.conf"
conn sitea-nca
        type=tunnel
        auth=esp
        authby=secret
        ikelifetime=1440m
        rekeymargin=10m
        rekeyfuzz=0%
        keylife=3600s
        esp=3des-md5
        ike=3des-md5
        keyexchange=ike
        pfs=yes
        left=192.168.0.13
        leftsubnet=192.168.0.0/24
        leftnexthop=%defaultroute
        leftid=xxx.xxx.xxx.204
        right=xxx.xxx.xxx.105
        rightsubnet=10.103.0.0/16
        rightnexthop=%defaultroute
        rightid=xxx.xxx.xxx.105
        auto=start

"tunnel1.secrets"
xxx.xxx.xxx.204 xxx.xxx.xxx.105: PSK "keyhere"


AWS Side
conn colo1-sitea
        type=tunnel
        auth=esp
        authby=secret
        ikelifetime=1440m
        rekeymargin=10m
        rekeyfuzz=0%
        keylife=3600s
        esp=3des-md5
        ike=3des-md5
        keyexchange=ike
        pfs=yes
        left=10.103.0.11
        leftsubnet=10.103.0.0/16
        leftnexthop=%defaultroute
        leftid=xxx.xxx.xxx.105
        right=xxx.xxx.xxx.204
        rightsubnet=192.168.0.0/24
        rightnexthop=%defaultroute
        rightid=xxx.xxx.xxx.204
        auto=start

"tunnel1.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"

I've tried many different things and never got past the preshared key problem.

Very frustrated; I'd appreciate you pointing out what I am doing wrong.
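Added example (not part of the original post or of Openswan itself): an offline check of the one thing the "no preshared key" message is about, namely whether ipsec.secrets has a PSK line whose selectors cover the identity pair pluto looks up for the conn. The assumptions, taken from ipsec.conf(5) and ipsec.secrets(5), are stated in the script header: each end's identity is leftid/rightid, falling back to left/right when unset; a secrets line applies when its selectors cover both identities; %any covers any identity; a line with no selectors covers every pair. Behind NAT this matters because left is the private interface address while the peer sees the NAT's public address, so the two ends must agree on the same identity pair (in their own order) and the secrets file on each end must be keyed on that pair. The sample ipsec.conf and secrets files written by write_samples are constructed, modelled on the Site A layout above, with RFC 5737 documentation addresses standing in for the xxx values; the "bad" secrets file is keyed on the private interface address instead of leftid, which is one way to get exactly the error in the post. For the terms in the post: NETKEY is the native Linux kernel IPsec stack (protostack=netkey in config setup), and the "Oakley authentication method" is the IKEv1 (ISAKMP/Oakley) attribute that names how the IKE SA is authenticated (PSK here); a NO_PROPOSAL_CHOSEN notification means the two ends' IKE or ESP proposals did not overlap. The sample deliberately does not pin ike=3des-md5/esp=3des-md5 as Attempt #2 does: 3DES and MD5 are legacy algorithms, and pinning them on only one end is itself a cause of NO_PROPOSAL_CHOSEN.

```shell
#!/usr/bin/env bash
# Added example, not from the thread and not Openswan code. It reads a conn
# block from an ipsec.conf and checks that an ipsec.secrets file has a PSK
# line whose selectors cover the identity pair that conn will look up.
# Assumed lookup rule (ipsec.conf(5), ipsec.secrets(5)): an end's identity is
# leftid/rightid, falling back to left/right when unset; a line
# 'sel sel ... : PSK "..."' applies when its selectors cover both identities;
# %any covers any identity; a line with no selectors covers every pair.
# Selectors are assumed to be IPv4 addresses or @names (no IPv6 colons).
set -eu

# conn_value CONF CONN KEY: print KEY's value inside "conn CONN" (empty if unset).
conn_value() {
    awk -v conn="$2" -v key="$3" '
        /^config[ \t]/              { inconn = 0; next }
        /^conn[ \t]/                { inconn = ($2 == conn); next }
        inconn && $1 ~ ("^" key "=") { sub("^" key "=", "", $1); print $1; exit }
    ' "$1"
}

# effective_ids CONF CONN: print "LOCAL REMOTE", the identity pair pluto looks up.
effective_ids() {
    local l r lid rid
    l=$(conn_value "$1" "$2" left)
    r=$(conn_value "$1" "$2" right)
    lid=$(conn_value "$1" "$2" leftid)
    rid=$(conn_value "$1" "$2" rightid)
    printf '%s %s\n' "${lid:-$l}" "${rid:-$r}"
}

# psk_line_for SECRETS LOCAL REMOTE: print line number and selectors of the
# first PSK line covering both identities and return 0; return 1 if none does.
# Only the selectors are printed, never the secret itself.
psk_line_for() {
    awk -v a="$2" -v b="$3" '
        /^[ \t]*#/ || $0 !~ /:[ \t]*PSK/ { next }
        {
            idx = index($0, ":")
            sels = substr($0, 1, idx - 1)
            n = split(sels, sel, " ")
            ok = (n == 0)                      # no selectors: covers every pair
            ha = 0; hb = 0
            for (i = 1; i <= n; i++) {
                if (sel[i] == "%any" || sel[i] == a) ha = 1
                if (sel[i] == "%any" || sel[i] == b) hb = 1
            }
            if (ok || (ha && hb)) { printf "%d: selectors [%s]\n", NR, sels; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_conn CONF CONN SECRETS: report the pair and whether SECRETS covers it.
# Returns 0 on a match, 1 otherwise.
check_conn() {
    local ids local_id remote_id line
    ids=$(effective_ids "$1" "$2")
    local_id=${ids%% *}; remote_id=${ids#* }
    echo "conn $2: PSK lookup for local=$local_id remote=$remote_id"
    case $local_id in
        %defaultroute) echo "  note: left=%defaultroute with no leftid; pluto uses the resolved interface address, which this offline check cannot see" ;;
    esac
    if line=$(psk_line_for "$3" "$local_id" "$remote_id"); then
        echo "  ok: $3 line $line (the peer's secrets must cover the same pair in its own order)"
    else
        echo "  MISSING: no line in $3 covers both identities; pluto would report \"no preshared key\""
        return 1
    fi
}

# write_samples DIR: constructed files modelled on the Site A layout (private
# left, public leftid). Addresses are RFC 5737 documentation ranges.
write_samples() {
    cat >"$1/ipsec.conf" <<'EOF'
config setup
        nat_traversal=yes
        protostack=netkey

conn sitea-aws
        type=tunnel
        authby=secret
        left=192.168.0.13
        leftid=203.0.113.204
        leftsubnet=192.168.0.0/24
        right=198.51.100.105
        rightsubnet=10.103.0.0/16
        pfs=yes
        auto=start
EOF
    # Matching: selectors are the identities the conn actually uses.
    printf '198.51.100.105 203.0.113.204: PSK "example-only-psk"\n' >"$1/good.secrets"
    # Mismatch: keyed on the private interface address instead of leftid.
    printf '198.51.100.105 192.168.0.13: PSK "example-only-psk"\n' >"$1/bad.secrets"
}

# Stand-alone run: one matching and one mismatching secrets file.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_conn "$demo_dir/ipsec.conf" sitea-aws "$demo_dir/good.secrets" || true
check_conn "$demo_dir/ipsec.conf" sitea-aws "$demo_dir/bad.secrets" || true
rm -rf "$demo_dir"
```

To use it on a real box, call check_conn with /etc/ipsec.conf, the conn name and /etc/ipsec.secrets on each end; a "MISSING" on either side explains a "no preshared key" log line, while two "ok" results mean the remaining problem is elsewhere (proposal mismatch, the peer address seen through NAT, or an ID the peer does not expect).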



