[Openswan Users] NAT Traversal, No Proposal Chosen, No Preshared Key, Oakley Authentication Method

Dane Ruyle druyle at certona.com
Tue Jul 21 12:58:14 EDT 2015 

Resending.....  Any help?


I rolled out Openswan in AWS in 2 different VPC's so they could talk to each other,  it was up and running in less than 30 minutes.   This is simple!!

It works very well, want to move everything to Openswan from local site A to the Openswan instance in AWS because my very very old firewall cannot handle so much IPSEC.

Rolled out Ubuntu 14.04 LTS, apt-get install openswan.  It is behind a firewall, which I guess I need to enable NAT Traversal (it was already enabled).

Many attempts at setting this up, the constant is "Site A-AWS"  xxx Can't authenticate:  no preshared key for "aaa.bbb.ccc.ddd" "eee.fff.ggg.hhh".

I've downloaded the newest version of openswan on the local Site A box - compiled, started getting errors when trying to enable NAT traversal or add it into the Kernel or whatever.
According to my findings, it looks like NAT traversal is part of the kernel.
It looks like it installed OK because now I am seeing new messages about Oakley Authentication?   No idea what this is.  What happened to Netkey?  No idea what that is.

The secrets file is simple.  The conf file is simple.

How can something be so easy to setup in AWS and such a pain outside AWS?  

ATTEMPT #1 - copy/modify working AWS config Site A  Openswan version on apt-get, did not note it.

"sitea-aws.conf" 
conn colo1-to-nca
        type=tunnel
        authby=secret
        left=192.168.0.13
        leftid=xxx.xxx.xxx.204
        leftnexthop=10.103.0.11
        leftsubnet=192.168.0.0/24
        right=xxx.xxx.xxx.105
        rightsubnet=10.103.0.0/16
        pfs=yes
        auto=start

"sitea-aws.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"


RIGHT - AWS  Openswan 2.6.37
"sitea-aws.conf"
conn aws-sitea
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=xxx.xxx.xxx.105
        leftnexthop=%defaultroute
        leftsubnet=10.103.0.0/16
        right=xxx.xxx.xxx.204
        rightsubnets=192.168.0.0/24,172.21.0.0/16
        pfs=yes
        auto=start

"sitea-aws.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"


ATTEMPT #2 - using configurator
Site A  Upgraded Openswan to version 2.6.43 "tunnel1.conf"
conn sitea-nca
        type=tunnel
        auth=esp
        authby=secret
        ikelifetime=1440m
        rekeymargin=10m
        rekeyfuzz=0%
        keylife=3600s
        esp=3des-md5
        ike=3des-md5
        keyexchange=ike
        pfs=yes
        left=192.168.0.13
        leftsubnet=192.168.0.0/24
        leftnexthop=%defaultroute
        leftid=xxx.xxx.xxx.204
        right=xxx.xxx.xxx.105
        rightsubnet=10.103.0.0/16
        rightnexthop=%defaultroute
        rightid=xxx.xxx.xxx.105
        auto=start

"tunnel1.secrets"
xxx.xxx.xxx.204 xxx.xxx.xxx.105: PSK "keyhere"


AWS Side
conn colo1-sitea
        type=tunnel
        auth=esp
        authby=secret
        ikelifetime=1440m
        rekeymargin=10m
        rekeyfuzz=0%
        keylife=3600s
        esp=3des-md5
        ike=3des-md5
        keyexchange=ike
        pfs=yes
        left=10.103.0.11
        leftsubnet=10.103.0.0/16
        leftnexthop=%defaultroute
        leftid=xxx.xxx.xxx.105
        right=xxx.xxx.xxx.204
        rightsubnet=192.168.0.0/24
        rightnexthop=%defaultroute
        rightid=xxx.xxx.xxx.204
        auto=start

"tunnel1.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"

I've tried many different things, never got past the preshared key problem.

More information about the Users mailing list