[Swan] 3.1 rpm package

Philippe Vouters philippe.vouters at laposte.net
Sat Mar 16 16:22:23 EET 2013 

Nick,

What about NOT commenting out ike= and phase2alg= ????

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

Le 16/03/2013 14:48, Nick Howitt a écrit :
> OK,
>
> From "ipsec auto --status | grep -i aes | grep -i mum":
>
> 000 "MumIn"[2]:   IKE algorithms wanted: 
> AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
> 000 "MumIn"[2]:   IKE algorithms found: 
> AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
> 000 "MumIn"[2]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
> 000 "MumIn"[2]:   ESP algorithms wanted: AES(12)_256-MD5(1)_000, 
> AES(12)_256-SHA1(2)_000; flags=-strict
> 000 "MumIn"[2]:   ESP algorithms loaded: AES(12)_256-MD5(1)_128, 
> AES(12)_256-SHA1(2)_160
> 000 "MumIn"[2]:   ESP algorithm newest: AES_256-HMAC_SHA1; 
> pfsgroup=<Phase1>
>
> This is OK in Openswan which does not have strict matching (actually 
> it appears to allow anything even 3DES when you specify AES). Is 
> Libreswan no longer the same? How would I specify ike and phase2alg to 
> match?
>
> I also thought only specifying phase2alg=aes256, it should allow 
> aes256 with MD5 or SHA1 and with any MODP
>
> Regards,
>
> Nick
>
> On 16/03/2013 13:34, Philippe Vouters wrote:
>> Nick,
>> One possible cause is a mismatch of the ike/phase2alg with the remote 
>> peer. Up to you to see whether this applies.
>>  ike=aes256-sha1;modp2048
>>  phase2alg=aes256
>> Philippe Vouters (Fontainebleau/France)
>> URL:http://vouters.dyndns.org/
>> SIP:sip:Vouters at sip.linphone.org
>> Le 16/03/2013 12:52, Nick Howitt a écrit :
>>> It is there in https://download.libreswan.org/binaries/rhel/ but I 
>>> can't get it to work :(
>>>
>>> I have installed it and with identical configs to openswan all I get 
>>> in my logs is:
>>> Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: 
>>> received Vendor ID payload [Dead Peer Detection]
>>> Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: 
>>> received Vendor ID payload [RFC 3947]
>>> Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: 
>>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
>>> Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: 
>>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
>>> Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: 
>>> ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
>>> Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: 
>>> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>>> Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: 
>>> initial Main Mode message received on 82.19.147.85:500 but no 
>>> connection has been authorized with policy=PSK
>>>
>>> My Ipsec.conf is:
>>> # The config file changed quite a bit from 1.x.
>>> # See 
>>> http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html
>>>
>>> version 2.0
>>>
>>> # Default policy
>>> #---------------
>>>
>>> config setup
>>>     interfaces=%defaultroute
>>>     plutodebug=none    # plutodebug="all crypt"
>>>     # plutodebug=controlmore
>>>     klipsdebug=none
>>>     oe=no
>>>     protostack=netkey    # 2.6.x only
>>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
>>>     nat_traversal=yes
>>>
>>>
>>> conn %default
>>>     type=tunnel
>>>     authby=secret
>>>
>>> # Tunnels defined in separate files
>>> #----------------------------------
>>>
>>> include /etc/ipsec.d/ipsec.*.conf
>>>
>>>
>>> One of the sub files, /etc/ipsec.d/ipsec.unmanaged.MumIn.conf, is:
>>> conn MumIn
>>>  type=tunnel
>>>  authby=secret
>>>  dpdtimeout=120
>>>  dpddelay=30
>>>  auto=add
>>>  left=%defaultroute
>>>  leftsourceip=192.168.2.1
>>>  leftsubnet=192.168.2.0/24
>>>  leftid=@Nick
>>>  right=%any
>>>  rightsubnet=192.168.10.0/24
>>>  salifetime=24h
>>>  dpdaction=clear
>>>  ikelifetime=24h
>>>  ike=aes256-sha1;modp2048
>>>  phase2alg=aes256
>>>  rekey=no
>>>
>>> The secrets file contains:
>>> @Nick %any : PSK "PSK_Here"
>>>
>>> This happens for both my remote locations. One is behind NAT, the 
>>> other is not.
>>>
>>> Regards,
>>>
>>> Nick
>>>
>>> On 16/03/2013 11:42, T.J. Yang wrote:
>>>> Hi Paul,
>>>>
>>>> Is there outstanding/roadblock  issue ?
>>>> Hoping you can release libreswan 3.1 CentOS/RHEL 6 package to repo 
>>>> soon.
>>>>
>>>>
>>>> Thanks
>>>>
>>>> tj
>>>>
>>>> -- 
>>>> T.J. Yang
>>>>
>>>>
>>>> _______________________________________________
>>>> Swan mailing list
>>>> Swan at lists.libreswan.org
>>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>
>>>
>>>
>>> _______________________________________________
>>> Swan mailing list
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
>>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20130316/03267467/attachment.html>

More information about the Swan mailing list