<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Nick,<br>
      <br>
      What about NOT commenting out ike= and phase2alg= ????<br>
      <pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
On 16/03/2013 14:48, Nick Howitt wrote:<br>
    </div>
    <blockquote cite="mid:51447827.3090500@gmail.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      OK,<br>
      <br>
      From "ipsec auto --status | grep -i aes | grep -i mum":<br>
      <br>
<pre wrap="">000 "MumIn"[2]:   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "MumIn"[2]:   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "MumIn"[2]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 "MumIn"[2]:   ESP algorithms wanted: AES(12)_256-MD5(1)_000, AES(12)_256-SHA1(2)_000; flags=-strict
000 "MumIn"[2]:   ESP algorithms loaded: AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160
000 "MumIn"[2]:   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=&lt;Phase1&gt;
</pre>
      <br>
      This is OK in Openswan which does not have strict matching
      (actually it appears to allow anything even 3DES when you specify
      AES). Is Libreswan no longer the same? How would I specify ike and
      phase2alg to match?<br>
      <br>
I also thought that only specifying phase2alg=aes256 should allow
aes256 with MD5 or SHA1 and with any MODP.<br>
      <br>
      Regards,<br>
      <br>
      Nick<br>
      <br>
      <div class="moz-cite-prefix">On 16/03/2013 13:34, Philippe Vouters
        wrote:<br>
      </div>
      <blockquote cite="mid:514474E0.10500@laposte.net" type="cite">
        <meta content="text/html; charset=ISO-8859-1"
          http-equiv="Content-Type">
        <div class="moz-cite-prefix">Nick,<br>
          One possible cause is a mismatch of the ike/phase2alg with the
          remote peer. Up to you to see whether this applies.<br>
<pre wrap=""> ike=aes256-sha1;modp2048
 phase2alg=aes256
</pre>
          <pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
On 16/03/2013 12:52, Nick Howitt wrote:<br>
        </div>
        <blockquote cite="mid:51445CF2.5050008@gmail.com" type="cite">
          <meta content="text/html; charset=ISO-8859-1"
            http-equiv="Content-Type">
          It is there in <a moz-do-not-send="true"
            class="moz-txt-link-freetext"
            href="https://download.libreswan.org/binaries/rhel/">https://download.libreswan.org/binaries/rhel/</a>
          but I can't get it to work :(<br>
          <br>
          I have installed it and with identical configs to openswan all
          I get in my logs is:<br>
<pre wrap="">Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: received Vendor ID payload [Dead Peer Detection]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: received Vendor ID payload [RFC 3947]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: initial Main Mode message received on 82.19.147.85:500 but no connection has been authorized with policy=PSK
</pre>
          <br>
My ipsec.conf is:<br>
<pre wrap=""># The config file changed quite a bit from 1.x.
# See <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html">http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html</a>

version 2.0

# Default policy
#---------------

config setup
    interfaces=%defaultroute
    plutodebug=none    # plutodebug="all crypt"
    # plutodebug=controlmore
    klipsdebug=none
    oe=no
    protostack=netkey    # 2.6.x only
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
    nat_traversal=yes


conn %default
    type=tunnel
    authby=secret

# Tunnels defined in separate files
#----------------------------------

include /etc/ipsec.d/ipsec.*.conf
</pre>
          <br>
          <br>
          One of the sub files, /etc/ipsec.d/ipsec.unmanaged.MumIn.conf,
          is:<br>
<pre wrap="">conn MumIn
 type=tunnel
 authby=secret
 dpdtimeout=120
 dpddelay=30
 auto=add
 left=%defaultroute
 leftsourceip=192.168.2.1
 leftsubnet=192.168.2.0/24
 leftid=@Nick
 right=%any
 rightsubnet=192.168.10.0/24
 salifetime=24h
 dpdaction=clear
 ikelifetime=24h
 ike=aes256-sha1;modp2048
 phase2alg=aes256
 rekey=no
</pre>
          The secrets file contains:<br>
          <tt>@Nick %any : PSK "PSK_Here"</tt><br>
          <br>
          This happens for both my remote locations. One is behind NAT,
          the other is not.<br>
          <br>
          Regards,<br>
          <br>
          Nick<br>
          <br>
          <div class="moz-cite-prefix">On 16/03/2013 11:42, T.J. Yang
            wrote:<br>
          </div>
          <blockquote
cite="mid:CAD2GW8o1duXb-==LuhxkspXHwKWCn_QOjKc1izjxMFsduqpJ_g@mail.gmail.com"
            type="cite">
            <div dir="ltr">Hi Paul,
              <div><br>
              </div>
<div style="">Is there an outstanding/roadblock issue?</div>
              <div>Hoping you can release libreswan 3.1 CentOS/RHEL 6
                package to repo soon.</div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div style="">Thanks</div>
              <div style=""><br>
              </div>
              <div>tj<br clear="all">
                <div><br>
                </div>
                -- <br>
                T.J. Yang </div>
            </div>
            <br>
            <fieldset class="mimeAttachmentHeader"></fieldset>
            <br>
            <pre wrap="">_______________________________________________
Swan mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
          </blockquote>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
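<p>Added example (editor's addition, not code from the thread or from Libreswan): a small Python checker for the algorithm lines that <tt>ipsec auto --status</tt> prints, of the kind Nick quoted above. It parses each "IKE/ESP algorithms wanted" line and its "found"/"loaded" counterpart, normalises the proposal strings (transform ids dropped; key bits kept only for the cipher, because "wanted" prints <tt>_000</tt> for the integrity algorithm while "found"/"loaded" print its real output size), and reports any wanted proposal that has no available counterpart. On the quoted "MumIn" lines it reports nothing missing, which tells you the algorithms named in <tt>ike=</tt>/<tt>phase2alg=</tt> are loaded on the local side only; what the remote peer proposes still has to be checked on the peer. The second sample, with a conn named "Bad", is constructed to show what a gap looks like.</p>

```python
import re
from collections import defaultdict

# Constructed sample: the six status lines quoted in the thread for conn "MumIn"
# (whitespace normalised).
STATUS_SAMPLE = """\
000 "MumIn"[2]:   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "MumIn"[2]:   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "MumIn"[2]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 "MumIn"[2]:   ESP algorithms wanted: AES(12)_256-MD5(1)_000, AES(12)_256-SHA1(2)_000; flags=-strict
000 "MumIn"[2]:   ESP algorithms loaded: AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160
000 "MumIn"[2]:   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1>
"""

# Constructed negative sample (hypothetical conn "Bad"): a wanted IKE proposal
# whose DH group does not appear among the found proposals.
STATUS_BAD_SAMPLE = """\
000 "Bad":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2), AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "Bad":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
"""

LINE_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)"(?:\[\d+\])?:\s+'
    r'(?P<phase>IKE|ESP) algorithms (?P<kind>wanted|found|loaded):\s*(?P<body>.*)$'
)
# One proposal token: NAME, optional (transform-id), optional _keybits, e.g. AES_CBC(7)_256.
TOKEN_RE = re.compile(r'^(?P<name>[A-Z0-9_]+?)(?:\((?P<id>\d+)\))?(?:_(?P<bits>\d+))?$')


def normalise(proposal: str) -> str:
    """Reduce 'AES_CBC(7)_256-SHA1(2)_000-MODP2048(14)' to 'AES_CBC_256-SHA1-MODP2048'.

    Transform ids are dropped. Key bits are kept only for the first (cipher) token:
    'wanted' lines print _000 for the integrity algorithm while 'found'/'loaded'
    print its real output size (_160 for SHA1, _128 for MD5), so those bits must
    not take part in the comparison.
    """
    parts = []
    for i, tok in enumerate(proposal.split("-")):
        m = TOKEN_RE.match(tok)
        if not m:
            raise ValueError(f"unparseable token {tok!r} in {proposal!r}")
        name = m.group("name")
        bits = m.group("bits")
        if i == 0 and bits and bits != "000":
            name = f"{name}_{bits}"
        parts.append(name)
    return "-".join(parts)


def parse_status(text: str) -> dict:
    """Return {(conn, phase): {kind: [normalised proposals]}} for wanted/found/loaded lines."""
    table = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # 'newest' lines and unrelated status output are skipped
        body = m.group("body").split(";")[0]  # drop a trailing '; flags=...'
        for prop in body.split(","):
            prop = prop.strip()
            if prop:
                table[(m.group("conn"), m.group("phase"))][m.group("kind")].append(normalise(prop))
    return table


def missing_proposals(text: str) -> list:
    """List (conn, phase, proposal) for every wanted proposal with no found/loaded counterpart."""
    out = []
    for (conn, phase), kinds in parse_status(text).items():
        available = set(kinds.get("found", [])) | set(kinds.get("loaded", []))
        for prop in kinds.get("wanted", []):
            if prop not in available:
                out.append((conn, phase, prop))
    return out


if __name__ == "__main__":
    for name, sample in (("MumIn sample", STATUS_SAMPLE), ("Bad sample", STATUS_BAD_SAMPLE)):
        gaps = missing_proposals(sample)
        print(f"{name}: {'all wanted proposals are available' if not gaps else gaps}")
```

<p>Run it against the real output with <tt>ipsec auto --status | python3 check.py</tt> after replacing the embedded samples with <tt>sys.stdin.read()</tt>; an empty result from <tt>missing_proposals</tt> means every proposal the connection asks for is backed by a loaded algorithm, and any entry it does print names the proposal to fix in <tt>ike=</tt> or <tt>phase2alg=</tt>.</p>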
    <br>
  </body>
</html>