<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Nick,<br>
      <br>
      Oops!!! Sorry!!! I just meant NOT specifying ike= and phase2alg=
      OR commenting them out.<br>
      What happens in such a case?<br>
      <pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
      On 16/03/2013 16:56, Nick Howitt wrote:<br>
    </div>
    <blockquote cite="mid:51449643.5080704@gmail.com" type="cite">
      Philippe,<br>
      <br>
      They are not commented out. See the conf file below.<br>
      <br>
      Regards,<br>
      <br>
      Nick<br>
      <br>
      <div class="moz-cite-prefix">On 16/03/2013 14:22, Philippe Vouters
        wrote:<br>
      </div>
      <blockquote cite="mid:5144801F.8020306@laposte.net" type="cite">
        <div class="moz-cite-prefix">Nick,<br>
          <br>
          What about NOT commenting out ike= and phase2alg= ????<br>
          <pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
          On 16/03/2013 14:48, Nick Howitt wrote:<br>
        </div>
        <blockquote cite="mid:51447827.3090500@gmail.com" type="cite">
          OK,<br>
          <br>
          From "ipsec auto --status | grep -i aes | grep -i mum":<br>
          <br>
          000 "MumIn"[2]:&nbsp;&nbsp; IKE algorithms wanted:
          AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict<br>
          000 "MumIn"[2]:&nbsp;&nbsp; IKE algorithms found:&nbsp;
          AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)<br>
          000 "MumIn"[2]:&nbsp;&nbsp; IKE algorithm newest:
          AES_CBC_256-SHA1-MODP2048<br>
          000 "MumIn"[2]:&nbsp;&nbsp; ESP algorithms wanted:
          AES(12)_256-MD5(1)_000, AES(12)_256-SHA1(2)_000; flags=-strict<br>
          000 "MumIn"[2]:&nbsp;&nbsp; ESP algorithms loaded:
          AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160<br>
          000 "MumIn"[2]:&nbsp;&nbsp; ESP algorithm newest: AES_256-HMAC_SHA1;
          pfsgroup=&lt;Phase1&gt;<br>
          <br>
          This is OK in Openswan which does not have strict matching
          (actually it appears to allow anything even 3DES when you
          specify AES). Is Libreswan no longer the same? How would I
          specify ike and phase2alg to match?<br>
          <br>
          I also thought that by only specifying phase2alg=aes256 it should
          allow aes256 with MD5 or SHA1 and with any MODP.<br>
          <br>
          Regards,<br>
          <br>
          Nick<br>
          <br>
          <div class="moz-cite-prefix">On 16/03/2013 13:34, Philippe
            Vouters wrote:<br>
          </div>
          <blockquote cite="mid:514474E0.10500@laposte.net" type="cite">
            <div class="moz-cite-prefix">Nick,<br>
              One possible cause is a mismatch of the ike/phase2alg with
              the remote peer. Up to you to see whether this applies.<br>
              <tt>&nbsp;ike=aes256-sha1;modp2048</tt><tt><br>
              </tt><tt>&nbsp;phase2alg=aes256</tt><br>
              <pre class="moz-signature" cols="72">Philippe Vouters (Fontainebleau/France)
URL: <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://vouters.dyndns.org/">http://vouters.dyndns.org/</a>
SIP: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:sip:Vouters@sip.linphone.org">sip:Vouters@sip.linphone.org</a></pre>
              On 16/03/2013 12:52, Nick Howitt wrote:<br>
            </div>
            <blockquote cite="mid:51445CF2.5050008@gmail.com"
              type="cite">
              It is there in <a moz-do-not-send="true"
                class="moz-txt-link-freetext"
                href="https://download.libreswan.org/binaries/rhel/">https://download.libreswan.org/binaries/rhel/</a>
              but I can't get it to work :(<br>
              <br>
              I have installed it and with identical configs to openswan
              all I get in my logs is:<br>
              <pre>Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: received Vendor ID payload [Dead Peer Detection]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: received Vendor ID payload [RFC 3947]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 16 11:43:59 server pluto[10870]: packet from 88.104.26.203:500: initial Main Mode message received on 82.19.147.85:500 but no connection has been authorized with policy=PSK</pre>
              <br>
              My ipsec.conf is:<br>
              <pre># The config file changed quite a bit from 1.x.
# See <a moz-do-not-send="true" class="moz-txt-link-freetext" href="http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html">http://www.freeswan.org/freeswan_trees/freeswan-2.00/doc/upgrading.html</a>

version 2.0

# Default policy
#---------------

config setup
    interfaces=%defaultroute
    plutodebug=none    # plutodebug="all crypt"
    # plutodebug=controlmore
    klipsdebug=none
    oe=no
    protostack=netkey    # 2.6.x only
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.2.0/24,%v4:!192.168.3.0/24
    nat_traversal=yes


conn %default
    type=tunnel
    authby=secret

# Tunnels defined in separate files
#----------------------------------

include /etc/ipsec.d/ipsec.*.conf</pre>
              <br>
              <br>
              One of the sub files,
              /etc/ipsec.d/ipsec.unmanaged.MumIn.conf, is:<br>
              <pre>conn MumIn
 type=tunnel
 authby=secret
 dpdtimeout=120
 dpddelay=30
 auto=add
 left=%defaultroute
 leftsourceip=192.168.2.1
 leftsubnet=192.168.2.0/24
 leftid=@Nick
 right=%any
 rightsubnet=192.168.10.0/24
 salifetime=24h
 dpdaction=clear
 ikelifetime=24h
 ike=aes256-sha1;modp2048
 phase2alg=aes256
 rekey=no</pre>
              The secrets file contains:<br>
              <tt>@Nick %any : PSK "PSK_Here"</tt><br>
              <br>
              This happens for both my remote locations. One is behind
              NAT, the other is not.<br>
              <br>
              Regards,<br>
              <br>
              Nick<br>
              <br>
              <div class="moz-cite-prefix">On 16/03/2013 11:42, T.J.
                Yang wrote:<br>
              </div>
              <blockquote
cite="mid:CAD2GW8o1duXb-==LuhxkspXHwKWCn_QOjKc1izjxMFsduqpJ_g@mail.gmail.com"
                type="cite">
                <div dir="ltr">Hi Paul,
                  <div><br>
                  </div>
                  <div style="">Is there outstanding/roadblock &nbsp;issue ?</div>
                  <div>Hoping you can release libreswan 3.1 CentOS/RHEL
                    6 package to repo soon.</div>
                  <div><br>
                  </div>
                  <div><br>
                  </div>
                  <div style="">Thanks</div>
                  <div style=""><br>
                  </div>
                  <div>tj<br clear="all">
                    <div><br>
                    </div>
                    -- <br>
                    T.J. Yang </div>
                </div>
                <br>
                <fieldset class="mimeAttachmentHeader"></fieldset>
                <br>
                <pre wrap="">_______________________________________________
Swan mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Swan@lists.libreswan.org">Swan@lists.libreswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.libreswan.org/mailman/listinfo/swan">https://lists.libreswan.org/mailman/listinfo/swan</a>
</pre>
              </blockquote>
            </blockquote>
            <br>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
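<p>Nick's question above turns on what the <tt>ipsec auto --status</tt> algorithm lines actually say about a connection: which proposals were <i>wanted</i> from ike=/phase2alg=, which of them are <i>found</i>/<i>loaded</i> (usable by this pluto), and which the last negotiation picked (<i>newest</i>). The script below is an added example, not part of the thread and not Libreswan project code. It parses those lines from the quoted output, flags proposals that use an algorithm the script's own WEAK list rejects (MD5 integrity in the MumIn ESP proposals, for instance), and reports any wanted proposal that no loaded proposal can satisfy, which is a proposal the daemon can never negotiate whatever the peer offers. Two things are this script's assumptions rather than documented pluto behaviour: the line layout is inferred only from the lines quoted above, and a wanted key length printed as <tt>_000</tt> is treated as "not specified". The "Example" connection in the sample input is made up to exercise the unloaded-proposal check.</p>

```python
"""Audit the per-connection algorithm lines of `ipsec auto --status`.

Added example for this thread, not code from the Libreswan project. The line
layout is inferred from the status output quoted in the thread; treating a
wanted key length of 000 as "unspecified" and the WEAK set are assumptions.
"""
import re
from collections import defaultdict

# One status line, e.g.
#   000 "MumIn"[2]:   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
LINE_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)"(?:\[\d+\])?:\s+'
    r'(?P<proto>IKE|ESP) algorithms? (?P<kind>wanted|found|loaded|newest):\s*'
    r'(?P<rest>.*)$'
)
# One algorithm token: NAME, optional (transform id), optional _keybits,
# e.g. AES_CBC(7)_256, SHA1(2)_000, MODP2048(14), AES_256, HMAC_SHA1
ALG_RE = re.compile(r'^(?P<name>[A-Z0-9][A-Z0-9_]*?)(?:\((?P<id>\d+)\))?(?:_(?P<bits>\d+))?$')

# Name components this auditor flags wherever they appear (a policy choice, not a Libreswan rule).
WEAK = {"DES", "3DES", "MD5", "MODP768", "MODP1024"}


def is_weak(name):
    """'HMAC_MD5' and '3DES_CBC' are weak, 'AES_CBC' is not: compare each underscore-separated part."""
    return any(part in WEAK for part in name.split('_'))


def parse_proposal(text):
    """'AES_CBC(7)_256-SHA1(2)_000-MODP2048(14)' -> [('AES_CBC', 256), ('SHA1', 0), ('MODP2048', None)]"""
    algs = []
    for token in text.split('-'):
        m = ALG_RE.match(token.strip())
        if not m:
            raise ValueError("unrecognised algorithm token: %r" % token)
        bits = m.group('bits')
        algs.append((m.group('name'), int(bits) if bits is not None else None))
    return algs


def fmt(proposal):
    """Inverse of parse_proposal without transform ids: [('AES', 256), ('MD5', 0)] -> 'AES_256-MD5_000'."""
    return '-'.join(name if bits is None else "%s_%03d" % (name, bits) for name, bits in proposal)


def parse_status(lines):
    """Return {conn: {(proto, kind): {'proposals': [...], 'flags': str}}} for the algorithm lines."""
    report = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an algorithm line; pluto prints many other "000" lines
        proposals_text, _, flags = m.group('rest').partition(';')
        proposals = [parse_proposal(p) for p in proposals_text.split(',') if p.strip()]
        report[m.group('conn')][(m.group('proto'), m.group('kind'))] = {
            'proposals': proposals, 'flags': flags.strip()}
    return dict(report)


def weak_proposals(report):
    """(conn, proto, kind, proposal, [weak names]) for every proposal that uses a WEAK algorithm."""
    findings = []
    for conn, entries in report.items():
        for (proto, kind), entry in entries.items():
            for prop in entry['proposals']:
                bad = sorted({name for name, _ in prop if is_weak(name)})
                if bad:
                    findings.append((conn, proto, kind, fmt(prop), bad))
    return findings


def _satisfies(loaded, wanted):
    """Names must agree position by position; a wanted length of 0 (printed _000) or None is a wildcard."""
    if len(wanted) != len(loaded):
        return False
    for (wn, wb), (ln, lb) in zip(wanted, loaded):
        if wn != ln or (wb not in (None, 0) and wb != lb):
            return False
    return True


def unloaded_proposals(report):
    """Wanted proposals that no found/loaded proposal of the same connection satisfies.
    Such a proposal can never be negotiated, whatever the peer offers."""
    missing = []
    for conn, entries in report.items():
        for proto in ("IKE", "ESP"):
            wanted = entries.get((proto, "wanted"))
            loaded = entries.get((proto, "found")) or entries.get((proto, "loaded"))
            if not wanted or not loaded:
                continue
            for prop in wanted['proposals']:
                if not any(_satisfies(l, prop) for l in loaded['proposals']):
                    missing.append((conn, proto, fmt(prop)))
    return missing


# Constructed sample: the "MumIn" lines quoted in the thread, rejoined onto single lines,
# plus a made-up "Example" connection whose second ESP proposal is wanted but not loaded.
SAMPLE = """\
000 "MumIn"[2]:   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "MumIn"[2]:   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "MumIn"[2]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000 "MumIn"[2]:   ESP algorithms wanted: AES(12)_256-MD5(1)_000, AES(12)_256-SHA1(2)_000; flags=-strict
000 "MumIn"[2]:   ESP algorithms loaded: AES(12)_256-MD5(1)_128, AES(12)_256-SHA1(2)_160
000 "MumIn"[2]:   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1>
000 "Example":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000, CAMELLIA(22)_128-SHA1(2)_000; flags=-strict
000 "Example":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
""".splitlines()

if __name__ == "__main__":
    # On a live system feed it subprocess.check_output(["ipsec", "auto", "--status"]).decode().splitlines()
    rep = parse_status(SAMPLE)
    for conn, proto, kind, prop, bad in weak_proposals(rep):
        print("WEAK      %-8s %s %-6s %s uses %s" % (conn, proto, kind, prop, ",".join(bad)))
    for conn, proto, prop in unloaded_proposals(rep):
        print("UNLOADED  %-8s %s wanted %s but nothing loaded satisfies it" % (conn, proto, prop))
```

<p>Run against the quoted output it reports the two MD5 ESP proposals of MumIn as weak and nothing as unloaded, which is consistent with the mismatch being on the peer's side rather than in what this pluto can offer; the made-up Example connection shows what an unloaded proposal looks like. The check only covers one end: the peer's proposal list still has to overlap with the wanted set, and the script cannot see that.</p>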
  </body>
</html>