List: openswan-users
Subject: Re: [Openswan Users] NAT Traversal, No Proposal Chosen, No Preshared Key, Oakley Authentication Meth
From: Dane Ruyle <druyle () certona ! com>
Date: 2015-07-21 16:58:14
Message-ID: 84C7DD74E948A240AEF1CEBB78267B7D015AD301 () ORD2MBX09A ! mex05 ! mlsrvr ! com
Resending..... Any help?
I rolled out Openswan in AWS in 2 different VPCs so they could talk to each other; it was up and running in less than 30 minutes. This is simple!!
It works very well. I want to move everything to Openswan from local site A to the Openswan instance in AWS because my very very old firewall cannot handle so much IPSEC.
Rolled out Ubuntu 14.04 LTS, apt-get install openswan. It is behind a firewall, so I guess I need to enable NAT Traversal (it was already enabled).
Many attempts at setting this up; the constant is "Site A-AWS" xxx Can't authenticate: no preshared key for "aaa.bbb.ccc.ddd" "eee.fff.ggg.hhh".
I've downloaded the newest version of openswan on the local Site A box and compiled it; I started getting errors when trying to enable NAT traversal or add it into the kernel or whatever. According to my findings, it looks like NAT traversal is part of the kernel. It looks like it installed OK because now I am seeing new messages about Oakley Authentication? No idea what this is. What happened to Netkey? No idea what that is.
The secrets file is simple. The conf file is simple.
How can something be so easy to setup in AWS and such a pain outside AWS?
ATTEMPT #1 - copy/modify working AWS config
Site A - Openswan version from apt-get, did not note it.
"sitea-aws.conf"
conn colo1-to-nca
    type=tunnel
    authby=secret
    left=192.168.0.13
    leftid=xxx.xxx.xxx.204
    leftnexthop=10.103.0.11
    leftsubnet=192.168.0.0/24
    right=xxx.xxx.xxx.105
    rightsubnet=10.103.0.0/16
    pfs=yes
    auto=start
"sitea-aws.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"
RIGHT - AWS Openswan 2.6.37
"sitea-aws.conf"
conn aws-sitea
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=xxx.xxx.xxx.105
    leftnexthop=%defaultroute
    leftsubnet=10.103.0.0/16
    right=xxx.xxx.xxx.204
    rightsubnets=192.168.0.0/24,172.21.0.0/16
    pfs=yes
    auto=start
"sitea-aws.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"
ATTEMPT #2 - using configurator
Site A - Upgraded Openswan to version 2.6.43
"tunnel1.conf"
conn sitea-nca
    type=tunnel
    auth=esp
    authby=secret
    ikelifetime=1440m
    rekeymargin=10m
    rekeyfuzz=0%
    keylife=3600s
    esp=3des-md5
    ike=3des-md5
    keyexchange=ike
    pfs=yes
    left=192.168.0.13
    leftsubnet=192.168.0.0/24
    leftnexthop=%defaultroute
    leftid=xxx.xxx.xxx.204
    right=xxx.xxx.xxx.105
    rightsubnet=10.103.0.0/16
    rightnexthop=%defaultroute
    rightid=xxx.xxx.xxx.105
    auto=start
"tunnel1.secrets"
xxx.xxx.xxx.204 xxx.xxx.xxx.105: PSK "keyhere"
AWS Side
conn colo1-sitea
    type=tunnel
    auth=esp
    authby=secret
    ikelifetime=1440m
    rekeymargin=10m
    rekeyfuzz=0%
    keylife=3600s
    esp=3des-md5
    ike=3des-md5
    keyexchange=ike
    pfs=yes
    left=10.103.0.11
    leftsubnet=10.103.0.0/16
    leftnexthop=%defaultroute
    leftid=xxx.xxx.xxx.105
    right=xxx.xxx.xxx.204
    rightsubnet=192.168.0.0/24
    rightnexthop=%defaultroute
    rightid=xxx.xxx.xxx.204
    auto=start
"tunnel1.secrets"
xxx.xxx.xxx.105 xxx.xxx.xxx.204: PSK "keyhere"
I've tried many different things, never got past the preshared key problem.
_______________________________________________
Users@lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
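A consistency check for the "no preshared key" symptom in the post above, added here as an example; it is not part of the original message or of Openswan itself. It reads an ipsec.conf and an ipsec.secrets pair and reports PSK connections whose local and remote identities (leftid/rightid, falling back to the left/right address, as the post's NAT-ed Site A config relies on) have no index line that covers them. The sample files, the documentation addresses 203.0.113.204 and 198.51.100.105, and the simplified matching rule are constructed assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample mirroring the post: Site A sits behind NAT, so the
# interface address (left) is not the address the AWS peer sees.
SITE_A_CONF = """
conn sitea-nca
    authby=secret
    left=192.168.0.13
    leftsubnet=192.168.0.0/24
    right=198.51.100.105
    rightsubnet=10.103.0.0/16
"""
# Secrets keyed on the public addresses only (constructed).
SITE_A_SECRETS = '203.0.113.204 198.51.100.105: PSK "keyhere"\n'

def parse_conns(conf: str) -> Dict[str, Dict[str, str]]:
    """Minimal ipsec.conf reader: {conn_name: {key: value}}."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def psk_indices(secrets: str) -> List[Set[str]]:
    """Index sets of every 'id id ...: PSK "..."' line in ipsec.secrets."""
    return [set(m.group(1).split()) for m in
            re.finditer(r'^\s*([^:#\n]*?)\s*:\s*PSK\s', secrets, re.M)]

def missing_psk(conf: str, secrets: str) -> List[Tuple[str, str, str]]:
    """(conn, local_id, remote_id) for PSK conns with no matching index."""
    # Assumption: pluto keys the lookup on leftid/rightid when set, else on
    # left/right; an index line matches when it names both IDs, uses %any,
    # or has no indices at all.
    problems = []
    for name, conn in parse_conns(conf).items():
        if conn.get("authby") != "secret":
            continue
        local = conn.get("leftid", conn.get("left", ""))
        remote = conn.get("rightid", conn.get("right", ""))
        if not any(not idx or "%any" in idx or {local, remote} <= idx
                   for idx in psk_indices(secrets)):
            problems.append((name, local, remote))
    return problems
```

Run against the sample, the check flags sitea-nca because its local identity is the private 192.168.0.13 while the secrets line is keyed on the public address; adding leftid=203.0.113.204 to the conn makes the report empty.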