xelerance / Openswan


Problem in ipsec.conf #231

Closed tongjiaoyuan closed 6 years ago

tongjiaoyuan commented 7 years ago

After I found Openswan, I became very interested in what this software can do. I have a HUAWEI firewall in my hands; it has a public IP address such as 122.227.36.74 and there is a subnet behind it such as 192.168.10.0/24 whose gateway is 192.168.10.1. The other end is a CentOS server; its public IP address is 47.91.101.121 and it has a private subnet which is 172.26.232.0/24, and the server's private IP address is 172.26.242.4. The firewall's security policy is "any to any" permit. For the IKE version I chose v1 and v2 both; for the negotiation mode I chose auto; for the encryption algorithm I chose 3DES; for the authentication algorithm I chose SHA1; for the integrity algorithm I chose ; the other parameters are as follows (the firewall config). On the CentOS server I installed Openswan and did some configuration as follows. In sysctl.conf I added some lines such as

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

and on its firewall I ran some commands such as

iptables -A INPUT -p udp --dport 500 -j ACCEPT

iptables -A INPUT -p tcp --dport 4500 -j ACCEPT

iptables -A INPUT -p udp --dport 4500 -j ACCEPT

iptables -t nat -A POSTROUTING -s 172.26.224.0/24 -o eth0 -j MASQUERADE

iptables -I FORWARD -s 172.26.224.0/24 -j ACCEPT

iptables -I FORWARD -d 192.168.10.0/24 -j ACCEPT

iptables -t nat -A POSTROUTING -s 172.26.224.0/24 -d 192.168.10.0/24 -j SNAT --to 47.91.104.121

AND: msandal conf

In ipsec.conf I have set:

protostack=netkey
plutodebug=all
plutostderrlog=/var/log/pluto.log
dumpdir=/var/run/pluto/
nat_traversal=yes

Also, I edited the ipsec.secrets file. All of the above are my operations. The CentOS server and the HUAWEI firewall failed to connect; when I ran the IPsec diagnosis on the HUAWEI firewall it says "the IKEs negotiated but the encryption algorithm or authentication algorithm or integrity algorithm or DH group is unmatched". I have tried for 10 days and tried my best, but I can't find out what went wrong. Please help me. Thanks!

Kimi1860 commented 7 years ago

the DH group should be modp2048
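The firewall's diagnostic says the IKE peers reached each other but no proposal matched, which in Openswan terms means the `ike=` (phase 1) and `phase2alg=` (phase 2) transforms, including the DH group, must be pinned to exactly what the HUAWEI side offers. The following `ipsec.conf` is an added example written for this thread; it is not the reporter's file and not part of the Openswan project. It keeps the `config setup` values posted above and adds a `conn` section using the addresses from the report. The connection name `huawei`, the choice of 172.26.232.0/24 as the left subnet (the report gives two different prefixes), `ikev2=no`, and the `leftid` handling for a cloud host whose public address is not on its interface are assumptions.

```ini
config setup
    # values posted in the issue
    protostack=netkey
    nat_traversal=yes
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    dumpdir=/var/run/pluto/

# Assumed connection name; the tunnel between the CentOS host and the HUAWEI firewall.
conn huawei
    type=tunnel
    authby=secret              # PSK; ipsec.secrets needs: 47.91.101.121 122.227.36.74 : PSK "..."
    # Assumption: pin one IKE version instead of letting both sides try v1 and v2.
    ikev2=no
    # Phase 1 proposal: 3DES encryption, SHA1 integrity, DH group 14 (modp2048),
    # matching the 3DES/SHA1 settings in the report and the modp2048 advice above.
    ike=3des-sha1;modp2048
    # Phase 2 (ESP) transform with PFS on the same group.
    phase2=esp
    phase2alg=3des-sha1;modp2048
    pfs=yes
    # CentOS side: the public IP is NATed to the host, so bind to the default route
    # and announce the public address as the IKE identity (assumption).
    left=%defaultroute
    leftid=47.91.101.121
    leftsubnet=172.26.232.0/24
    # HUAWEI side
    right=122.227.36.74
    rightsubnet=192.168.10.0/24
    auto=start
```

With this in place, `ipsec auto --status` should show the `huawei` conn with both proposals listed, and `/var/log/pluto.log` will carry the exact transform the remote rejected if the firewall still reports a mismatch; compare that line against the firewall's proposal set rather than the GUI defaults. NAT traversal uses UDP 4500, so the `tcp --dport 4500` rule in the posted iptables list is not needed for IKE; the UDP 500 and UDP 4500 rules are the ones that matter.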

tongjiaoyuan commented 7 years ago

@Kimi1860 thanks for your help, I have re-edited the configuration as you told me and I am trying to test it.

tongjiaoyuan commented 7 years ago

@Kimi1860 it still can't work even though I changed to modp2048.

shussain commented 7 years ago

@tongjiaoyuan is this issue still occurring? Can I go ahead and close this issue?