Openswan Annoyances

Here are some problems that are easy to fix, but almost impossible to find straight answers to.

If you are using Openswan (or presumably Freeswan) for IPsec with pre-shared keys and the tunnels won't come up because of a NO_PROPOSAL_CHOSEN error, you probably need an "authby=secret" line in your connection stanza in ipsec.conf. Without it Openswan defaults to authby=rsasig, so it proposes RSA-signature authentication that the peer can't accept, and the negotiation fails miserably. Check that the PSK in ipsec.secrets is keyed on the same left/right addresses the conn uses, too.

If you are attempting to connect to a Cisco device, you may get an error that says "protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0". This means that the Cisco has NAT traversal configured and you don't: a NAT-T-capable peer puts UDP port 0 instead of 500 in its Phase 1 ID payload, and an Openswan built without NAT-T rejects it. Even if you don't plan to use it, build in NAT traversal support (with KLIPS that means patching and recompiling the kernel; the native NETKEY stack in 2.6 kernels already supports it) and add nat_traversal=yes to your "config setup" stanza in ipsec.conf.

If anyone ever says something cryptic like "Let's use ESP-3DES-SHA PFS2", they mean ESP (not AH) with 3DES encryption, HMAC-SHA1 integrity, and perfect forward secrecy using Diffie-Hellman group 2 (modp1024). I discovered that you need to add the following to your connection stanza:

 pfs=yes
 auth=esp
 esp=3DES-SHA1

Note that 3DES and group 2 are weak by current standards; if the peer allows it, prefer AES and a larger DH group.
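Putting the three fixes together, here is a complete ipsec.conf for a PSK site-to-site tunnel to a NAT-T-enabled Cisco peer. This is an added example, not a configuration from the original note; the connection name, addresses, subnets, Phase 1 proposal and pre-shared key are all assumptions to be replaced with your own, and pfsgroup=modp1024 is included to pin the "PFS2" group explicitly rather than relying on the Phase 1 group.

```ini
# /etc/ipsec.conf -- added example, not from the original note.
# Names, addresses, subnets, the ike= proposal and the PSK are assumptions.
version 2.0

config setup
        interfaces=%defaultroute
        # Required when the peer has NAT-T enabled, even if nobody is behind NAT;
        # otherwise Phase 1 fails with "protocol/port in Phase 1 ID Payload
        # must be 0/0 or 17/500 but are 17/0".
        nat_traversal=yes

conn cisco-psk
        # Pre-shared key. Without this Openswan defaults to authby=rsasig and
        # the negotiation ends in NO_PROPOSAL_CHOSEN.
        authby=secret
        # Phase 1 proposal (assumed; match whatever the Cisco is configured for).
        ike=3des-sha1-modp1024
        # "ESP-3DES-SHA PFS2": ESP rather than AH, 3DES + HMAC-SHA1,
        # perfect forward secrecy with DH group 2 (modp1024).
        auth=esp
        esp=3des-sha1
        pfs=yes
        pfsgroup=modp1024
        # Endpoints and protected subnets (assumed addresses).
        left=203.0.113.10
        leftsubnet=192.168.1.0/24
        right=198.51.100.20
        rightsubnet=10.10.0.0/16
        auto=start

# /etc/ipsec.secrets -- the matching PSK entry (assumed value; keep the file mode 0600).
# Both gateway addresses must match left= and right= above.
# 203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"
```

After editing, run `ipsec verify` to confirm NAT-T support is compiled in, then `ipsec auto --add cisco-psk` and `ipsec auto --up cisco-psk`; if authby or the ESP proposal still disagree with the peer, the Pluto log will name the offending payload.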