IPSec (OpenSWAN)

James McKenzie jjmckenzie51 at earthlink.net
Sun Dec 19 01:57:03 UTC 2010


On 12/3/10 1:39 PM, Trever L. Adams wrote:
> Hello Everyone,
>
> I have been struggling to get OpenSWAN to work. I am trying to get a
> setup going with the following:
>
> Router<-->  Router, IPSec only, Pre-shared keys or certs (ESP, tunnel or
> not)
Get this to work in tunnel mode first.
> Router<-->  Android Phones, IPSec/L2TP, Pre-shared keys (the certs is a
> lot of messing around that I am not comfortable doing yet with other
> people's phones
Your second comment is very true.  Also, you should avoid shared secrets 
if you can.  I would recommend going with the certificate method as it 
is easier to update as well.  You did point out that you do not have 
full control of them.
> I haven't yet tried Router to Router as I have seen it said that it is
> best to get the PSK w/ L2TP working first. The error I get (sorry, don't
> have the phone to test with and I can't find it in the logs at the
> moment) says something about not finding a valid pair and ignoring the
> connection on port 500.
>
It is looking for certificates, not a pre-shared key.  Certificates are 
the default method.

As to getting your own Certificate Authority on the phones, that should 
not be hard.  Look for a good Android guide and it should point out how 
to do this.  You may be able to fall back on a Linux guide if you can 
root the box...

James McKenzie
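
The reply above attributes the error to the connection expecting certificates rather than a pre-shared key. As an added example (not part of the original message, and not Openswan code), this check lists the `conn` sections of an ipsec.conf that never select `authby=secret`. It assumes the `rsasig` default documented in ipsec.conf(5), does not follow `also=` includes, and uses a constructed sample configuration with documentation addresses.

```python
import re

DEFAULT_AUTHBY = "rsasig"  # assumed built-in default when authby= is absent

# Constructed sample config; names and addresses are illustrative only.
SAMPLE_CONF = """\
conn %default
    keyingtries=3

conn l2tp-psk
    authby=secret
    left=192.0.2.1
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any

conn router-to-router
    type=tunnel
    left=192.0.2.1
    right=198.51.100.7
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line[0] in " \t" and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None   # "config setup" or any other section
    return conns

def effective_authby(conns):
    """Resolve authby per conn: own value, then conn %default, then default."""
    base = conns.get("%default", {}).get("authby", DEFAULT_AUTHBY)
    return {n: c.get("authby", base) for n, c in conns.items() if n != "%default"}

def conns_not_using_psk(conns):
    """Names of conns whose effective authby does not allow a shared secret."""
    auth = effective_authby(conns)
    return sorted(n for n, a in auth.items() if "secret" not in a.split("|"))

if __name__ == "__main__":
    for name in conns_not_using_psk(parse_conns(SAMPLE_CONF)):
        print(f"{name}: no authby=secret, falls back to RSA signature auth")
```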


