[Openswan Users] Problem setting up tunnel between openswan 2.6.48 and cisco asa 5505
Wiegmann Sebastian
S.Wiegmann at ads-tec.de
Tue Dec 5 06:42:14 EST 2017
Hi,
While I'm trying to set up a tunnel between my embedded router with Openswan and a Cisco ASA, I get the error that "we cannot identify ourselves with either end of this connection".
It would be kind if you could give me a hint.
Thanks, Sebastian
ipsec_setup: Starting Openswan IPsec 2.6.48...
ipsec_setup: LAN (IPsec) -> NULL mtu=0(0) -> 0
pluto[9995]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
pluto[9995]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
pluto[9995]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
pluto[9995]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
pluto[9995]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
pluto[9995]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
pluto[9995]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
pluto[9995]: starting up 1 cryptographic helpers
pluto[9995]: adding connection: "technet-ciscoasa"
ipsec__plutorun: 002 adding connection: "technet-ciscoasa"
pluto[9995]: listening for IKE messages
pluto[9995]: adding interface LAN (IPsec)/LAN 192.168.2.110:500
pluto[9995]: loading secrets from "/etc/ipsec.secrets"
ipsec__plutorun: 002 listening for IKE messages
ipsec__plutorun: 002 adding interface LAN (IPsec)/LAN 192.168.2.110:500
ipsec__plutorun: 002 loading secrets from "/etc/ipsec.secrets"
ipsec__plutorun: 022 "technet-ciscoasa": we cannot identify ourselves with either end of this connection
ipsec__plutorun: ...could not route conn "technet-ciscoasa"
pluto[9995]: "technet-ciscoasa": We cannot identify ourselves with either end of this connection.
ipsec__plutorun: 022 "technet-ciscoasa": We cannot identify ourselves with either end of this connection.
ifconfig
------------
br0 Link encap:Ethernet HWaddr 00:18:92:06:C5:8E
inet addr:192.168.2.110 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27174 errors:0 dropped:0 overruns:0 frame:0
TX packets:18128 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2304088 (2.1 MiB) TX bytes:6952011 (6.6 MiB)
eth0 Link encap:Ethernet HWaddr 00:18:92:06:C5:8E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:30365 errors:0 dropped:0 overruns:0 frame:0
TX packets:18126 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3756178 (3.5 MiB) TX bytes:6950956 (6.6 MiB)
Base address:0x8000
eth1 Link encap:Ethernet HWaddr 00:18:92:06:C5:8F
inet addr:10.0.0.2 Bcast:10.0.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:883 errors:0 dropped:0 overruns:0 frame:0
TX packets:4266 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:93032 (90.8 KiB) TX bytes:437300 (427.0 KiB)
ipsec0 Link encap:Ethernet HWaddr 00:18:92:06:C5:8E
inet addr:192.168.2.110 Mask:255.255.255.255
UP RUNNING NOARP MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1297 errors:0 dropped:0 overruns:0 frame:0
TX packets:1297 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:429158 (419.0 KiB) TX bytes:429158 (419.0 KiB)
###############
ipsec.conf
------------
version 2
config setup
protostack=klips
nat_traversal=yes
plutodebug="crypt parsing emitting control klips"
virtual_private=%v4:192.168.2.0/24,%v4:192.168.1.0/24
conn %default
authby=secret
esp=aes128-sha1
ike=aes128-sha1;modp1024
pfs=no
aggrmode=no
type=tunnel
conn technet-ciscoasa
left=10.0.0.2
leftid=10.0.0.2
leftsubnet=192.168.2.0/24
right=10.0.0.1
rightid=10.0.0.1
rightsubnet=192.168.1.0/24
auto=start
#######################
ipsec.secrets
------------
10.0.0.2 10.0.0.1 : PSK 'technet'
#######################
~ # ipsec whack --status
------------
000 using kernel interface: klips
000 interface ipsec0/br0 192.168.2.110 (AF_INET)
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "technet-ciscoasa": 192.168.2.0/24===10.0.0.2...10.0.0.1===192.168.1.0/24; unrouted; eroute owner: #0
000 "technet-ciscoasa": myip=unset; hisip=unset;
000 "technet-ciscoasa": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "technet-ciscoasa": policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: ; kind=CK_PERMANENT
000 "technet-ciscoasa": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0;
000 "technet-ciscoasa": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2); flags=-strict
000 "technet-ciscoasa": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "technet-ciscoasa": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; flags=-strict
000 "technet-ciscoasa": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000
000
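The "022 ... cannot identify ourselves with either end of this connection" line is pluto failing to orient the conn: neither left= nor right= equals an address of an interface pluto listens on, and the status above shows it listening only on ipsec0/br0 192.168.2.110 while the conn's ends are 10.0.0.2 and 10.0.0.1. The check below is added here (it is not part of the post or of Openswan) and applies that rule to excerpts constructed from the quoted ipsec.conf and whack --status output, so the mismatch can be spotted before pluto logs it.

```python
import re

# Constructed excerpts of the ipsec.conf and 'ipsec whack --status' in the post.
IPSEC_CONF = """\
conn technet-ciscoasa
    left=10.0.0.2
    leftsubnet=192.168.2.0/24
    right=10.0.0.1
    rightsubnet=192.168.1.0/24
    auto=start
"""
WHACK_STATUS = """\
000 using kernel interface: klips
000 interface ipsec0/br0 192.168.2.110 (AF_INET)
000 %myid = (none)
"""

def parse_conns(conf):
    """Return {conn_name: {key: value}} for every 'conn' section."""
    conns, cur = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def listening_addrs(status):
    """Addresses pluto says it listens on ('000 interface ... <ip>' lines)."""
    return set(re.findall(r"^000 interface \S+ (\d+\.\d+\.\d+\.\d+)", status, re.M))

def orient(conn, addrs):
    """Which end(s) of a conn are local, by pluto's rule: left= or right=
    must equal an address of an interface pluto listens on. An empty
    result is exactly the 'cannot identify ourselves' condition."""
    return [side for side in ("left", "right") if conn.get(side) in addrs]

def check(conf, status):
    """Map each conn name to its local end(s); [] means it cannot orient."""
    addrs = listening_addrs(status)
    return {name: orient(c, addrs) for name, c in parse_conns(conf).items()}

if __name__ == "__main__":
    for name, ends in check(IPSEC_CONF, WHACK_STATUS).items():
        print(name, "local end:", ends or "NONE (pluto cannot orient this conn)")
```

The same check passes once pluto also reports an interface carrying 10.0.0.2 (eth1 in the ifconfig above), which is the condition the conn needs to orient.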