On 11/24/06, <b class="gmail_sendername">Krzysztof Wiórkiewicz</b> <<a href="mailto:krwi@softwaremind.pl">krwi@softwaremind.pl</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Now after brought up ipsec we have:</blockquote><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><br></blockquote><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
004 "cisco1" #619: STATE_QUICK_I2: sent QI2, IPsec SA established<br></blockquote><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
{ESP=>0xa26168af <0xb107fa76 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}</blockquote><div><br>[...] <br></div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
when we pinging any other tunnel (for example internal_ip_5):<br><br># tcpdump -n -i our_external_interface host cisco_external_ip or host<br>internal_ip_5<br>14:40:23.373283 IP our_external_ip > cisco_external_ip: ESP(spi=0xa26168af,seq=0x1), length 92
<br>14:40:28.812884 IP our_external_ip > cisco_external_ip: ESP(spi=0xa26168af,seq=0x2), length 92<br><br>as can you see any response from Cisco router. </blockquote><div><br>I'm also struggling with connecting to a Cisco router (from Linux Openswan
U2.4.4/K2.6.11-gentoo-r5 (netkey)). You are a big step ahead of me.<br><br>How did you get Openswan to use the exact SPI (0xa26168af) that was negotiated when establishing the IPsec SA? Our openswan always flips a few bits in the SPI it puts in the outgoing ESP packets and then the Cisco doesn't know the altered SPI, so nothing works.
<br></div><br></div>The only difference to your config is that we use esp=3des-sha1 (on both ends) instead of 3des-md5-96.<br><br>Thanks,<br>/Christian<br>