<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<STYLE>.hmmessage P {
        PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px
}
BODY.hmmessage {
        FONT-SIZE: 10pt; FONT-FAMILY: Tahoma
}
</STYLE>
<META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD>
<BODY class=hmmessage>
<DIV dir=ltr align=left><FONT face=Arial>This subnet syntax is wrong; it may be the
cause of your problem:</FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial>conn
con0<BR>
rightsubnet=9.0.0.1/24<BR>
leftsubnet=11.0.0.1/24<BR>
also=gw-to-gw<BR>conn con1<BR>
rightsubnet=9.0.1.3/24<BR>
leftsubnet=11.0.1.3/24<BR>
also=gw-to-gw</FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#000000>You probably want
(net-to-net):<BR>conn
con0<BR> rightsubnet=9.0.0.0/24<BR>
leftsubnet=11.0.0.0/24<BR>
also=gw-to-gw<BR>conn con1<BR>
rightsubnet=9.0.1.0/24<BR>
leftsubnet=11.0.1.0/24<BR>
also=gw-to-gw</FONT></DIV>
<DIV dir=ltr align=left>
<DIV dir=ltr align=left><FONT face=Arial color=#000000>Or this (host-to-host):</FONT></DIV>
<DIV dir=ltr align=left><FONT face=Arial color=#000000>conn
con0<BR> rightsubnet=9.0.0.1/32<BR>
leftsubnet=11.0.0.1/32<BR>
also=gw-to-gw<BR>conn con1<BR>
rightsubnet=9.0.1.3/32<BR>
leftsubnet=11.0.1.3/32<BR>
also=gw-to-gw</FONT></DIV></DIV>
<DIV><FONT face=Arial color=#0000ff></FONT> </DIV>
<DIV align=left><FONT face=Arial>Peter McGill</FONT></DIV>
<DIV> </DIV><BR>
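<DIV dir=ltr align=left><FONT face=Arial>A small check for the mistake above, added here as an example and not code from Openswan or from either poster: it parses the minimal conn / also= syntax used in this thread, resolves the also= include, and for every leftsubnet and rightsubnet reports the network pluto will actually propose as the Phase 2 proxy ID (host bits masked off, which is why the ASA log shows 9.0.1.0/255.255.255.0 for a rightsubnet of 9.0.1.3/24) and warns when the written value has host bits set. The function names, the SAMPLE_CONF text and the warning wording are the example's own; the parser handles only key=value lines and a single also= per conn, and the masking behaviour is inferred from the ASA log in the thread rather than from pluto's source.</FONT></DIV>

```python
"""Lint leftsubnet/rightsubnet values in an Openswan-style ipsec.conf.

Added example, not code from the Openswan project or from either poster.
It parses the minimal 'conn' syntax used in the thread (key=value lines,
one 'also=' include per conn), resolves the include, and for every subnet
reports the network pluto proposes as the Phase 2 proxy ID (host bits
masked off, as the ASA log in the thread shows) plus a warning when the
written value has host bits set, which is the 9.0.0.1/24 mistake.
"""
import ipaddress
import re

# Constructed sample: the poster's conn blocks, with the subnet mistake.
SAMPLE_CONF = """\
conn con0
    rightsubnet=9.0.0.1/24
    leftsubnet=11.0.0.1/24
    also=gw-to-gw
conn con1
    rightsubnet=9.0.1.3/24
    leftsubnet=11.0.1.3/24
    also=gw-to-gw
conn gw-to-gw
    left=192.168.10.2
    right=192.168.10.1
    esp=3des-md5
    authby=secret
    type=tunnel
    auto=add
"""

_CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} for a conf of the shape above."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = _CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError("key=value outside a conn: %r" % raw)
        key, value = (s.strip() for s in line.split("=", 1))
        current[key] = value
    return conns


def resolve(conns, name, _seen=()):
    """Merge 'also=' includes; the including conn's own keys win."""
    if name in _seen:
        raise ValueError("also= loop through %s" % name)
    own = dict(conns[name])
    base = own.pop("also", None)
    merged = resolve(conns, base, _seen + (name,)) if base else {}
    merged.update(own)
    return merged


def check_subnet(value):
    """Return (proposed_network, warning_or_None) for one subnet value.

    strict=False mirrors what pluto does: it masks the host bits and
    proposes the network.  strict=True is the check a human wants: it
    refuses a value whose host bits are not zero.
    """
    net = ipaddress.ip_network(value, strict=False)
    try:
        ipaddress.ip_network(value, strict=True)
        return str(net), None
    except ValueError:
        return str(net), (
            "%s has host bits set; pluto will propose %s. "
            "Write %s for a net-to-net tunnel or %s/%d for host-to-host."
            % (value, net, net, value.split("/")[0], net.max_prefixlen)
        )


def lint(text):
    """Lint every conn that carries subnets; return (conn, side, proxy, warning) tuples."""
    conns = parse_conns(text)
    findings = []
    for name in conns:
        merged = resolve(conns, name)
        for side in ("leftsubnet", "rightsubnet"):
            if side not in merged:
                continue
            proposed, warning = check_subnet(merged[side])
            findings.append((name, side, proposed, warning))
    return findings


if __name__ == "__main__":
    for name, side, proposed, warning in lint(SAMPLE_CONF):
        print("%s %s -> proxy %s%s" % (
            name, side, proposed,
            "  WARNING: " + warning if warning else ""))
```

<DIV dir=ltr align=left><FONT face=Arial>Run it as a script to get one line per subnet: con0 and con1 each produce two warnings, gw-to-gw none because it carries no subnets. Compare the proxy column against the crypto map ACL on the ASA; the two must agree exactly, which is the check the 713061 message in the quoted mail is failing.</FONT></DIV>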
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Paul
Whelan<BR><B>Sent:</B> April 17, 2008 12:37 PM<BR><B>To:</B>
users@openswan.org<BR><B>Subject:</B> [Openswan Users] Openswan Cisco
ASA<BR></FONT><BR></DIV>
<DIV></DIV>Hello<BR><BR>I'm trying to set up a tunnel between Openswan 2.4.9
(I've also tried 2.4.11) and a Cisco ASA; however, I am getting the
errors below. As can be seen, phase 1 IKE succeeds; however, phase 2
doesn't.<BR><BR><BR>*****************************<BR><BR>Apr 17 16:41:14
localhost pluto[2784]: "con1" #5: initiating Main Mode<BR>Apr 17 16:41:14
localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [FRAGMENTATION
c0000000]<BR>Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>Apr 17 16:41:14 localhost
pluto[2784]: "con1" #5: STATE_MAIN_I2: sent MI2, expecting MR2<BR>Apr 17
16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload
[Cisco-Unity]<BR>Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received
Vendor ID payload [XAUTH]<BR>Apr 17 16:41:14 localhost pluto[2784]: "con1" #5:
ignoring unknown Vendor ID payload [42fc5a89d3e07f949aed6dc2a8e20893]<BR>Apr
17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload
[Cisco VPN 3000 Series]<BR>Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: I
did not send a certificate because I do not have one.<BR>Apr 17 16:41:14
localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3<BR>Apr 17 16:41:14 localhost pluto[2784]: "con1" #5:
STATE_MAIN_I3: sent MI3, expecting MR3<BR>Apr 17 16:41:14 localhost
pluto[2784]: "con1" #5: received Vendor ID payload [Dead Peer
Detection]<BR>Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: Main mode peer
ID is ID_IPV4_ADDR: '192.168.10.2'<BR>Apr 17 16:41:14 localhost pluto[2784]:
"con1" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<BR>Apr
17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}<BR>Apr 17 16:41:14 localhost
pluto[2784]: "con1" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
isakmp#5}<BR>Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring
informational payload, type INVALID_ID_INFORMATION<BR>Apr 17 16:41:14
localhost pluto[2784]: "con1" #5: received and ignored informational
message<BR>Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Delete
SA payload: deleting ISAKMP State #5<BR>Apr 17 16:41:14 localhost pluto[2784]:
packet from 192.168.10.2:500: received and ignored informational
message<BR><BR><BR>**************************<BR>My ipsec.conf<BR><BR>conn
con0<BR>
rightsubnet=9.0.0.1/24<BR>
leftsubnet=11.0.0.1/24<BR>
also=gw-to-gw<BR>conn con1<BR>
rightsubnet=9.0.1.3/24<BR>
leftsubnet=11.0.1.3/24<BR>
also=gw-to-gw<BR>conn gw-to-gw<BR>
left=192.168.10.2<BR>
right=192.168.10.1<BR>
esp=3des-md5<BR>
authby=secret<BR>
type=tunnel<BR>
auto=add<BR>
rekey=yes<BR>
keylife=8h<BR>
ike=3des-md5-modp1024<BR>
aggrmode=no<BR>
pfs=no<BR>
compress=no<BR><BR>************************************<BR><BR>On the Cisco
side of things I get error messages:<BR><BR>713061:Group =192.168.10.1, IP =
192.168.10.1, Rejecting IPSec tunnel: no matching crypto map entry for remote
proxy 9.0.1.0/255.255.255.0/0/0 local proxy
11.0.1.0/255.255.255.0/0/0/0 on interface gw2<BR><BR>I've looked up
this error, which is basically complaining that the tunnel addresses on both
sides don't match. However, I've checked all my addresses and they
match.<BR><BR>One thing wrong to notice from the error is 9.0.1.0 and
11.0.1.0, as I have 9.0.0.1 and 11.0.0.1 configured both in ipsec.conf and on
the Cisco ASA.<BR><BR>I've tried googling all the error messages, but nothing
I've found has helped. I've plugged my Openswan side into another Openswan
configured with the IP of the Cisco ASA side, and the tunnel came up
fine. Am I missing anything from my config file needed to communicate with
the ASA?<BR><BR>Regards,<BR>Paul Whelan<BR><BR>
</BLOCKQUOTE></BODY></HTML>