<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
Yep, I had the remote networks switched; tunnel up, traffic passing now. Thanks for the help :)<br>
<br>
&gt; Subject: Re: [Openswan Users] Openswan Cisco ASA<br>
&gt; To: wheelo_01@hotmail.com<br>
&gt; CC: users@openswan.org; users-bounces@openswan.org<br>
&gt; From: frank.mayer@knapp.com<br>
&gt; Date: Thu, 17 Apr 2008 18:50:49 +0200<br>
&gt; <br>
&gt; Hello,<br>
&gt; <br>
&gt; I'm not sure about a Cisco ASA, but with a Cisco router I'd say the crypto<br>
&gt; map entry of the Cisco device had an access list that specified<br>
&gt; different networks to be tunnelled.<br>
&gt; <br>
&gt; One thing I found helpful in the past was having the other end of the<br>
&gt; tunnel try establishing the connection: Openswan's log entries in that case<br>
&gt; give more information, e.g. which networks the peer wants to tunnel (if it<br>
&gt; does try so at all; if it does not, then I'm rather sure the Cisco end has<br>
&gt; local and remote networks switched in its access list for the tunnel:<br>
&gt; that's a common error).<br>
&gt; <br>
&gt; Best Regards<br>
&gt; <br>
&gt; Frank Mayer<br>
&gt; Customer Service Engineering<br>
&gt; -----------------------------<br>
&gt; Phone: +43 316 495-5640<br>
&gt; Fax: +43 316 491 395<br>
&gt; frank.mayer@knapp.com<br>
&gt; www.KNAPP.com<br>
&gt; -----------------------------<br>
&gt; KNAPP Logistik Automation GmbH<br>
&gt; Guenter-Knapp-Str. 5-7<br>
&gt; 8075 Hart bei Graz, Austria<br>
&gt; -----------------------------<br>
&gt; Commercial register number: FN 36404k<br>
&gt; Commercial register court: Graz<br>
&gt; -----------------------------<br>
&gt; <br>
&gt; From: Paul Whelan &lt;wheelo_01@hotmail.com&gt;<br>
&gt; Sent by: users-bounces@openswan.org<br>
&gt; To: &lt;users@openswan.org&gt;<br>
&gt; Subject: [Openswan Users] Openswan Cisco ASA<br>
&gt; Date: 04/17/2008 06:37 PM<br>
&gt; <br>
&gt; Hello<br>
&gt; <br>
&gt; I'm trying to set up a tunnel between openswan 2.4.9 (I've also tried 2.4.11<br>
&gt; as well) and a Cisco ASA, however I am getting the errors below. As can be<br>
&gt; seen, phase 1 IKE succeeds, however phase 2 doesn't.<br>
&gt; <br>
&gt; *****************************<br>
&gt; <br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: initiating Main Mode<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [FRAGMENTATION c0000000]<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I2: sent MI2, expecting MR2<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Cisco-Unity]<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [XAUTH]<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring unknown Vendor ID payload [42fc5a89d3e07f949aed6dc2a8e20893]<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: I did not send a certificate because I do not have one.<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I3: sent MI3, expecting MR3<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Dead Peer Detection]<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.2'<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring informational payload, type INVALID_ID_INFORMATION<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received and ignored informational message<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Delete SA payload: deleting ISAKMP State #5<br>
&gt; Apr 17 16:41:14 localhost pluto[2784]: packet from 192.168.10.2:500: received and ignored informational message<br>
&gt; <br>
&gt; <br>
&gt; **************************<br>
&gt; My ipsec.conf<br>
&gt; <br>
&gt; conn con0<br>
&gt;         rightsubnet=9.0.0.1/24<br>
&gt;         leftsubnet=11.0.0.1/24<br>
&gt;         also=gw-to-gw<br>
&gt; conn con1<br>
&gt;         rightsubnet=9.0.1.3/24<br>
&gt;         leftsubnet=11.0.1.3/24<br>
&gt;         also=gw-to-gw<br>
&gt; conn gw-to-gw<br>
&gt;         left=192.168.10.2<br>
&gt;         right=192.168.10.1<br>
&gt;         esp=3des-md5<br>
&gt;         authby=secret<br>
&gt;         type=tunnel<br>
&gt;         auto=add<br>
&gt;         rekey=yes<br>
&gt;         keylife=8h<br>
&gt;         ike=3des-md5-modp1024<br>
&gt;         aggrmode=no<br>
&gt;         pfs=no<br>
&gt;         compress=no<br>
&gt; <br>
&gt; ************************************<br>
&gt; <br>
&gt; On the Cisco side of things I get error messages:<br>
&gt; <br>
&gt; 713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 local proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2<br>
&gt; <br>
&gt; I've looked up this error, which is basically complaining that the tunnel<br>
&gt; addresses on both sides don't match. However, I've checked all my addresses and<br>
&gt; they match.<br>
&gt; <br>
&gt; One thing wrong to notice from the error is 9.0.1.0 and 11.0.1.0, as I have<br>
&gt; 9.0.0.1 and 11.0.0.1 configured both in ipsec.conf and on the Cisco ASA.<br>
&gt; <br>
&gt; I've tried googling all the error messages, but nothing I've found has<br>
&gt; helped. I've plugged my Openswan side into another Openswan configured with<br>
&gt; the IP of the Cisco ASA side and the tunnel came up fine. Am I missing anything<br>
&gt; from my config file needed to communicate with the ASA?<br>
&gt; <br>
&gt; Regards,<br>
&gt; Paul Whelan<br>
&gt; <br>
&gt; _______________________________________________<br>
&gt; Users@openswan.org<br>
&gt; http://lists.openswan.org/mailman/listinfo/users<br>
&gt; Building and Integrating Virtual Private Networks with Openswan:<br>
&gt; http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>
</body>
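The diagnosis in the thread (phase 1 up, Quick Mode rejected with INVALID_ID_INFORMATION, ASA logging 713061 "no matching crypto map entry", and the fix being swapped local/remote networks on the ASA) can be checked mechanically. The script below is an added example and not code from the thread or from Openswan: it parses the conn sections of the posted ipsec.conf (following also= includes), decides which end is local from the Main Mode peer ID in the pluto log, reduces the subnets to the network prefixes IKE actually sends as proxy IDs (9.0.1.3/24 is proposed as 9.0.1.0/24, which is why the ASA reports 9.0.1.0 and 11.0.1.0 for con1), and compares them with the proxies in the ASA's rejection and with a crypto-map ACL line. The two ACL lines and the access-list name vpn_acl are constructed for illustration; only the conf and log lines are copied from the post.

```python
"""Cross-check IKEv1 Quick Mode proxy IDs against an ASA 713061 rejection and
its crypto-map ACL.  Added example; not from the thread or from Openswan."""
import ipaddress
import re

# Copied from the post above (conn sections trimmed to the address parameters).
IPSEC_CONF = """\
conn con0
        rightsubnet=9.0.0.1/24
        leftsubnet=11.0.0.1/24
        also=gw-to-gw
conn con1
        rightsubnet=9.0.1.3/24
        leftsubnet=11.0.1.3/24
        also=gw-to-gw
conn gw-to-gw
        left=192.168.10.2
        right=192.168.10.1
        authby=secret
"""
PLUTO_PEER_ID = "\"con1\" #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.2'"
ASA_ERROR = ("713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: "
             "no matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 "
             "local proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2")

# Constructed ASA ACLs (hypothetical name vpn_acl).  In a crypto-map ACL the
# source is the ASA's local network and the destination the remote network.
ASA_ACL_SWAPPED = "access-list vpn_acl permit ip 9.0.1.0 255.255.255.0 11.0.1.0 255.255.255.0"
ASA_ACL_FIXED = "access-list vpn_acl permit ip 11.0.1.0 255.255.255.0 9.0.1.0 255.255.255.0"

_IP = r"(\d+\.\d+\.\d+\.\d+)"


def parse_ipsec_conf(text):
    """Return {conn: {key: value}} with also= sections merged; the including
    conn's own settings take precedence over the included section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()

    def resolve(name, seen=()):
        own = dict(conns[name])
        also = own.pop("also", None)
        if also and also not in seen:
            merged = resolve(also, seen + (name,))
            merged.update(own)
            return merged
        return own

    return {name: resolve(name) for name in conns}


def proxy_ids(conn, peer_ip):
    """(local_net, remote_net) as sent in the Quick Mode ID payloads: network
    prefixes, where 'local' is whichever of left/right is not the peer."""
    peer = ipaddress.ip_address(peer_ip)
    if ipaddress.ip_address(conn["left"]) == peer:
        local_key, remote_key = "rightsubnet", "leftsubnet"
    elif ipaddress.ip_address(conn["right"]) == peer:
        local_key, remote_key = "leftsubnet", "rightsubnet"
    else:
        raise ValueError("peer %s is neither left nor right of this conn" % peer_ip)
    net = lambda s: ipaddress.ip_network(s, strict=False)  # 9.0.1.3/24 -> 9.0.1.0/24
    return net(conn[local_key]), net(conn[remote_key])


def parse_asa_713061(line):
    """(remote_net, local_net) as the ASA reports the proposal it rejected."""
    m = re.search(r"remote proxy %s/%s/\S+ local proxy %s/%s/" % (_IP, _IP, _IP, _IP), line)
    if not m:
        raise ValueError("not a 713061 proxy mismatch line")
    remote = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=False)
    local = ipaddress.ip_network("%s/%s" % (m.group(3), m.group(4)), strict=False)
    return remote, local


def parse_asa_acl(line):
    """(local_net, remote_net) from a crypto-map ACL permit line (source = local)."""
    m = re.search(r"permit ip %s %s %s %s" % (_IP, _IP, _IP, _IP), line)
    if not m:
        raise ValueError("not a 'permit ip' ACL line")
    src = ipaddress.ip_network("%s/%s" % (m.group(1), m.group(2)), strict=False)
    dst = ipaddress.ip_network("%s/%s" % (m.group(3), m.group(4)), strict=False)
    return src, dst


def acl_verdict(os_local, os_remote, acl_local, acl_remote):
    """'match' if the ACL mirrors Openswan's proxies, 'swapped' if local and
    remote are reversed (the common error from the reply), else 'different'."""
    if (acl_local, acl_remote) == (os_remote, os_local):
        return "match"
    if (acl_local, acl_remote) == (os_local, os_remote):
        return "swapped"
    return "different"


def check(conn_name="con1", asa_acl=ASA_ACL_SWAPPED, ipsec_conf=IPSEC_CONF,
          peer_log=PLUTO_PEER_ID, asa_error=ASA_ERROR):
    conns = parse_ipsec_conf(ipsec_conf)
    peer_ip = re.search(r"ID_IPV4_ADDR: '([\d.]+)'", peer_log).group(1)
    os_local, os_remote = proxy_ids(conns[conn_name], peer_ip)
    asa_remote, asa_local = parse_asa_713061(asa_error)
    acl_local, acl_remote = parse_asa_acl(asa_acl)
    return {
        "openswan_local": str(os_local),
        "openswan_remote": str(os_remote),
        # Openswan's proposal should appear mirrored in the ASA's rejection.
        "proposal_matches_asa_log": (asa_remote, asa_local) == (os_local, os_remote),
        "acl_verdict": acl_verdict(os_local, os_remote, acl_local, acl_remote),
    }


if __name__ == "__main__":
    for acl in (ASA_ACL_SWAPPED, ASA_ACL_FIXED):
        print(check(asa_acl=acl))
```

For con1 the proposal Openswan sent (local 9.0.1.0/24, remote 11.0.1.0/24) is exactly what the ASA logged as rejected, so the Openswan side is consistent and the mismatch has to be in the ASA's crypto ACL; against the swapped ACL the verdict is "swapped", against the corrected one it is "match". Running the same check with conn_name="con0" shows that conn could not have produced the logged 9.0.1.0 / 11.0.1.0 proxies at all.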
</html>