<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
Yep, I had the remote networks switched, tunnel up, traffic passing now. Thanks for the help :)<br>
<br>
> Subject: Re: [Openswan Users] Openswan Cisco ASA<br>
> To: wheelo_01@hotmail.com<br>
> CC: users@openswan.org; users-bounces@openswan.org<br>
> From: frank.mayer@knapp.com<br>
> Date: Thu, 17 Apr 2008 18:50:49 +0200<br>
> <br>
> Hello,<br>
> <br>
> I'm not sure about a Cisco ASA, but with a Cisco router I'd say the crypto map entry of the Cisco device had an access list that specified different networks to be tunnelled.<br>
> <br>
> One thing I found helpful in the past was having the other end of the tunnel try establishing the connection: Openswan's log entries in that case give more information, e.g. which networks the peer wants to tunnel (if it does try so at all; if it does not, then I'm rather sure the Cisco end has local and remote networks switched in its access list for the tunnel: that's a common error).<br>
> <br>
> Best Regards<br>
> <br>
> Frank Mayer<br>
> Customer Service Engineering<br>
> -----------------------------<br>
> Phone: +43 316 495-5640<br>
> Fax: +43 316 491 395<br>
> frank.mayer@knapp.com<br>
> www.KNAPP.com<br>
> -----------------------------<br>
> KNAPP Logistik Automation GmbH<br>
> Guenter-Knapp-Str. 5-7<br>
> 8075 Hart bei Graz, Austria<br>
> -----------------------------<br>
> Commercial register number: FN 36404k<br>
> Commercial register court: Graz<br>
> -----------------------------<br>
> The information in this e-mail (including any attachment) is confidential and intended to be for the use of the addressee(s) only. If you have received the e-mail by mistake, any disclosure, copy, distribution or use of the contents of the e-mail is prohibited, and you must delete the e-mail from your system. As e-mail can be changed electronically KNAPP assumes no responsibility for any alteration to this e-mail or its attachments. KNAPP has taken every reasonable precaution to ensure that any attachment to this e-mail has been swept for virus. However, KNAPP does not accept any liability for damage sustained as a result of such attachment being virus infected and strongly recommends that you carry out your own virus check before opening any attachment.<br>
> <br>
> Paul Whelan &lt;wheelo_01@hotmail.com&gt;<br>
> Sent by: users-bounces@openswan.org<br>
> 04/17/2008 06:37 PM<br>
> To: &lt;users@openswan.org&gt;<br>
> Cc:<br>
> Subject: [Openswan Users] Openswan Cisco ASA<br>
> <br>
> Hello<br>
> <br>
> I'm trying to set up a tunnel between Openswan 2.4.9 (I've also tried 2.4.11 as well) and a Cisco ASA, however I am getting the errors below. As can be seen, phase 1 IKE succeeds, however phase 2 doesn't.<br>
> <br>
> *****************************<br>
> <br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: initiating Main Mode<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [FRAGMENTATION c0000000]<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I2: sent MI2, expecting MR2<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Cisco-Unity]<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [XAUTH]<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring unknown Vendor ID payload [42fc5a89d3e07f949aed6dc2a8e20893]<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: I did not send a certificate because I do not have one.<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I3: sent MI3, expecting MR3<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Dead Peer Detection]<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.2'<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring informational payload, type INVALID_ID_INFORMATION<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received and ignored informational message<br>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Delete SA payload: deleting ISAKMP State #5<br>
> Apr 17 16:41:14 localhost pluto[2784]: packet from 192.168.10.2:500: received and ignored informational message<br>
> <br>
> **************************<br>
> My ipsec.conf<br>
> <br>
> conn con0<br>
> &nbsp;&nbsp;&nbsp;&nbsp;rightsubnet=9.0.0.1/24<br>
> &nbsp;&nbsp;&nbsp;&nbsp;leftsubnet=11.0.0.1/24<br>
> &nbsp;&nbsp;&nbsp;&nbsp;also=gw-to-gw<br>
> conn con1<br>
> &nbsp;&nbsp;&nbsp;&nbsp;rightsubnet=9.0.1.3/24<br>
> &nbsp;&nbsp;&nbsp;&nbsp;leftsubnet=11.0.1.3/24<br>
> &nbsp;&nbsp;&nbsp;&nbsp;also=gw-to-gw<br>
> conn gw-to-gw<br>
> &nbsp;&nbsp;&nbsp;&nbsp;left=192.168.10.2<br>
> &nbsp;&nbsp;&nbsp;&nbsp;right=192.168.10.1<br>
> &nbsp;&nbsp;&nbsp;&nbsp;esp=3des-md5<br>
> &nbsp;&nbsp;&nbsp;&nbsp;authby=secret<br>
> &nbsp;&nbsp;&nbsp;&nbsp;type=tunnel<br>
> &nbsp;&nbsp;&nbsp;&nbsp;auto=add<br>
> &nbsp;&nbsp;&nbsp;&nbsp;rekey=yes<br>
> &nbsp;&nbsp;&nbsp;&nbsp;keylife=8h<br>
> &nbsp;&nbsp;&nbsp;&nbsp;ike=3des-md5-modp1024<br>
> &nbsp;&nbsp;&nbsp;&nbsp;aggrmode=no<br>
> &nbsp;&nbsp;&nbsp;&nbsp;pfs=no<br>
> &nbsp;&nbsp;&nbsp;&nbsp;compress=no<br>
> <br>
> ************************************<br>
> <br>
> On the Cisco side of things I get error messages:<br>
> <br>
> 713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 local proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2<br>
> <br>
> I've looked up this error, which is basically complaining that the tunnel addresses on both sides don't match. However, I've checked all my addresses and they match.<br>
> <br>
> One thing wrong to notice from the error is 9.0.1.0 and 11.0.1.0, as I have 9.0.0.1 and 11.0.0.1 configured both in ipsec.conf and on the Cisco ASA.<br>
> <br>
> I've tried googling all the error messages, but nothing I've found has helped. I've plugged my Openswan side into another Openswan configured with the IP of the Cisco ASA side and the tunnel came up fine. Am I missing anything from my config file needed to communicate with the ASA?<br>
> <br>
> Regards,<br>
> Paul Whelan<br>
> <br>
> _______________________________________________<br>
> Users@openswan.org<br>
> http://lists.openswan.org/mailman/listinfo/users<br>
> Building and Integrating Virtual Private Networks with Openswan:<br>
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>
</body>
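<p>A small diagnostic for the mismatch discussed in this thread, added here as an example; it is not code from the thread or from the Openswan project. It uses only the Python standard library, and the ipsec.conf fragment, the pluto "peer ID" line and the ASA 713061 line below are constructed from what was posted. The script flattens <code>also=</code> includes, works out which of left/right is the local Openswan side from the peer address in the pluto log, normalizes host-form subnets (9.0.1.3/24) to the network form (9.0.1.0/24) that actually goes into the Quick Mode ID payload (which is why the ASA reports 9.0.1.0 rather than the 9.0.0.1 the poster was looking for: the conn being negotiated is con1, not con0), and compares the result with the proxies the ASA reported. It assumes the usual reading of the ASA message, where "remote proxy" is the peer's (Openswan's) subnet and "local proxy" is the ASA's own; the function and verdict names are hypothetical. A verdict of <code>asa-side</code> means the proposal is exactly what ipsec.conf says, so the fix belongs in the ASA's crypto map access list, as the reply above suggested; <code>swapped-here</code> means leftsubnet/rightsubnet are reversed on the Openswan side.</p>

```python
"""Compare an Openswan conn's proposed subnets with the proxies an ASA rejected.

Added example (not from the thread or from Openswan).  Inputs below are
constructed from what was posted; only the standard library is used.
"""
import ipaddress
import re

# Constructed ipsec.conf fragment, as posted (host-form subnets kept on purpose).
IPSEC_CONF = """\
conn con0
    rightsubnet=9.0.0.1/24
    leftsubnet=11.0.0.1/24
    also=gw-to-gw
conn con1
    rightsubnet=9.0.1.3/24
    leftsubnet=11.0.1.3/24
    also=gw-to-gw
conn gw-to-gw
    left=192.168.10.2
    right=192.168.10.1
    esp=3des-md5
    authby=secret
    type=tunnel
"""

# Constructed log lines modelled on the pluto and ASA output in the thread.
PLUTO_PEER_LINE = ('Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: Main mode peer ID is '
                   "ID_IPV4_ADDR: '192.168.10.2'")
ASA_LINE = ("713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: no "
            "matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 local "
            "proxy 11.0.1.0/255.255.255.0/0/0 on interface gw2")

_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
PEER_RE = re.compile(r"peer ID is ID_IPV4_ADDR: '" + _IP + "'")
ASA_RE = re.compile("remote proxy " + _IP + "/" + _IP + r"\S* local proxy " + _IP + "/" + _IP)


def parse_ipsec_conf(text):
    """Return {conn_name: {key: [values]}}; 'also' may repeat, so values are lists."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current].setdefault(key, []).append(value)
    return conns


def resolve_conn(conns, name, _seen=None):
    """Flatten also= includes; a conn's own settings win over included ones."""
    _seen = set() if _seen is None else _seen
    if name in _seen:
        raise ValueError("also= loop at conn " + name)
    _seen.add(name)
    merged = {}
    for included in conns[name].get("also", []):
        merged.update(resolve_conn(conns, included, _seen))
    merged.update({k: v[-1] for k, v in conns[name].items() if k != "also"})
    return merged


def normalize(cidr):
    """Openswan proposes the network, not the host: 9.0.1.3/24 goes on the
    wire (and into the peer's log) as 9.0.1.0/24."""
    return ipaddress.ip_network(cidr, strict=False)


def parse_asa_rejection(line):
    """Return (remote_proxy, local_proxy) from an ASA 713061 line, or None."""
    m = ASA_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_network(m.group(1) + "/" + m.group(2), strict=False),
            ipaddress.ip_network(m.group(3) + "/" + m.group(4), strict=False))


def our_side(conn, peer_ip):
    """Openswan decides which of left/right it is from its own addresses; here
    the peer address from the pluto log tells us which side is theirs."""
    if conn.get("left") == peer_ip:
        return "right"
    if conn.get("right") == peer_ip:
        return "left"
    raise ValueError("peer " + peer_ip + " is neither left nor right of this conn")


def diagnose(conn, peer_ip, asa_remote, asa_local):
    """Classify the rejection.  Our subnet is the ASA's *remote* proxy and the
    peer's subnet is its *local* proxy (assumed reading of the ASA message)."""
    ours = our_side(conn, peer_ip)
    theirs = "left" if ours == "right" else "right"
    proposed = (normalize(conn[ours + "subnet"]), normalize(conn[theirs + "subnet"]))
    if proposed == (asa_remote, asa_local):
        return "asa-side"       # proposal matches ipsec.conf: check the ASA crypto map ACL
    if proposed == (asa_local, asa_remote):
        return "swapped-here"   # leftsubnet/rightsubnet reversed in ipsec.conf
    return "other-mismatch"     # a different conn, or different subnets entirely


if __name__ == "__main__":
    conns = parse_ipsec_conf(IPSEC_CONF)
    con1 = resolve_conn(conns, "con1")
    peer = PEER_RE.search(PLUTO_PEER_LINE).group(1)
    asa_remote, asa_local = parse_asa_rejection(ASA_LINE)
    print("ASA saw remote=%s local=%s -> %s"
          % (asa_remote, asa_local, diagnose(con1, peer, asa_remote, asa_local)))
```

<p>Run against the constructed inputs it reports <code>asa-side</code> for con1 (the proposal 9.0.1.0/24 &lt;-&gt; 11.0.1.0/24 is exactly what the ASA logged), and <code>other-mismatch</code> for con0, which is the conn whose 9.0.0.1/11.0.0.1 addresses the poster was comparing against the error.</p>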
</html>