I am trying to connect to a Cisco ASA using OpenSwan on Ubuntu Hardy (NATted). I'm getting the tunnel up but I cannot ping anything between them. Additionally I have another subnetwork, 172.100.100.x, that I want to route through that tunnel as well, so on the Cisco ASA we configured this IPsec tunnel to accept traffic from both networks, and on the Linux box we enabled IP forwarding.

root@hostname:/home/ubuntu#  ipsec whack --name connname --initiate
002 "conname" #1: initiating Main Mode
104 "conname" #1: STATE_MAIN_I1: initiate
003 "conname" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "conname" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
002 "conname" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
002 "conname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "conname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "conname" #1: received Vendor ID payload [Cisco-Unity]
003 "conname" #1: received Vendor ID payload [XAUTH]
003 "conname" #1: ignoring unknown Vendor ID payload [af0b2f2b6db2bf2f75de7d071864b8c5]
003 "conname" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
002 "conname" #1: I did not send a certificate because I do not have one.
003 "conname" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
002 "conname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "conname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "conname" #1: received Vendor ID payload [Dead Peer Detection]
002 "conname" #1: Main mode peer ID is ID_IPV4_ADDR: '81.x.x.x'
002 "conname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "conname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
002 "conname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
117 "conname" #2: STATE_QUICK_I1: initiate
002 "conname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "conname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0x6fda3167 <0x13d53d8b xfrm=3DES_0-HMAC_SHA1 NATD=81.x.x.x:4500 DPD=none}

This is my config file:

# basic configuration
config setup
     klipsdebug=all
     plutodebug=all
     nat_traversal=yes
     nhelpers=1
     interfaces="ipsec0=eth0"

# Add connections here
conn morrison
     type=tunnel
     left=10.228.105.171
     leftid=79.x.x.x
     right=81.x.x.x #IP address of your morrison router
     rightsubnet=172.16.200.0/24
     rightid=81.x.x.x
     authby=secret
     auto=add
     auth=esp
     esp=3des-sha1
     ike=3des-sha1-modp1024
     pfs=no
     forceencaps=yes
#     keyingtries=1
#     aggrmode=yes

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

And my ipsec verify:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.24-10-xen (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

On the Cisco ASA I'm getting this:
No translation group found for udp src outside: 10.228.105.171/44079 dst inside: 172.16.200.95/33522

We have spent days on it and we cannot make it work.

Thank you in advance.
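An added example, not part of the original post, showing why the selectors in an OpenSwan conn decide which traffic is protected: when a conn has no leftsubnet, OpenSwan uses the endpoint address itself (a /32), so a second LAN such as 172.100.100.x needs its own conn with its own leftsubnet. The conf text is a constructed reduction of the posted one; the peer address 203.0.113.1 is a placeholder and the conn name "morrison-lan" is hypothetical.

```python
import ipaddress

# Constructed sample, reduced to the selector-relevant keys of the conn quoted
# in the post; the peer address is a placeholder, not the real ASA address.
POSTED = """\
conn morrison
     left=10.228.105.171
     right=203.0.113.1        # placeholder for the ASA's public address
     rightsubnet=172.16.200.0/24
"""

# Same peer, plus a second conn whose leftsubnet covers the extra LAN (constructed).
WITH_LAN = POSTED + """\
conn morrison-lan
     left=10.228.105.171
     leftsubnet=172.100.100.0/24
     right=203.0.113.1
     rightsubnet=172.16.200.0/24
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for each conn section; '#' comments stripped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("conn "):          # section header is unindented
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            cur[key.strip()] = val.strip().strip('"')
    return conns

def selectors(conn):
    """(left net, right net) of a conn; OpenSwan defaults a missing
    leftsubnet/rightsubnet to the endpoint address itself, i.e. a /32."""
    left = ipaddress.ip_network(conn.get("leftsubnet", conn["left"] + "/32"))
    right = ipaddress.ip_network(conn.get("rightsubnet", conn["right"] + "/32"))
    return left, right

def tunnel_for(conns, src, dst):
    """Name of the first conn whose selectors cover src -> dst, or None when
    no policy matches and the packet would leave the host unprotected."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, conn in conns.items():
        left, right = selectors(conn)
        if s in left and d in right:
            return name
    return None
```

On the live NETKEY host, `ip xfrm policy` shows the selectors the kernel actually installed, which is the authoritative version of this check.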

<pre>