I've got openswan installed on a virtual machine of Ubuntu, IP: 192.168.92.128. It runs on a Windows machine with an IP of 200.200.200.1, which is connected by straight-through cable to a Cisco ASA (200.200.200.2, and 192.168.1.0 for its internal network). So this is just an internal setup for testing some VPNs with the Cisco. I'm getting an error when trying to connect openswan to the ASA as a site-to-site VPN.

003 "tunnelipsec" #1: ignoring Vendor ID payload[FRAGMENTATION c000000]
106 "tunnelipsec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "tunnelipsec" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "tunnelipsec" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
106 "tunnelipsec" #1: received and ignored informational message

My ipsec.conf looks like:

config setup
    plutodebug="all"
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    interfaces=%defaultroute
    klipsdebug=none

conn tunnelipsec
    type=tunnel
    authby=secret
    left=192.168.92.128
    leftnexthop=200.200.200.2
    leftsubnet=192.168.92.0/24
    right=200.200.200.1
    rightnexthop=200.200.200.1
    rightsubnet=192.168.1.0/24
    esp=3des-md5-96
    keyexchange=ike
    pfs=no
    auto=route

The ASA config: if you need more info than this let me know, I just put what I thought to be important.

access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip host 200.200.200.2 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.92.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip host 200.200.200.2 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0

access-group outside_1_cryptomap in interface outside

route outside 192.168.92.0 255.255.255.0 200.200.200.2 1

no sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.168.92.128
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400

tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
    pre-shared-key *

Thanks,

Ryan
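As an added example (not code from the poster), a small Python check that parses the conn block and the ASA crypto-map ACL quoted above and compares the phase 2 traffic selectors, which an IKEv1 peer such as the ASA expects to mirror the other side's proposal exactly. The excerpts are copied from the post; the only assumption is that the ASA is the "right" side of the Openswan conn, as the conn block's addresses indicate.

```python
import ipaddress
import re

# Excerpts copied from the question above (not a complete configuration).
IPSEC_CONF = """
conn tunnelipsec
    leftsubnet=192.168.92.0/24
    rightsubnet=192.168.1.0/24
"""
ASA_ACL = """
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip host 200.200.200.2 192.168.1.0 255.255.255.0
"""

def parse_conn(text):
    """Return the key=value settings of the first conn block as a dict."""
    conf, in_conn = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            in_conn = True
        elif in_conn and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            conf[key] = val
    return conf

def parse_asa_acl(text, name):
    """Return (src, dst) network pairs from the 'permit ip' entries of one named ACL."""
    pairs = []
    for line in text.splitlines():
        m = re.match(rf"access-list {name} extended permit ip (.+)", line.strip())
        if not m:
            continue
        toks, nets = m.group(1).split(), []
        while toks:
            # "host A" is a /32; otherwise "NETWORK MASK" (ASA uses real masks, not wildcards)
            spec = toks[1] if toks[0] == "host" else f"{toks[0]}/{toks[1]}"
            nets.append(ipaddress.ip_network(spec, strict=False))
            toks = toks[2:]
        pairs.append((nets[0], nets[1]))
    return pairs

def check_selectors(conf, acl_pairs):
    """The ASA is Openswan's 'right' peer, so each crypto ACL entry should read
    rightsubnet -> leftsubnet; return a message for every entry that does not."""
    want = (ipaddress.ip_network(conf["rightsubnet"]), ipaddress.ip_network(conf["leftsubnet"]))
    return [f"ACL entry {src} -> {dst} does not mirror conn {want[0]} -> {want[1]}"
            for src, dst in acl_pairs if (src, dst) != want]

PROBLEMS = check_selectors(parse_conn(IPSEC_CONF), parse_asa_acl(ASA_ACL, "outside_1_cryptomap"))
```

Each message in PROBLEMS names an ACL entry whose source/destination pair is not the exact mirror of the Openswan subnets, which is the first thing to compare when phase 2 never completes against an ASA.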