<br><font size=2 face="sans-serif">Hi,</font>
<br>
<br><font size=2 face="sans-serif">For have a good phase II initialization
, the acces list must be set on 2 privates subnet address 10.0.0.0 and
10.1.0.0 and on the two sides</font>
<br>
<br><font size=2 face="sans-serif">access-list 100 permit ip 10.0.0.0 0.0.0.255
10.1.0.0 0.0.0.255</font>
<br><font size=2 face="sans-serif">access-list 100 permit ip 10.1.0.0 0.0.0.255
10.0.0.0 0.0.0.255</font>
<br>
<br><font size=2 face="sans-serif">the cipher and hash parameters are set
to</font>
<br><font size=2 face="sans-serif"> ike=aes128-sha1;modp1024</font>
<br><font size=2 face="sans-serif"> phase2=esp</font>
<br><font size=2 face="sans-serif"> phase2alg=aes128-sha1;modp1024
</font>
<br><font size=2 face="sans-serif"> pfs=yes</font>
<br>
<br><font size=2 face="sans-serif">Now, the interoperability between Openswan
and CISCO IOS is Ok :)</font>
<br><font size=2 face="sans-serif">Maurice</font>
<br>
<br>
<br><font size=2 face="sans-serif">Maurice Sellin<br>
DCNS Ingénierie Navires Armés<br>
(33) 02 97 12 23 31</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Vincent Tamet <vincent.tamet@ilimit.net></b>
</font>
<br><font size=1 face="sans-serif">Envoyé par : users-bounces@openswan.org</font>
<p><font size=1 face="sans-serif">10/02/2011 15:07</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">A</font></div>
<td><font size=1 face="sans-serif">users@openswan.org</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Objet</font></div>
<td><font size=1 face="sans-serif">Re: [Openswan Users] IPSEC tunnelling
between OPENSWAN and router CISCO 1900: STATE_QUICK_I1 problem</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=2><tt>Hi,<br>
I use the -96 to connect to cisco 870 series, and works fine.<br>
esp=3des-md5-96<br>
<br>
Best regards.<br>
<br>
Vince<br>
OSG[PCQ]<br>
<br>
----- Mail original -----<br>
De: "Maurice SELLIN" <maurice.sellin@dcnsgroup.com><br>
À: users@openswan.org<br>
Envoyé: Jeudi 10 Février 2011 14:44:30<br>
Objet: [Openswan Users] IPSEC tunnelling between OPENSWAN and router CISCO
1900: STATE_QUICK_I1 problem<br>
<br>
<br>
<br>
Hello, <br>
<br>
I want to realize a IPSEC tunnel between a linux station and a cisco router
1900. <br>
But I have problems to connect the linux openswan system to the cisco router
1900 because the STATE_QUICK_I1 step is not ok. <br>
<br>
my network configuration <br>
===================== <br>
10.0.0.1 <--> 100.180.26.105 <==========> 100.180.26.106 <-->
11.0.0.1 <br>
the linux station has 2 interfaces: 10.0.0.1 and 100.189.26.105 <br>
the cisco router has 2 interfaces: 100.189.26.106 and 11.0.0.1 <br>
<br>
the message error after a connection attempt: <br>
====================================== <br>
root@sellin-HP-Compaq-dc7100-SFF-DX878AV:~# ipsec auto --verbose --up jsat
<br>
002 "jsat" #1: initiating Main Mode <br>
104 "jsat" #1: STATE_MAIN_I1: initiate <br>
003 "jsat" #1: received Vendor ID payload [RFC 3947] method set
to=109 <br>
002 "jsat" #1: enabling possible NAT-traversal with method 4
<br>
002 "jsat" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
<br>
106 "jsat" #1: STATE_MAIN_I2: sent MI2, expecting MR2 <br>
003 "jsat" #1: received Vendor ID payload [Cisco-Unity] <br>
003 "jsat" #1: received Vendor ID payload [Dead Peer Detection]
<br>
003 "jsat" #1: ignoring unknown Vendor ID payload [4d84a39fa030c5a5cc6e37f178f28f74]
<br>
003 "jsat" #1: received Vendor ID payload [XAUTH] <br>
003 "jsat" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
no NAT detected <br>
002 "jsat" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
<br>
108 "jsat" #1: STATE_MAIN_I3: sent MI3, expecting MR3 <br>
002 "jsat" #1: Main mode peer ID is ID_IPV4_ADDR: '100.180.26.106'
<br>
002 "jsat" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
<br>
004 "jsat" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024} <br>
002 "jsat" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW
{using isakmp#1 msgid:483a3931 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
<br>
117 "jsat" #2: STATE_QUICK_I1: initiate <br>
010 "jsat" #2: STATE_QUICK_I1: retransmission; will wait 20s
for response <br>
010 "jsat" #2: STATE_QUICK_I1: retransmission; will wait 40s
for response <br>
031 "jsat" #2: max number of retransmissions (2) reached STATE_QUICK_I1.
No acceptable response to our first Quick Mode message: perhaps peer likes
no proposal <br>
000 "jsat" #2: starting keying attempt 2 of an unlimited number,
but releasing whack <br>
root@sellin-HP-Compaq-dc7100-SFF-DX878AV:~# <br>
<br>
the /etc/ipsec.conf file <br>
================== <br>
# This file: /usr/share/doc/openswan/ipsec.conf-sample <br>
# <br>
# Manual: ipsec.conf.5 <br>
version 2.0 # conforms to second version of ipsec.conf specification <br>
# basic configuration <br>
config setup <br>
nat_traversal=yes <br>
oe=off <br>
protostack=netkey <br>
nhelpers=0 <br>
<br>
# Add connections here <br>
# sample VPN connection <br>
# for more examples, see /etc/ipsec.d/examples/ <br>
conn jsat <br>
left=100.180.26.105 <br>
leftsubnet=10.0.0.0/24 <br>
leftnexthop=100.180.26.106 <br>
leftsourceip=10.0.0.1 <br>
<br>
right=100.180.26.106 <br>
rightsubnet=11.0.0.0/24 <br>
rightsourceip=11.0.0.1 <br>
rightnexthop=100.180.26.105 <br>
auto=add <br>
ike=3des-md5 <br>
phase2alg=3des-md5 <br>
authby=secret <br>
<br>
/etc/ipsec.secrets file <br>
================== <br>
100.180.26.105 100.180.26.106: PSK "123456789" <br>
<br>
on cisco the show running config <br>
================================ <br>
Router#show running-config <br>
Building configuration... <br>
Current configuration : 1258 bytes <br>
! <br>
! Last configuration change at 12:48:49 UTC Thu Feb 10 2011 <br>
! <br>
version 15.0 <br>
service timestamps debug datetime msec <br>
service timestamps log datetime msec <br>
no service password-encryption <br>
! <br>
hostname Router <br>
! <br>
boot-start-marker <br>
boot-end-marker <br>
! <br>
! <br>
no aaa new-model <br>
! <br>
! <br>
! <br>
! <br>
no ipv6 cef <br>
ip source-route <br>
ip cef <br>
! <br>
! <br>
! <br>
! <br>
! <br>
multilink bundle-name authenticated <br>
! <br>
! <br>
! <br>
license udi pid CISCO1941/K9 sn FHK1447783T <br>
! <br>
! <br>
! <br>
redundancy <br>
! <br>
! <br>
! <br>
! <br>
crypto isakmp policy 1 <br>
encr 3des <br>
hash md5 <br>
authentication pre-share <br>
group 2 <br>
crypto isakmp key 123456789 address 100.180.26.105 <br>
! <br>
! <br>
crypto ipsec transform-set openswan esp-3des esp-md5-hmac <br>
! <br>
crypto map openswan 10 ipsec-isakmp <br>
set peer 100.180.26.105 <br>
set transform-set openswan <br>
match address 100 <br>
! <br>
! <br>
! <br>
! <br>
! <br>
interface GigabitEthernet0/0 <br>
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$ <br>
ip address 11.0.0.1 255.255.255.0 <br>
duplex auto <br>
speed auto <br>
! <br>
! <br>
interface GigabitEthernet0/1 <br>
ip address 100.180.26.106 255.255.255.0 <br>
duplex auto <br>
speed auto <br>
crypto map openswan <br>
! <br>
! <br>
ip forward-protocol nd <br>
! <br>
no ip http server <br>
no ip http secure-server <br>
! <br>
! <br>
access-list 100 permit ip 10.0.0.0 0.0.0.255 11.0.0.0 0.0.0.255 <br>
! <br>
! <br>
! <br>
! <br>
! <br>
! <br>
control-plane <br>
! <br>
! <br>
! <br>
line con 0 <br>
line aux 0 <br>
line vty 0 4 <br>
login <br>
! <br>
scheduler allocate 20000 1000 <br>
end <br>
<br>
on cisco the result of show crypto isakmp sa detail <br>
=========================================== <br>
Router#show crypto isakmp sa detail <br>
Codes: C - IKE configuration mode, D - Dead Peer Detection <br>
K - Keepalives, N - NAT-traversal <br>
T - cTCP encapsulation, X - IKE Extended Authentication <br>
psk - Preshared key, rsig - RSA signature <br>
renc - RSA encryption <br>
IPv4 Crypto ISAKMP SA <br>
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap. <br>
1004 100.180.26.106 100.180.26.105 ACTIVE 3des md5 psk 2 00:19:39 <br>
Engine-id:Conn-id = SW:4 <br>
IPv6 Crypto ISAKMP SA <br>
<br>
on cisco the result of show crypto ipsec sa <br>
==================================== <br>
Router#show crypto ipsec sa <br>
interface: GigabitEthernet0/1 <br>
Crypto map tag: openswan, local addr 100.180.26.106 <br>
protected vrf: (none) <br>
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0) <br>
remote ident (addr/mask/prot/port): (11.0.0.0/255.255.255.0/0/0) <br>
current_peer 100.180.26.105 port 500 <br>
PERMIT, flags={origin_is_acl,} <br>
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 <br>
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 <br>
#pkts compressed: 0, #pkts decompressed: 0 <br>
#pkts not compressed: 0, #pkts compr. failed: 0 <br>
#pkts not decompressed: 0, #pkts decompress failed: 0 <br>
#send errors 0, #recv errors 0 <br>
local crypto endpt.: 100.180.26.106, remote crypto endpt.: 100.180.26.105
<br>
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 <br>
current outbound spi: 0x0(0) <br>
PFS (Y/N): N, DH group: none <br>
inbound esp sas: <br>
inbound ah sas: <br>
inbound pcp sas: <br>
outbound esp sas: <br>
outbound ah sas: <br>
outbound pcp sas: <br>
<br>
the software and os versions <br>
======================== <br>
-linux: xubuntu 10.10 <br>
# uname --a <br>
Linux sellin-HP-Compaq-dc7100-SFF-DX878AV 2.6.35-22-generic #33-Ubuntu
SMP Sun Sep 19 20:34:50 UTC 2010 i686 GNU/Linux <br>
-openswan: 2.6.26+dfsg-1 <br>
-Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M4,
RELEASE SOFTWARE (fc1) <br>
<br>
Can you help me please. <br>
regards, <br>
<br>
Maurice Sellin <br>
DCNS Ingenierie Navires Armes <br>
(33) 02 97 12 23 31 <br>
<br>
Pensez à l'environnement : avez-vous besoin d'imprimer ce message ? <br>
<br>
<br>
Think environment : Do you need to print message ? <br>
<br>
<br>
. <br>
<br>
<br>
Ce courrier électronique, et éventuellement ses pièces jointes, peuvent
contenir des informations confidentielles et/ou personnelles et a
été envoyé uniquement à l'usage de la personne ou de l'entité citée
ci-dessus. Si vous receviez ce courrier électronique par erreur, merci
de bien vouloir en avertir l'expéditeur immédiatement par la réponse en
retour à ce courrier et effacer l'original et détruire toute copie
enregistrée dans un ordinateur, ou imprimée ou encore sauvegardée sur un
disque . Toute revue, retransmission ou toute autre forme d'utilisation
de ce courrier électronique par toute autre personne que le destinataire
prévue est strictement interdite. <br>
<br>
<br>
L'internet ne permettant pas d'assurer l'intégrité de ce message, l'expéditeur
décline toute responsabilité au cas où il aurait été intercepté ou modifié
par quiconque. <br>
<br>
<br>
This e-mail and possibly any attachment may contain confidential and/or
privileged information and is intended only for the use of the individual
or entity named above. If you have received it in error, please advise
the sender immediately by reply e-mail and delete and destroy all
copies including all copies stored in the recipient's computer, printed
or saved to disk. . Any review , retransmission, or further use of this
e-mail by persons or entities other than the intended recipient is strictly
prohibited. <br>
<br>
<br>
Because of the nature of the Internet the sender is not in a position to
ensure the integrity of this message, therefore the sender disclaims any
liability whatsoever, in the event of this message having been intercepted
and/or altered. <br>
_______________________________________________<br>
Users@openswan.org<br>
http://lists.openswan.org/mailman/listinfo/users<br>
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>
Building and Integrating Virtual Private Networks with Openswan: <br>
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>
_______________________________________________<br>
Users@openswan.org<br>
http://lists.openswan.org/mailman/listinfo/users<br>
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>
Building and Integrating Virtual Private Networks with Openswan: <br>
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>
</tt></font>
<br>