<br><font size=2 face="sans-serif">Hi,</font>
<br>
<br><font size=2 face="sans-serif">To have a ping response I must set the
cisco ios config as following:</font>
<br>
<br><font size=2 face="sans-serif">ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1</font>
<br>
<br><font size=2 face="sans-serif">where GigabitEthernet0/1 is the public
interface</font>
<br>
<br><font size=2 face="sans-serif">Now, the interoperability between Openswan
and CISCO IOS seems to Ok :)</font>
<br>
<br><font size=2 face="sans-serif">Maurice</font>
<br>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td width=40%><font size=1 face="sans-serif"><b>Maurice SELLIN <maurice.sellin@dcnsgroup.com></b>
</font>
<br><font size=1 face="sans-serif">Envoyé par : users-bounces@openswan.org</font>
<p><font size=1 face="sans-serif">14/02/2011 16:41</font>
<td width=59%>
<table width=100%>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">A</font></div>
<td><font size=1 face="sans-serif">users@openswan.org</font>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">cc</font></div>
<td>
<tr valign=top>
<td>
<div align=right><font size=1 face="sans-serif">Objet</font></div>
<td><font size=1 face="sans-serif">[Openswan Users] IPSEC tunnelling between
OPENSWAN and router CISCO 1900: ping
is not OK</font></table>
<br>
<table>
<tr valign=top>
<td>
<td></table>
<br></table>
<br>
<br>
<br><font size=2 face="Courier"><br>
Hello, <br>
<br>
I want to realize a IPSEC tunnel between a linux station and a cisco router
1900. <br>
The initializations phases IKE and ESP are now Ok, but the ping command
doesn't work between the 2 private interfaces (without response)</font><font size=3>
<br>
</font><font size=2 face="Courier"><br>
my network configuration <br>
===================== <br>
10.0.0.1 <--> La.Lb.Lc.Ld <==========> Ra.Rb.Rc.Rd <-->
10.1.0.1 <br>
the linux station has 2 interfaces: 10.0.0.1 and La.Lb.Lc.Ld <br>
the cisco router has 2 interfaces: Ra.Rb.Rc.Rd and 11.0.0.1 </font><font size=3><br>
</font><font size=2 face="Courier"><br>
ipsec.conf</font><font size=3> </font><font size=2 face="Courier"><br>
==========</font><font size=3> </font><font size=2 face="Courier New"><br>
version 2.0 # conforms
to second version of ipsec.conf specification</font><font size=3> </font><font size=2 face="Courier New"><br>
config setup</font><font size=3> </font><font size=2 face="Courier New"><br>
nat_traversal=yes</font><font size=3> </font><font size=2 face="Courier New"><br>
oe=off</font><font size=3> </font><font size=2 face="Courier New"><br>
protostack=netkey</font><font size=3> </font><font size=2 face="Courier New"><br>
nhelpers=0</font><font size=3> </font><font size=2 face="Courier New"><br>
<br>
conn jsat</font><font size=3> </font><font size=2 face="Courier New"><br>
left=La.Lb.Lc.Ld</font><font size=3> </font><font size=2 face="Courier New"><br>
leftsubnet=10.0.0.0/24</font><font size=3>
</font><font size=2 face="Courier New"><br>
leftnexthop=Ra.Rb.Rc.Rd</font><font size=3>
</font><font size=2 face="Courier New"><br>
leftsourceip=10.0.0.1</font><font size=3> <br>
</font><font size=2 face="Courier New"><br>
right=Ra.Rb.Rc.Rd</font><font size=3> </font><font size=2 face="Courier New"><br>
rightsubnet=10.1.0.0/24</font><font size=3>
</font><font size=2 face="Courier New"><br>
rightsourceip=10.1.0.1</font><font size=3>
</font><font size=2 face="Courier New"><br>
rightnexthop=La.Lb.Lc.Ld</font><font size=3>
</font><font size=2 face="Courier New"><br>
<br>
ike=aes128-sha1;modp1024</font><font size=3>
</font><font size=2 face="Courier New"><br>
phase2=esp</font><font size=3> </font><font size=2 face="Courier New"><br>
phase2alg=aes128-sha1;modp1024</font><font size=3>
</font><font size=2 face="Courier New"><br>
<br>
pfs=yes</font><font size=3> </font><font size=2 face="Courier New"><br>
authby=secret</font><font size=3> </font><font size=2 face="Courier New"><br>
auto=add</font><font size=3> <br>
<br>
</font><font size=2 face="Courier"><br>
cisco conf</font><font size=3> </font><font size=2 face="Courier"><br>
==========</font><font size=3> </font><font size=2 face="Courier"><br>
crypto isakmp policy 1</font><font size=3> </font><font size=2 face="Courier"><br>
encr 3des</font><font size=3> </font><font size=2 face="Courier"><br>
hash md5</font><font size=3> </font><font size=2 face="Courier"><br>
authentication pre-share</font><font size=3> </font><font size=2 face="Courier"><br>
group 2</font><font size=3> </font><font size=2 face="Courier"><br>
crypto isakmp key 123456789 address La.Lb.Lc.Ld</font><font size=3> <br>
</font><font size=2 face="Courier"><br>
crypto ipsec transform-set openswan esp-3des esp-md5-hmac</font><font size=3>
</font><font size=2 face="Courier"><br>
!</font><font size=3> </font><font size=2 face="Courier"><br>
crypto map openswan 10 ipsec-isakmp</font><font size=3> </font><font size=2 face="Courier"><br>
set peer La.Lb.Lc.Ld</font><font size=3> </font><font size=2 face="Courier"><br>
set transform-set openswan</font><font size=3> </font><font size=2 face="Courier"><br>
match address 100</font><font size=3> <br>
</font><font size=2 face="Courier"><br>
interface GigabitEthernet0/0</font><font size=3> </font><font size=2 face="Courier"><br>
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$</font><font size=3>
</font><font size=2 face="Courier"><br>
ip address 11.0.0.1 255.255.255.0</font><font size=3> </font><font size=2 face="Courier"><br>
duplex auto</font><font size=3> </font><font size=2 face="Courier"><br>
speed auto</font><font size=3> </font><font size=2 face="Courier"><br>
!</font><font size=3> </font><font size=2 face="Courier"><br>
interface GigabitEthernet0/1</font><font size=3> </font><font size=2 face="Courier"><br>
ip address Ra.Rb.Rc.Rd 255.255.255.0</font><font size=3> </font><font size=2 face="Courier"><br>
duplex auto</font><font size=3> </font><font size=2 face="Courier"><br>
speed auto</font><font size=3> </font><font size=2 face="Courier"><br>
crypto map openswan</font><font size=3> </font><font size=2 face="Courier"><br>
</font><font size=3> </font><font size=2 face="Courier"><br>
access-list 100 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255</font><font size=3>
</font><font size=2 face="Courier"><br>
access-list 100 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255</font><font size=3>
<br>
<br>
</font><font size=2 face="Courier"><br>
ipsec auto --verbose --up jsat</font><font size=3> </font><font size=2 face="Courier"><br>
==============================</font><font size=3> </font><font size=2 face="Courier New"><br>
root@sellin-HP-Compaq-dc7100-SFF-DX878AV:~# ipsec auto --verbose --up jsat</font><font size=3>
</font><font size=2 face="Courier New"><br>
002 "jsat" #1: initiating Main Mode</font><font size=3> </font><font size=2 face="Courier New"><br>
104 "jsat" #1: STATE_MAIN_I1: initiate</font><font size=3> </font><font size=2 face="Courier New"><br>
003 "jsat" #1: received Vendor ID payload [RFC 3947] method set
to=109 <br>
002 "jsat" #1: enabling possible NAT-traversal with method 4</font><font size=3>
</font><font size=2 face="Courier New"><br>
002 "jsat" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2</font><font size=3>
</font><font size=2 face="Courier New"><br>
106 "jsat" #1: STATE_MAIN_I2: sent MI2, expecting MR2</font><font size=3>
</font><font size=2 face="Courier New"><br>
003 "jsat" #1: received Vendor ID payload [Cisco-Unity]</font><font size=3>
</font><font size=2 face="Courier New"><br>
003 "jsat" #1: received Vendor ID payload [Dead Peer Detection]</font><font size=3>
</font><font size=2 face="Courier New"><br>
003 "jsat" #1: ignoring unknown Vendor ID payload [05af61d0311e7d9005da93d0c40f6a6e]</font><font size=3>
</font><font size=2 face="Courier New"><br>
003 "jsat" #1: received Vendor ID payload [XAUTH]</font><font size=3>
</font><font size=2 face="Courier New"><br>
003 "jsat" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal):
no NAT detected</font><font size=3> </font><font size=2 face="Courier New"><br>
002 "jsat" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3</font><font size=3>
</font><font size=2 face="Courier New"><br>
108 "jsat" #1: STATE_MAIN_I3: sent MI3, expecting MR3</font><font size=3>
</font><font size=2 face="Courier New"><br>
002 "jsat" #1: Main mode peer ID is ID_IPV4_ADDR: 'Ra.Rb.Rc.Rd'</font><font size=3>
</font><font size=2 face="Courier New"><br>
002 "jsat" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4</font><font size=3>
</font><font size=2 face="Courier New"><br>
004 "jsat" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=aes_128 prf=oakley_sha group=modp1024}</font><font size=3> </font><font size=2 face="Courier New"><br>
002 "jsat" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW
{using isakmp#1 msgid:f5688a1e proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}</font><font size=3>
</font><font size=2 face="Courier New"><br>
117 "jsat" #2: STATE_QUICK_I1: initiate</font><font size=3> </font><font size=2 face="Courier New"><br>
003 "jsat" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
msgid=f5688a1e</font><font size=3> </font><font size=2 face="Courier New"><br>
002 "jsat" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2</font><font size=3> </font><font size=2 face="Courier New"><br>
004 "jsat" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
tunnel mode {ESP=>0xd693fe78 <0x411d2446 xfrm=AES_128-HMAC_SHA1 NATOA=none
NATD=none DPD=none}</font><font size=3> <br>
<br>
</font><font size=2 face="Courier"><br>
on linux station</font><font size=3> </font><font size=2 face="Courier"><br>
================</font><font size=3> </font><font size=2 face="Courier"><br>
ping -I 10.0.0.1 10.1.0.1</font><font size=3> </font><font size=2 face="Courier"><br>
I can see the ESP protocol message from La.Lb.Lc.Ld to Ra.Rb.Rc.Rd but
not the response Ra.Rb.Rc.Rd to La.Lb.Lc.Ld</font><font size=3> <br>
</font><font size=2 face="Courier"><br>
routing on CISCO</font><font size=3> </font><font size=2 face="Courier"><br>
================</font><font size=3> </font><font size=2 face="Courier"><br>
I think that the link (route ?) between Ra.Rb.Rc.Rd and 10.1.0.1 in not
configured.</font><font size=3> </font><font size=2 face="Courier"><br>
How can I do it on the CISCO.</font><font size=3> <br>
</font><font size=2 face="Courier"><br>
Help me please !</font><font size=3> <br>
</font><font size=2 face="Courier"><br>
Maurice</font><font size=3> </font>
<br><font size=3><tt><br>
</tt></font><font size=3 face="sans-serif"><br>
</font>
<table width=100%>
<tr>
<td width=100%><font size=1 color=#008000>Pensez à l'environnement : avez-vous
besoin d'imprimer ce message ?</font>
<tr>
<td><font size=1 color=#008000>Think environment : Do you need to print
message ?</font>
<tr>
<td><font size=1 color=white>.</font>
<tr>
<td><font size=1>Ce courrier électronique, et éventuellement ses pièces
jointes, peuvent contenir des informations confidentielles et/ou personnelles
et a été envoyé uniquement à l'usage de la personne ou de l'entité
citée ci-dessus. Si vous receviez ce courrier électronique par erreur,
merci de bien vouloir en avertir l'expéditeur immédiatement par la réponse
en retour à ce courrier et effacer l'original et détruire toute copie
enregistrée dans un ordinateur, ou imprimée ou encore sauvegardée sur
un disque . Toute revue, retransmission ou toute autre forme d'utilisation
de ce courrier électronique par toute autre personne que le destinataire
prévue est strictement interdite.</font>
<tr>
<td><font size=1>L'internet ne permettant pas d'assurer l'intégrité de
ce message, l'expéditeur décline toute responsabilité au cas où il
aurait été intercepté ou modifié par quiconque.</font>
<tr>
<td><font size=1>This e-mail and possibly any attachment may contain confidential
and/or privileged information and is intended only for the use of the individual
or entity named above. If you have received it in error, please advise
the sender immediately by reply e-mail and delete and destroy all copies
including all copies stored in the recipient's computer, printed or saved
to disk. . Any review , retransmission, or further use of this e-mail by
persons or entities other than the intended recipient is strictly prohibited.</font>
<tr>
<td><font size=1>Because of the nature of the Internet the sender is not
in a position to ensure the integrity of this message, therefore the sender
disclaims any liability whatsoever, in the event of this message having
been intercepted and/or altered.</font></table>
<p><font size=3 face="sans-serif"><br>
</font><font size=3><tt><br>
</tt></font>
<br><font size=3><tt><br>
</tt></font><font size=2><tt>_______________________________________________<br>
Users@openswan.org<br>
http://lists.openswan.org/mailman/listinfo/users<br>
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br>
Building and Integrating Virtual Private Networks with Openswan: <br>
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br>
</tt></font>
<br>