<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Rescued from the Spam bucket. Please remember to register to the list before posting to it.<br><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="color: rgb(127, 127, 127); "><b>From: </b></span>Sury Bu <<a href="mailto:bxb@ewell.cc">bxb@ewell.cc</a>></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>How to configure leftprotoport in openswan to allow more arguments</b><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">21 October, 2012 5:57:50 AM EDT<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(127, 127, 127, 1.0);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br></span></div><br><br>
<div bgcolor="#FFFFFF" text="#000000">
Hi, All<br>
<br>
I want to set up an IPsec site-to-site VPN between a Cisco ASA5510 and
openswan on CentOS 5.6 x86_64.<br>
<br>
The Main Mode SA is created fine, but Quick Mode has some problems. Following
is the information that appeared on the console.<br>
<br>
[root@www ipsec.d]# ipsec auto --up ewelltouh<br>
104 "ewelltouh" #232: STATE_MAIN_I1: initiate<br>
003 "ewelltouh" #232: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106<br>
003 "ewelltouh" #232: ignoring Vendor ID payload [FRAGMENTATION
c0000000]<br>
106 "ewelltouh" #232: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "ewelltouh" #232: received Vendor ID payload [Cisco-Unity]<br>
003 "ewelltouh" #232: received Vendor ID payload [XAUTH]<br>
003 "ewelltouh" #232: ignoring unknown Vendor ID payload
[a08969c77ff5cd61665e49a075633fa4]<br>
003 "ewelltouh" #232: ignoring Vendor ID payload [Cisco VPN 3000
Series]<br>
003 "ewelltouh" #232: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected<br>
108 "ewelltouh" #232: STATE_MAIN_I3: sent MI3, expecting MR3<br>
003 "ewelltouh" #232: received Vendor ID payload [Dead Peer
Detection]<br>
004 "ewelltouh" #232: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp1024}<br>
117 "ewelltouh" #233: STATE_QUICK_I1: initiate<br>
010 "ewelltouh" #233: STATE_QUICK_I1: retransmission; will wait 20s
for response<br>
010 "ewelltouh" #233: STATE_QUICK_I1: retransmission; will wait 40s
for response<br>
031 "ewelltouh" #233: max number of retransmissions (2) reached
STATE_QUICK_I1.<font color="#ff0000"><i>No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal</i></font><br>
000 "ewelltouh" #233: starting keying attempt 2 of an unlimited
number, but releasing whack<br>
<br>
And here is my ewelltouh connection's configuration file:<br>
<br>
conn ewelltouh<br>
type=tunnel<br>
authby=secret<br>
left=[CentOS Public IP Address]<br>
leftsubnet=172.16.66.254/32<br>
leftnexthop=[CentOS Public IP Address]<br>
leftprotoport=icmp<br>
leftsourceip=172.16.66.254<br>
right=[ASA5510 Public IP Address]<br>
rightsubnet=192.168.248.78/32<br>
rightnexthop=%defaultroute<br>
rightprotoport=icmp<br>
ike=aes256-sha1;modp1024<br>
ikelifetime=8h<br>
phase2=esp<br>
phase2alg=aes256-null,aes256-sha1,aes256-md5,aes-null,aes-sha1,aes128-null,aes128-sha1<br>
salifetime=1h<br>
<br>
The ASA5510 side tells me there is no HMAC used, only AES 256
encryption on ESP.<br>
<br>
I have posted a topic on Cisco support; they tell me ESP cannot use
HMAC and also that it is not recommended.<br>
<br>
So I think I should use aes256-null to match it this way.<br>
<font color="#ff0000"><br>
My question is: are the leftprotoport arguments used in the proposal?
And must these arguments match on each side? </font><br>
<br>
And the remote side (ASA5510) allows tcp port 80 and icmp. <font color="#ff0000">What is the leftprotoport configuration format</font>
so that I can let leftprotoport allow tcp port 80 and icmp on my CentOS
side?<br>
<br>
Thanks,<br>
Sury Bu<br>
</div>
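<p>The following Python script is an added illustration for the question above; it is not part of the original mail and not openswan's own code. It checks protoport strings against the format openswan accepts (<code>protocol[/port]</code>, e.g. <code>tcp/80</code>, <code>udp/1701</code>, <code>17/%any</code>, or a bare protocol such as <code>icmp</code>) and then writes out one <code>conn</code> per selector, because a single conn carries only one leftprotoport/rightprotoport pair: covering both tcp port 80 and icmp takes two conns that share the endpoints, subnets and key settings. The endpoint values in <code>SHARED</code> are constructed placeholders mirroring the layout of the posted config, and the <code>null_integrity_proposals</code> helper simply lists the ESP proposals in a phase2alg string that carry no integrity algorithm, since those leave the tunnel with no tamper protection and are worth a second look before they are deployed.</p>

```python
"""Validate openswan protoport selectors and emit one conn per selector.

Added example, not code from the original mail or from openswan itself.
"""
import re

# Protocol keywords openswan accepts in leftprotoport/rightprotoport;
# numeric IP protocol numbers (e.g. 17/1701) are accepted as well.
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}

_PROTOPORT_RE = re.compile(
    r"^(?P<proto>[a-z]+|\d{1,3})(?:/(?P<port>%any|\d{1,5}))?$"
)


def parse_protoport(value):
    """Parse a protoport string into (ip_protocol_number, port).

    'tcp/80' -> (6, 80); 'icmp' -> (1, None); '17/%any' -> (17, None).
    A port of None means "no port restriction". Raises ValueError on
    malformed input so a typo is caught before it reaches ipsec.conf.
    """
    m = _PROTOPORT_RE.match(value.strip().lower())
    if not m:
        raise ValueError(f"malformed protoport {value!r}; expected proto[/port]")
    proto = m.group("proto")
    if proto.isdigit():
        proto_num = int(proto)
        if proto_num > 255:
            raise ValueError(f"IP protocol number out of range: {proto}")
    elif proto in PROTO_NAMES:
        proto_num = PROTO_NAMES[proto]
    else:
        raise ValueError(f"unknown protocol keyword {proto!r}")
    port = m.group("port")
    if port is None or port in ("%any", "0"):
        return proto_num, None
    port_num = int(port)
    if port_num > 65535:
        raise ValueError(f"port out of range: {port}")
    return proto_num, port_num


def render_conns(base_name, shared, selectors):
    """Emit one conn block per selector.

    A conn carries a single leftprotoport/rightprotoport pair, so a policy
    that must cover both tcp/80 and icmp needs two conns sharing the same
    endpoints, subnets and key settings. The selector is mirrored on both
    sides so it lines up with the peer's proxy identities.
    """
    blocks = []
    for sel in selectors:
        parse_protoport(sel)  # reject malformed selectors before writing config
        suffix = sel.replace("/", "-").replace("%", "")
        lines = [f"conn {base_name}-{suffix}"]
        lines += [f"\t{key}={val}" for key, val in shared.items()]
        lines += [f"\tleftprotoport={sel}", f"\trightprotoport={sel}"]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


def null_integrity_proposals(phase2alg):
    """Return the ESP proposals in a phase2alg list that have no integrity
    algorithm ('-null'). ESP without an authenticator gives no protection
    against modified or replayed packets, so such entries deserve review."""
    return [p.strip() for p in phase2alg.split(",") if p.strip().endswith("-null")]


# Constructed placeholder values laid out like the posted config (assumption).
SHARED = {
    "type": "tunnel",
    "authby": "secret",
    "left": "[CentOS Public IP Address]",
    "leftsubnet": "172.16.66.254/32",
    "right": "[ASA5510 Public IP Address]",
    "rightsubnet": "192.168.248.78/32",
    "ike": "aes256-sha1;modp1024",
    "phase2": "esp",
}

if __name__ == "__main__":
    print(render_conns("ewelltouh", SHARED, ["tcp/80", "icmp"]))
    print("proposals without integrity:",
          null_integrity_proposals("aes256-null,aes256-sha1,aes-null"))
```

<p>Running the script prints two conn blocks, <code>ewelltouh-tcp-80</code> and <code>ewelltouh-icmp</code>, that differ only in their protoport lines; the remaining keys (nexthop, sourceip, lifetimes, phase2alg) would be added to <code>SHARED</code> in the same way.</p>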
<br><br></div></div><br></body></html>