<div dir="ltr">Thank you, Nick.<div><br></div><div>The Cisco is running DES; I have requested them to use 3DES.</div><div><br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 11, 2015 at 4:38 PM, Nick Howitt <span dir="ltr"><<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Is the Cisco really running with DES and not 3DES? If so, I believe DES has been blocked in Openswan as it is too insecure. You can try changing your ike and esp parameters in your conn, but I don't think it will work.<br>
<br>
Nick<div><div class="h5"><br>
<br>
On 2015-02-11 09:28, Afzal Khan wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
Hi<br>
<br>
I am trying to connect to a Cisco ASA 5520 at a client location. My server runs CentOS with Openswan.<br>
<br>
The config provided by the client is:<br>
<br>
Phase 1 Properties:<br>
Authentication Method - Pre-Shared Secret<br>
Encryption Scheme - IKE<br>
Perfect Fwd Secrecy - IKE DH GROUP2<br>
Encryption Algorithm - IKE DES<br>
Hashing Algorithm - IKE SHA<br>
Renegotiate IKE SA time - 86400 seconds<br>
<br>
Phase 2 Properties:<br>
Transform-set (IPSEC Protocol) - ESP<br>
Perfect Fwd Secrecy - IPSEC DH GROUP2<br>
Encryption Algorithm - IPSEC ESP-DES<br>
Hashing Algorithm - IPSEC ESP-SHA-HMAC<br>
Renegotiate IPSEC SA time - 86400 seconds<br>
<br>
My config:<br>
<br>
conn xyz<br>
    type=tunnel<br>
    authby=secret<br>
    auth=esp<br>
    ikelifetime=86400s<br>
    keylife=86400s<br>
    esp=3des-sha1<br>
    ike=3des-sha1-modp1024<br>
    keyexchange=ike<br>
    pfs=yes<br>
    # local - CentOS<br>
    left=198.xxx.xxx.192<br>
    leftsourceip=192.168.21.101<br>
    # remote - Cisco<br>
    right=121.xxx.xxx.244<br></div></div>
    rightsubnet=172.19.16.0/24<span class=""><br>
<br>
    auto=start<br>
<br>
/var/log/messages:<br>
<br>
Feb 11 14:28:37 host ipsec__plutorun: 002 added connection description "xyz"<br>
Feb 11 14:28:37 host ipsec__plutorun: 104 "xyz" #1: STATE_MAIN_I1: initiate<br>
<br>
/var/log/secure:<br>
<br>
Feb 11 14:28:37 host pluto[26936]: added connection description "xyz"<br>
Feb 11 14:28:37 host pluto[26936]: loading secrets from "/etc/ipsec.d/xyz.secrets"<br>
Feb 11 14:28:37 host pluto[26936]: "xyz" #1: initiating Main Mode<br>
Feb 11 14:28:37 host pluto[26936]: "xyz" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000<br>
Feb 11 14:28:37 host pluto[26936]: "xyz" #1: received and ignored informational message<br>
<br>
iptables -L:<br>
<br>
Chain INPUT (policy DROP)<br>
target prot opt source destination<br></span>
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<br>
...<br>
ACCEPT all -- 127.0.0.1 0.0.0.0/0<br>
icmp_packets icmp -- 0.0.0.0/0 0.0.0.0/0<br>
<br>
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0<br>
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500<br>
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500<br>
DROP all -- 0.0.0.0/0 0.0.0.0/0<span class=""><br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source destination<br>
<br>
Chain OUTPUT (policy DROP)<br>
target prot opt source destination<br></span>
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED<br>
...<br>
ACCEPT all -- 0.0.0.0/0 127.0.0.1<br>
icmp_packets icmp -- 0.0.0.0/0 0.0.0.0/0<br>
<br>
ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0<br>
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500<br>
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500<br>
...<br>
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:444<br>
LOG_DROP all -- 0.0.0.0/0 0.0.0.0/0<span class=""><br>
<br>
What am I doing wrong here?<br>
<br>
Please help me with this.<br>
<br>
Thank You<br>
<br></span>
<br>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</blockquote>
</blockquote></div><br></div></div></div>
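The NO_PROPOSAL_CHOSEN reply in the thread above is the responder saying that none of the initiator's phase 1 proposals matched its own policy: the Openswan side offered ike=3des-sha1-modp1024 and esp=3des-sha1 while the client's sheet configures the ASA for DES/SHA/group 2. The following is an added example, not code from the thread or from Openswan, that models that negotiation as a set intersection, checks the local proposal list against a forbidden-cipher list so that single DES is never offered even when the peer asks for it, and scans the posted pluto log lines for the rejection. The alias tables, the FORBIDDEN_ENC set, the regex and all function names are assumptions made for this example; Openswan's real parser and policy are not being reproduced.

```python
"""Model of the IKEv1 proposal mismatch from the thread (added example,
not Openswan code).  Alias tables and policy are assumed for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Openswan keyword -> canonical name.  Assumed subset for this example only.
ENC_ALIASES = {"des": "DES", "3des": "3DES", "aes": "AES128",
               "aes128": "AES128", "aes256": "AES256"}
HASH_ALIASES = {"sha": "SHA1", "sha1": "SHA1", "md5": "MD5",
                "sha2_256": "SHA256"}
DH_ALIASES = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

# Ciphers this example refuses to offer or accept regardless of what the
# peer wants; single DES has a 56-bit key and is brute-forceable, which is
# why the thread's fix was to move the ASA to 3DES, not to weaken Linux.
FORBIDDEN_ENC = {"DES"}


@dataclass(frozen=True)
class Proposal:
    enc: str
    hash: str
    dh: Optional[int]  # None for ESP when pfs=no


def parse_alg_string(spec: str, default_dh: Optional[int] = None) -> List[Proposal]:
    """Parse an ike=/esp= value such as '3des-sha1-modp1024,aes-sha1-modp1536'.
    For esp= the DH group comes from pfs=yes plus the phase 1 group, which the
    caller passes as default_dh."""
    proposals = []
    for item in spec.split(","):
        parts = item.strip().lower().split("-")
        if len(parts) < 2:
            raise ValueError("malformed proposal: %r" % item)
        dh = DH_ALIASES[parts[2]] if len(parts) > 2 else default_dh
        proposals.append(Proposal(ENC_ALIASES[parts[0]], HASH_ALIASES[parts[1]], dh))
    return proposals


def weak_proposals(proposals: List[Proposal]) -> List[Proposal]:
    """Local policy check: the proposals that use a forbidden cipher."""
    return [p for p in proposals if p.enc in FORBIDDEN_ENC]


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Responder accepts the first initiator proposal that exactly matches one
    of its own (cipher, hash, DH group).  None models NO_PROPOSAL_CHOSEN.
    A real ASA walks its own policy list in priority order, but an empty
    intersection ends the same way."""
    acceptable = set(responder)
    for p in initiator:
        if p in acceptable:
            return p
    return None


PLUTO_REJECT = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: ignoring informational payload, type (?P<notify>\w+)')


def rejected_connections(log_lines: List[str]) -> Dict[str, str]:
    """Map connection name -> notify type for peers that rejected our phase 1."""
    found = {}
    for line in log_lines:
        m = PLUTO_REJECT.search(line)
        if m:
            found[m.group("conn")] = m.group("notify")
    return found


# --- Scenario transcribed from the thread -----------------------------------
CISCO_PHASE1 = [Proposal("DES", "SHA1", 2)]         # client's sheet as posted
CISCO_PHASE1_FIXED = [Proposal("3DES", "SHA1", 2)]  # after the requested change
CISCO_PHASE2_FIXED = [Proposal("3DES", "SHA1", 2)]
LOCAL_IKE = parse_alg_string("3des-sha1-modp1024")
LOCAL_ESP = parse_alg_string("3des-sha1", default_dh=2)  # pfs=yes, group 2

# Constructed copy of the relevant /var/log/secure lines from the post.
SAMPLE_LOG = [
    'Feb 11 14:28:37 host pluto[26936]: "xyz" #1: initiating Main Mode',
    'Feb 11 14:28:37 host pluto[26936]: "xyz" #1: ignoring informational '
    'payload, type NO_PROPOSAL_CHOSEN msgid=00000000',
]


def run_scenario():
    """Return (phase 1 before fix, phase 1 after fix, phase 2 after fix, log diagnosis)."""
    before = negotiate(LOCAL_IKE, CISCO_PHASE1)
    after1 = negotiate(LOCAL_IKE, CISCO_PHASE1_FIXED)
    after2 = negotiate(LOCAL_ESP, CISCO_PHASE2_FIXED)
    return before, after1, after2, rejected_connections(SAMPLE_LOG)


if __name__ == "__main__":
    before, after1, after2, diag = run_scenario()
    print("log diagnosis:", diag)
    print("phase 1 with DES on the ASA:", before)
    print("phase 1 after ASA moves to 3DES:", after1)
    print("phase 2 after ASA moves to 3DES:", after2)
    # Offering DES would satisfy the old ASA but fail the local policy check:
    print("weak:", weak_proposals(parse_alg_string("des-sha1-modp1024")))
```

The point of keeping a separate policy check is that "just match the peer" is the wrong reflex here: a proposal list is an offer to accept whatever is on it, so adding des-sha1 to ike= to satisfy the ASA would make the CentOS side willing to run DES with any peer that shares the secret.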