[Openswan Users] openswan cisco vpn tunnel
Martin Potgieter
martin at isoft.co.za
Tue Mar 16 10:14:48 CET 2004
Hello List,
I am setting up a tunnel between redhat 8 and cisco 1601. Unfortunately
the Cisco image I am using only supports single DES encryption. I know
this is insecure and I should use 3DES instead, but I want to try the DES
encryption until we receive the 3DES image.
Anyway, I have compiled Openswan with support for single DES, but when I
run debug on the Cisco it seems that Openswan only proposes 3DES
encryption. I am not entirely sure what my "esp=" line should look like
in /etc/ipsec.conf. Any help would be appreciated.
Thanks
--------------------------------------------------------8<--------------------------------------
[root at gw root]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in Openswan's doc/examples file, in the HTML documentation, and online
# at http://www.openswan.org/docs/

# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces="ipsec0=eth0"
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=all
    plutodebug=all
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Don't wait for pluto to complete every plutostart before continuing
    plutowait=no
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# Defaults for all connection descriptions
conn %default
    keyingtries=0
    disablearrivalcheck=no
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand
    authby=secret
    auto=add

conn tunnel
    type=tunnel
    left=x.x.x.62
    leftsubnet=192.168.4.0/24
    right=y.y.y.230
    rightsubnet=172.16.6.0/24
    esp=des-md5
    keyexchange=ike
    pfs=no
    auto=add
    authby=secret
--------------------------------------------------------8<--------------------------------------
Cisco debug output showing that only 3DES encryption is being proposed
--------------------------------------------------------8<--------------------------------------
22:31:56: ISAKMP (0:0): received packet from x.x.x.62 dport 500 sport
500 Global (N) NEW SA
22:31:56: ISAKMP: local port 500, remote port 500
22:31:56: ISAKMP: insert sa successfully sa = 346D170
22:31:56: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
22:31:56: ISAKMP (0:1): Old State = IKE_READY New State = IKE_R_MM1
22:31:56: ISAKMP (0:1): processing SA payload. message ID = 0
22:31:56: ISAKMP: Looking for a matching key for x.x.x.62 in default :
success
22:31:56: ISAKMP (0:1): found peer pre-shared key matching x.x.x.62
22:31:56: ISAKMP (0:1) local preshared key found
22:31:56: ISAKMP : Scanning profiles for xauth ...
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 0 against priority 5
policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash MD5
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 5
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 5
policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash SHA
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 5
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 2 against priority 5
policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash MD5
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 2
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 3 against priority 5
policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash SHA
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 2
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 4 against priority 5
policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash MD5
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 1
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 5 against priority 5
policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash SHA
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 1
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 0
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 0 against priority
65535 policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash MD5
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 5
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 1 against priority
65535 policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash SHA
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 5
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 2 against priority
65535 policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash MD5
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 2
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 3 against priority
65535 policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:57: ISAKMP: hash SHA
22:31:57: ISAKMP: auth pre-share
22:31:57: ISAKMP: default group 2
22:31:57: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:57: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:57: ISAKMP (0:1): Checking ISAKMP transform 4 against priority
65535 policy
22:31:57: ISAKMP: life type in seconds
22:31:57: ISAKMP: life duration (basic) of 3600
22:31:57: ISAKMP: encryption 3DES-CBC
22:31:57: ISAKMP: hash MD5
22:31:57: ISAKMP: auth pre-share
22:31:57: ISAKMP: default group 1
22:31:57: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:57: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:57: ISAKMP (0:1): Checking ISAKMP transform 5 against priority
65535 policy
22:31:57: ISAKMP: life type in seconds
22:31:57: ISAKMP: life duration (basic) of 3600
22:31:57: ISAKMP: encryption 3DES-CBC
22:31:57: ISAKMP: hash SHA
22:31:57: ISAKMP: auth pre-share
22:31:57: ISAKMP: default group 1
22:31:57: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:57: ISAKMP (0:1): atts are not acceptable. Next payload is 0
22:31:57: ISAKMP (0:1): no offers accepted!
22:31:57: ISAKMP (0:1): phase 1 SA policy not acceptable! (local
y.y.y.230 remote x.x.x.62)
22:31:57: ISAKMP (0:1): incrementing error counter on sa:
construct_fail_ag_init
22:31:57: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
22:31:57: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM1
22:31:57: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
22:31:57: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_READY
22:32:07: ISAKMP (0:1): received packet from x.x.x.62 dport 500 sport
500 Global (R) MM_NO_STATE
22:32:07: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
22:32:07: ISAKMP (0:1): retransmitting due to retransmit phase 1
22:32:07: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
22:32:07: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
22:32:07: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
22:32:07: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
22:32:07: ISAKMP (0:1): sending packet to x.x.x.62 my_port 500 peer_port
500 (R) MM_NO_STATE
22:32:08: ISAKMP (0:1): received packet from x.x.x.62 dport 500 sport
500 Global (R) MM_NO_STATE
22:32:08: ISAKMP (0:1): Unknown Input: state = IKE_READY, major, minor =
IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
22:32:08: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode
failed with peer at x.x.x.62
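An added example (not part of the post, and not Openswan's or Cisco's own code): a small Python parser for Cisco ISAKMP debug output of the kind quoted above. Every "Checking ISAKMP transform" block in that log is a Phase 1 (ISAKMP/IKE) proposal. In Openswan's ipsec.conf the Phase 1 algorithms are selected by the `ike=` parameter, while `esp=` only governs the Phase 2 IPsec SA, so a change to `esp=` alone does not alter what the Cisco reports at this stage. The script extracts each proposal, handles header lines that were wrapped across two lines as in the paste, records whether the responder rejected it, and flags legacy parameters (single DES, MD5, DH groups 1 and 2) so a reviewer can see the negotiated strength at a glance. The sample log is constructed (two transforms in the shape of the quoted output, one of them a DES proposal that does not appear in the post); the acceptance phrase `atts are acceptable` is an assumption, since only rejections appear in the post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the Cisco debug output quoted in the post.
# The second header is deliberately wrapped across two lines, as in the paste,
# and the DES-CBC transform is invented for the example.
SAMPLE_LOG = """\
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 0 against priority 5 policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption 3DES-CBC
22:31:56: ISAKMP: hash MD5
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 5
22:31:56: ISAKMP (0:1): Encryption algorithm offered does not match policy!
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 3
22:31:56: ISAKMP (0:1): Checking ISAKMP transform 1 against priority
65535 policy
22:31:56: ISAKMP: life type in seconds
22:31:56: ISAKMP: life duration (basic) of 3600
22:31:56: ISAKMP: encryption DES-CBC
22:31:56: ISAKMP: hash SHA
22:31:56: ISAKMP: auth pre-share
22:31:56: ISAKMP: default group 1
22:31:56: ISAKMP (0:1): atts are not acceptable. Next payload is 0
22:31:57: ISAKMP (0:1): no offers accepted!
"""

# Header may end at "priority" when the paste wrapped; the number then sits on the next line.
HEADER_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority(?:\s+(\d+) policy)?")
PRIORITY_CONT_RE = re.compile(r"^\s*(\d+) policy\s*$")
ATTR_RES = {
    "encryption": re.compile(r"ISAKMP: encryption (\S+)"),
    "hash": re.compile(r"ISAKMP: hash (\S+)"),
    "auth": re.compile(r"ISAKMP: auth (\S+)"),
    "group": re.compile(r"ISAKMP: default group (\d+)"),
    "lifetime": re.compile(r"ISAKMP: life duration \(basic\) of (\d+)"),
}
# Parameters a reviewer would flag as legacy in a Phase 1 proposal.
WEAK_ENCRYPTION = {"DES-CBC", "DES"}
WEAK_HASH = {"MD5"}
WEAK_GROUPS = {1, 2}


@dataclass
class Transform:
    number: int
    priority: Optional[int] = None
    encryption: Optional[str] = None
    hash: Optional[str] = None
    auth: Optional[str] = None
    group: Optional[int] = None
    lifetime: Optional[int] = None
    accepted: Optional[bool] = None  # None until the responder's verdict is seen

    def weak_points(self) -> List[str]:
        """Return human-readable reasons this proposal would be considered weak."""
        issues = []
        if self.encryption and self.encryption.upper() in WEAK_ENCRYPTION:
            issues.append(f"single DES encryption ({self.encryption})")
        if self.hash and self.hash.upper() in WEAK_HASH:
            issues.append(f"weak hash ({self.hash})")
        if self.group in WEAK_GROUPS:
            issues.append(f"small DH group ({self.group})")
        return issues


def parse_isakmp_debug(text: str) -> List[Transform]:
    """Extract every Phase 1 transform the peer proposed, with the responder's verdict."""
    transforms: List[Transform] = []
    current: Optional[Transform] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = HEADER_RE.search(line)
        if m:
            current = Transform(number=int(m.group(1)))
            if m.group(2):
                current.priority = int(m.group(2))
            elif i + 1 < len(lines):
                cont = PRIORITY_CONT_RE.match(lines[i + 1])
                if cont:  # header was wrapped; consume the continuation line
                    current.priority = int(cont.group(1))
                    i += 1
            transforms.append(current)
        elif current is not None:
            for name, rx in ATTR_RES.items():
                am = rx.search(line)
                if am:
                    value = am.group(1)
                    setattr(current, name, int(value) if name in ("group", "lifetime") else value)
                    break
            if "atts are not acceptable" in line:
                current.accepted = False
            elif "atts are acceptable" in line:  # assumed wording for an accepted proposal
                current.accepted = True
        i += 1
    return transforms


def summarize(text: str) -> Dict[str, object]:
    """Condense a debug capture into what a reviewer wants: what was offered, what passed."""
    transforms = parse_isakmp_debug(text)
    return {
        "transforms": len(transforms),
        "encryptions_offered": sorted({t.encryption for t in transforms if t.encryption}),
        "accepted": [t.number for t in transforms if t.accepted],
        "weak": {t.number: t.weak_points() for t in transforms if t.weak_points()},
        "negotiation_failed": "no offers accepted!" in text,
    }


if __name__ == "__main__":
    for t in parse_isakmp_debug(SAMPLE_LOG):
        print(t, "weak:", t.weak_points())
    print(summarize(SAMPLE_LOG))
```

Run it against a saved debug capture by passing the file contents to `summarize`; if `encryptions_offered` shows only `3DES-CBC` while the intent was DES, the Phase 1 proposal set (Openswan's `ike=` line) is what to inspect, not `esp=`.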