[Openswan Users] openswan and Cisco PIX
Serge Paquin
serge at skycomp.ca
Tue Mar 23 15:38:53 CET 2004
I cannot seem to get IPsec between my Cisco PIX and Openswan working. Below
I have included my configuration for both the Cisco and Openswan, along with
debug output from the Cisco and status output from Openswan.
I am using the latest RPMs (I just downloaded the .tar.gz an hour ago and built
the RPMs myself) for Openswan.
Any suggestions would be appreciated.
Thanks,
Serge.
********* ipsec.conf *********
conn tunnelipsec
type=tunnel
# The Linux box
left=67.71.216.114
leftnexthop=67.71.216.113
leftsubnet=192.168.2.0/24
# The Cisco PIX
right=207.61.27.102
rightnexthop=207.61.27.101
rightsubnet=192.168.7.0/24
esp=3des-md5-96
keyexchange=ike
# Pre-shared keys
#authby=secret
# Turn perfect forwarding security off
pfs=no
# auto=start will bring this up when you start ipsec
auto=start
********* ipsec.secrets *********
67.71.216.114 207.61.27.102: PSK "*****"
********* cisco config: *********
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list NO-NAT permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list FREESWAN-VPN permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0
ip address outside 207.61.27.102 255.255.255.252
ip address inside 192.168.7.50 255.255.255.0
nat (inside) 0 access-list NO-NAT
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address FREESWAN-VPN
crypto map mymap 10 set peer 67.71.216.114
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 67.71.216.114 netmask 255.255.255.255 no-xauth no-c
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
********* ipsec auto --status ***********
000 interface ipsec0/eth1 67.71.216.114
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal
000
000 "tunnelipsec": 192.168.2.0/24===67.71.216.114---67.71.216.113...207.61.27.101---207.61.27.102===192.168.7.0/24; prospective erouted; eroute owner: #0
000 "tunnelipsec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnelipsec": policy: RSASIG+ENCRYPT+TUNNEL+UP+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "tunnelipsec": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "tunnelipsec" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 20s
000 #1: pending Phase 2 for "tunnelipsec" replacing #0
000
********* Cisco Debug Output *********
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth RSA sig
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth RSA sig
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 65535 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth RSA sig
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 65535 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: auth RSA sig
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 65535 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
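The PIX debug above rejects every offered transform, and a useful way to read such output is to diff each offered transform against the configured `isakmp policy` attribute by attribute rather than eyeballing it. The following is an added example for this thread, not code from the original post or from Openswan or Cisco. It parses an excerpt of the posted `debug crypto isakmp` lines (transforms 0 and 3 against priority 5) together with the posted `isakmp policy 5` lines, and reports which attribute each transform fails on. On this input, every transform fails on authentication (Openswan offers `RSA sig`, the PIX policy requires `pre-share`), which matches the `RSASIG` policy shown in the `ipsec auto --status` output and the commented-out `authby=secret` in the posted ipsec.conf. The priority 65535 entries are the PIX's built-in default policy and are not in the posted config, so the example skips them; the alias tables mapping debug spellings such as `3DES-CBC` and `RSA sig` to the policy keywords are my own assumptions.

```python
"""Diagnose an IKE Phase 1 proposal mismatch from Cisco PIX ISAKMP debug output.

Added example for this thread (not the poster's, Openswan's or Cisco's code).
It diffs each transform the initiator offered against the configured
'isakmp policy' lines so the rejected attribute is named explicitly.
"""
import re
from typing import Dict, List, Set, Tuple

# Excerpt of the debug output and config lines quoted in the post above.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 0 against priority 5 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 3600
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP: default group 5
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 5 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
"""

SAMPLE_PIX_CONFIG = """\
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
"""

# Assumed mapping from the attribute names in debug output to 'isakmp policy'
# keywords, and from debug value spellings to policy value spellings.
DEBUG_ATTR = {"encryption": "encryption", "hash": "hash",
              "auth": "authentication", "default group": "group"}
VALUE_ALIASES = {"3des-cbc": "3des", "rsa sig": "rsa-sig"}


def norm(value: str) -> str:
    v = value.strip().lower()
    return VALUE_ALIASES.get(v, v)


def parse_policy(config: str) -> Dict[int, Dict[str, str]]:
    """Collect 'isakmp policy <prio> <attr> <value>' lines per priority."""
    policies: Dict[int, Dict[str, str]] = {}
    for line in config.splitlines():
        m = re.match(r"\s*isakmp policy (\d+) (\w+) (.+)$", line)
        if m:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = norm(m.group(3))
    return policies


def parse_debug(debug: str) -> List[Dict[str, str]]:
    """One dict of normalised attributes per 'Checking ISAKMP transform' block."""
    transforms: List[Dict[str, str]] = []
    current = None
    for line in debug.splitlines():
        m = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+) against priority (\d+) policy", line)
        if m:
            current = {"transform": m.group(1), "policy": m.group(2)}
            transforms.append(current)
            continue
        m = re.match(r"ISAKMP: (encryption|hash|auth|default group) (.+)$", line)
        if m and current is not None:
            current[DEBUG_ATTR[m.group(1)]] = norm(m.group(2))
    return transforms


def mismatches(transform: Dict[str, str], policy: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Return {attribute: (offered, configured)} for each attribute the policy rejects."""
    bad = {}
    for attr in ("encryption", "hash", "authentication", "group"):
        offered, wanted = transform.get(attr), policy.get(attr)
        if offered is not None and wanted is not None and offered != wanted:
            bad[attr] = (offered, wanted)
    return bad


def diagnose(debug: str, config: str) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Diff every offered transform against the policy it was checked against."""
    policies = parse_policy(config)
    report = {}
    for t in parse_debug(debug):
        prio = int(t["policy"])
        if prio not in policies:
            continue  # e.g. priority 65535, the PIX default policy, not in the posted config
        report[f"transform {t['transform']} vs policy {prio}"] = mismatches(t, policies[prio])
    return report


def attributes_rejected_by_all(report: Dict[str, Dict[str, Tuple[str, str]]]) -> Set[str]:
    """Attributes that fail in every transform: the ones no proposal can get past."""
    sets = [set(m) for m in report.values()]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    result = diagnose(SAMPLE_DEBUG, SAMPLE_PIX_CONFIG)
    for name, bad in result.items():
        print(name, bad)
    print("rejected in every transform:", attributes_rejected_by_all(result))
```

Run it as-is to see the per-transform diff; transform 0 also fails on the DH group (5 offered, 2 configured), but the attribute common to all transforms is authentication, which is where a practitioner would look first.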