[Openswan Users] IKE / ESP

Ted Kaczmarek tedkaz at optonline.net
Sat Nov 20 15:31:14 CET 2004


On Sat, 2004-11-20 at 09:09 -0800, David Prestwich wrote:
> David Prestwich wrote:
> 
> > What do I set the ike and esp values to for Openswan when the other 
> > end is a cisco concentrator?  I'm failing on the second proposal and 
> > believe it has to do with my settings.
> >
> > ###Cisco specs ###
> > 1. Peer IP address - X.X.X.X
> > 2. Preshared Key - as discussed
> > 3. IKE proposal -- proposed
> > Authentication Mode - preshare
> > Authentication Algorithm- SHA/HMAC
> > Encryption Algorithm - 3DES-168
> > Diffie-Hellman Group- group 2
> > Data Lifetime - 10000 kilobytes (KB).
> > Time Lifetime - 86400 Sec
> > 4. IPSec SA -- proposed
> > Authentication Algorithm - ESP/SHA/HMAC-160
> > Encryption Algorithm - 3DES 168
> > Encapsulation Mode - tunnel
> > Lifetime Measurement - both (data/time)
> > data lifetime - 10000 kilobytes (KB)
> > time lifetime - 28800 seconds
> >
> > I've only done the 3DES-md5 one - not sure about the settings for sha

You shouldn't need SHA, unless your concentrator has some bugs. I know
in a Pix you can do some per-peer settings; maybe the concentrator is the
same.

Example config for Openswan to Pix

conn pix515
        # fill in the placeholders in <...> with your real addresses and subnets
        left=<Openswan's external IP>
        leftsubnet=<subnet behind Openswan you want encapsulated>
        leftnexthop=%defaultroute
        right=<Cisco concentrator's IPsec interface>
        # rightnexthop should not be needed
        rightnexthop=<concentrator's default gateway>
        rightsubnet=<subnet behind the concentrator you want encapsulated>
        authby=secret
        keylife=1h
        auto=start

The left and right MUST match the proposal of the concentrator.

access-list 100 permit ip <subnet behind concentrator you want encapsulated> <mask> <subnet behind Openswan you want encapsulated> <mask>

This is the transform that works fine on a Pix.

crypto ipsec transform-set esp-3d-esp-md5-hma esp-3des esp-md5-hmac

This is the policy the Pix grabs for this connection

isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400




Ted
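As an added example (not from Ted's post, the original question, or the Openswan project), here is an Openswan conn that spells out the ike= and esp= proposals so they match the concentrator spec quoted at the top of the thread (3DES-168, SHA/HMAC, DH group 2, 86400 s for IKE; ESP 3DES-168 with SHA/HMAC-160, tunnel mode, 28800 s for the IPsec SA), together with the matching ipsec.secrets entry. The addresses, subnets, connection name and the pre-shared key are placeholders; pfs=no and the absence of a kilobyte lifetime are assumptions explained in the comments.

```conf
# /etc/ipsec.conf -- added example, not from the original post.
# Proposals written out to match the concentrator's quoted spec:
#   IKE:   3DES-168, SHA/HMAC, Diffie-Hellman group 2 (modp1024), 86400 s
#   IPsec: ESP 3DES-168, SHA/HMAC-160, tunnel mode, 28800 s
# Addresses and subnets below are placeholders from documentation ranges.
conn concentrator
        # Openswan's external IP
        left=198.51.100.10
        # network behind Openswan
        leftsubnet=10.1.0.0/16
        leftnexthop=%defaultroute
        # concentrator's IPsec interface
        right=203.0.113.20
        # network behind the concentrator
        rightsubnet=10.2.0.0/16
        authby=secret
        # Phase 1: encryption-hash-DH group. Openswan calls DH group 2 "modp1024".
        # This string must match the concentrator's IKE proposal exactly.
        ike=3des-sha1-modp1024
        # 86400 s, the concentrator's IKE time lifetime
        ikelifetime=24h
        # Phase 2: ESP with 3DES and HMAC-SHA1 (what Cisco calls esp-sha-hmac)
        esp=3des-sha1
        # 28800 s, the concentrator's IPsec time lifetime.
        # Assumption: this Openswan build has no byte-based lifetime, so the
        # 10000 KB data lifetime is enforced by the Cisco side, which will
        # simply rekey earlier; Openswan answers the new quick mode.
        keylife=8h
        # Assumption: the quoted IPsec proposal lists no PFS group, so PFS is
        # off. If the concentrator is configured with PFS, set pfs=yes.
        pfs=no
        # encapsulation mode from the spec (tunnel is also the default)
        type=tunnel
        auto=start

# /etc/ipsec.secrets -- owned by root, mode 0600. Left IP, right IP, then the PSK.
198.51.100.10 203.0.113.20 : PSK "replace-with-the-agreed-preshared-key"
```

On a Pix the matching phase 1 line would be `isakmp policy 2 hash sha` in place of `hash md5`, and the transform set `esp-3des esp-sha-hmac` in place of `esp-md5-hmac`; the concentrator presents the same choices through its own interface. After `ipsec auto --up concentrator`, a pluto log line ending in "IPsec SA established" means both phases agreed; a NO_PROPOSAL_CHOSEN notification from the peer means the encryption, hash or DH group in ike= or esp= differs from what the concentrator actually has configured, which is exactly the "failing on the second proposal" symptom in the question. 3DES, MD5 and DH group 2 were normal choices in 2004; where both ends support it today, prefer AES with SHA-2 and a larger group.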




