[Openswan Users] IKE / ESP
Ted Kaczmarek
tedkaz at optonline.net
Sat Nov 20 15:31:14 CET 2004
On Sat, 2004-11-20 at 09:09 -0800, David Prestwich wrote:
> David Prestwich wrote:
>
> > What do I set the ike and esp values to for Openswan when the other
> > end is a cisco concentrator? I'm failing on the second proposal and
> > believe it has to do with my settings.
> >
> > ###Cisco specs ###
> > 1. Peer IP address - X.X.X.X
> > 2. Preshared Key - as discussed
> > 3. IKE proposal -- proposed
> > Authentication Mode - preshare
> > Authentication Algorithm- SHA/HMAC
> > Encryption Algorithm - 3DES-168
> > Diffie-Hellman Group- group 2
> > Data Lifetime - 10000 kilobytes (KB).
> > Time Lifetime - 86400 Sec
> > 4. IPSec SA -- proposed
> > Authentication Algorithm - ESP/SHA/HMAC-160
> > Encryption Algorithm - 3DES 168
> > Encapsulation Mode - tunnel
> > Lifetime Measurement - both (data/time)
> > data lifetime - 10000 kilobytes (KB)
> > time lifetime - 28800 seconds
> >
> > I've only done the 3DES-md5 one - not sure about the settings for sha
You shouldn't need SHA, unless your concentrator has some bugs. I know
in a Pix you can do some per-peer settings; maybe the concentrator is the
same.
Example config for Openswan to Pix:

conn pix515
    left=<Openswan's external IP>
    leftsubnet=<subnet behind Openswan you want encapsulated>
    leftnexthop=%defaultroute
    right=<Cisco concentrator's IPsec interface>
    rightnexthop=<concentrator default gateway, should not be needed>
    rightsubnet=<subnet behind concentrator you want encapsulated>
    authby=secret
    keylife=1h
    auto=start
The left and right MUST match the proposal of the concentrator.
access-list 100 permit ip <subnet behind concentrator you want encapsulated> <subnet behind openswan you want encapsulated>
This is the transform that works fine on a Pix.
crypto ipsec transform-set esp-3d-esp-md5-hma esp-3des esp-md5-hmac
This is the policy the Pix grabs for this connection
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption 3des
isakmp policy 2 hash md5
isakmp policy 2 group 2
isakmp policy 2 lifetime 86400
Ted
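As an added example (not from Ted's post or the Openswan project), this is the conn that maps the SHA-based Cisco proposal quoted above onto Openswan's ike= and esp= keywords; Openswan 2.x ipsec.conf syntax is assumed, and angle-bracket values are placeholders:

```ini
# Added example, not part of the original mail: Openswan conn matching the
# quoted Cisco concentrator proposal (preshare, SHA/HMAC, 3DES-168, DH group 2).
# Put the pre-shared key in /etc/ipsec.secrets; values in <...> are placeholders.
conn cisco-concentrator
    left=<Openswan's external IP>
    leftsubnet=<subnet behind Openswan>/24
    leftnexthop=%defaultroute
    right=<concentrator's IPsec interface IP>
    rightsubnet=<subnet behind concentrator>/24
    authby=secret
    # Phase 1 (IKE proposal): 3DES, SHA1-HMAC, Diffie-Hellman group 2 (modp1024)
    ike=3des-sha1-modp1024
    # IKE time lifetime from the Cisco spec: 86400 seconds
    ikelifetime=24h
    # Phase 2 (IPsec SA): ESP with 3DES and SHA1-HMAC, tunnel mode
    esp=3des-sha1
    type=tunnel
    # IPsec SA time lifetime from the Cisco spec: 28800 seconds
    keylife=8h
    # the 10000 KB data lifetime in the Cisco proposal has no keyword in this conn;
    # the concentrator enforces it on its side
    auto=start
```

For Ted's md5-based Pix transform-set the same conn would use ike=3des-md5-modp1024 and esp=3des-md5 instead.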