[Openswan Users] IKE / ESP

David Prestwich dprestwich at pacsim.com
Sun Nov 21 06:40:24 CET 2004


Ted Kaczmarek wrote:

>On Sat, 2004-11-20 at 09:09 -0800, David Prestwich wrote:
>  
>
>>David Prestwich wrote:
>>
>>    
>>
>>>What do I set the ike and esp values to for Openswan when the other 
>>>end is a cisco concentrator?  I'm failing on the second proposal and 
>>>believe it has to do with my settings.
>>>
>>>###Cisco specs ###
>>>1. Peer IP address - X.X.X.X
>>>2. Preshared Key - as discussed
>>>3. IKE proposal -- proposed
>>>Authentication Mode - preshare
>>>Authentication Algorithm- SHA/HMAC
>>>Encryption Algorithm - 3DES-168
>>>Diffie-Hellman Group- group 2
>>>Data Lifetime - 10000 kilobytes (KB).
>>>Time Lifetime - 86400 Sec
>>>4. IPSec SA -- proposed
>>>Authentication Algorithm - ESP/SHA/HMAC-160
>>>Encryption Algorithm - 3DES 168
>>>Encapsulation Mode - tunnel
>>>Lifetime Measurement - both (data/time)
>>>data lifetime - 10000 kilobytes (KB)
>>>time lifetime - 28800 seconds
>>>
>>>I've only done the 3DES-md5 one - not sure about the settings for sha
>>>_______________________________________________
>>>Users mailing list
>>>      
>>>
>
>You shouldn't need to use SHA, unless your concentrator has some bugs. I know
>in a Pix you can do some per-peer settings, maybe the concentrator is the
>same. 
>
>Example config for Openswan to Pix
>
>conn pix515
>        left=Openswans external IP
>        leftsubnet=What subnet behind openswan you want encapsulated
>        leftnexthop=%defaultroute
>        right=Cisco Concentrators ipsec interface
>        rightnexthop=Concentrator def gateway, should not be needed
>        rightsubnet=subnet behind concentrator you want encapsulated
>        authby=secret
>        keylife=1h
>        auto=start
>
>The left and right MUST match the proposal of the concentrator.
>
>access-list 100 permit ip "subnet behind concentrator you want
>encapsulated" "subnet behind openswan you want encapsulated"
>
>This is the transform that works fine on a Pix.
>
>crypto ipsec transform-set esp-3d-esp-md5-hma esp-3des esp-md5-hmac
>
>This is the policy the Pix grabs for this connection
>
>isakmp policy 2 authentication pre-share
>isakmp policy 2 encryption 3des
>isakmp policy 2 hash md5
>isakmp policy 2 group 2
>isakmp policy 2 lifetime 86400
>
>
>
>
>Ted
>
>
>
>  
>
I would really like to just change the Cisco Concentrator to MD5 - but 
it's not my firewall and I have no control over it.  I just know that 
I'm having no luck on the second proposal.
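As an added example that is not part of this thread (neither David's nor Ted's config): an Openswan 2.x conn following the skeleton Ted posted, but with ike= and esp= set to exactly the proposal David quoted from the concentrator (3DES-168, HMAC-SHA1, DH group 2, 86400 s IKE lifetime, ESP 3DES/SHA1 in tunnel mode, 28800 s IPsec SA lifetime). The addresses, subnets and the pre-shared key are placeholders, not values from the thread. Openswan's ipsec.conf has no kilobyte-based lifetime keyword, so only the time lifetimes are set; the concentrator's 10000 KB data lifetime is left for the Cisco side to enforce by rekeying early.

```ini
# /etc/ipsec.conf (Openswan 2.x) -- added example, not from the thread.
# Placeholders: 192.0.2.1 / 10.1.0.0/24 = Openswan side,
#               198.51.100.1 / 10.2.0.0/24 = Cisco concentrator side.
conn cisco-concentrator
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        leftnexthop=%defaultroute
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        authby=secret
        # Phase 1 (IKE): 3DES-168, SHA1/HMAC, DH group 2 = modp1024, 86400 s
        ike=3des-sha1-modp1024
        ikelifetime=86400s
        # Phase 2 (IPsec SA): ESP 3DES-168 + HMAC-SHA1 ("ESP/SHA/HMAC-160"),
        # tunnel mode, 28800 s time lifetime
        esp=3des-sha1
        keylife=28800s
        type=tunnel
        # Openswan defaults to pfs=yes; the quoted Cisco spec says nothing
        # about PFS, so if Phase 2 still fails with a "no acceptable proposal"
        # style error, try pfs=no to match a concentrator with PFS disabled.
        # pfs=no
        auto=start

# /etc/ipsec.secrets -- same placeholders; replace the key (assumption)
# 192.0.2.1 198.51.100.1 : PSK "replace-with-the-agreed-preshared-key"
```

Bring the tunnel up with `ipsec auto --up cisco-concentrator` and watch the Pluto log (syslog auth facility, usually /var/log/secure or /var/log/auth.log): a successful run shows "ISAKMP SA established" for Phase 1 followed by "IPsec SA established" for Phase 2, and a mismatch on either proposal is reported right after the corresponding line, which is how you tell whether it is the IKE or the ESP settings that still differ from the concentrator.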

