[Openswan Users] Cisco VPN Concentrator not responding

Luca enz_tn2002 at yahoo.com
Wed Sep 8 15:12:47 CEST 2004


Hi to all,

I have a Debian 3.0 with kernel 2.4.27 + grsecurity patch and OpenSwan 2.1.5.
I created a connection to a Cisco Concentrator 3030 and it is established
successfully with a preshared key, but only if a ping is started from the right
network towards the network on the left side. When I start the VPN, in tcpdump I
see that the first packets on port 500 UDP are

200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 I ident: [|sa] (DF)
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 I ident: [|sa] (DF)
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 I ident: [|sa] (DF)

But the Cisco VPN doesn't respond. Why?

If a ping is started from the network on the right side, the VPN comes up and I
can see this dump in the trace:

200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 R ident: [|sa] (DF)
201.x.x.x.500 > 200.x.x.x.500: isakmp: phase 1 I ident: [|ke]
83.103.30.170.500 > 201.x.x.x.500: isakmp: phase 1 R ident: [|ke] (DF)
201.x.x.x.500 > 200.x.x.x.500: isakmp: phase 1 I ident[E]: [|id]
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 R ident[E]: [|id] (DF)
201.x.x.x.500 > 200.x.x.x.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 2/others R oakley-quick[E]: [|hash] (DF)
80.205.159.230.500 > 200.x.x.x.500: isakmp: phase 2/others I inf[E]: [|hash]
201.x.x.x.500 > 200.x.x.x.500: isakmp: phase 2/others I inf[E]: [|hash]
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 2/others R inf[E]: [|hash] (DF)

This is my configuration on OpenSwan:

version 2.0 

config setup
    klipsdebug=all
    plutodebug=all
    interfaces=%defaultroute
    uniqueids=yes

conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%dns
    rightrsasigkey=%dns
conn cisco
    keyingtries=0
    authby=secret
    left=200.x.x.x
    leftnexthop=%direct
    leftsubnet=192.168.0.0/24
    right=201.x.x.x
    rightnexthop=%direct
    rightsubnet=192.168.100.0/24
    #keylife=8h
    #lifetime=8h
    auto=start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

For the configuration of the Cisco, another person followed this link:
https://okmaybe.com/~mrroach/Freeswan_Cisco_howto.txt

Thanks for help.
Luca
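As an added example that is not part of Luca's post or of Openswan: a small Python script that parses tcpdump's one-line ISAKMP summaries of the kind shown above and reports, for each initiator/peer pair, how many phase-1 proposals went out, whether the peer ever sent a phase-1 reply, and whether a phase-2 (quick mode) exchange followed. Run over the two traces in the post, it makes the unanswered initiation stand out from the completed handshake. The sample traces are constructed after the ones in the post, with the same masked addresses, and the parser understands only this summary format, not verbose packet decodes.

```python
import re

# tcpdump's one-line ISAKMP summary, e.g.
#   200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 I ident: [|sa] (DF)
# Hosts may be masked ("200.x.x.x") as in the post, so the host is any run of
# non-space characters up to the final ".<port>".
LINE_RE = re.compile(
    r"^(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"isakmp: phase (?P<phase>[\w/]+) (?P<role>[IR]) (?P<exch>[^:\s]+)"
)


def parse_isakmp_line(line):
    """Parse one tcpdump ISAKMP summary line; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["phase"] = pkt["phase"].split("/")[0]  # "2/others" -> "2"
    return pkt


def diagnose(lines):
    """Group phase-1 initiator packets by (initiator, peer) and check for answers.

    Returns {(initiator, peer): {"proposals": n, "answered": bool, "phase2": bool}}
      proposals - phase-1 packets the initiator sent (retransmits count)
      answered  - the peer sent at least one phase-1 responder packet back
      phase2    - a phase-2 exchange was seen between the two hosts
    """
    pkts = [p for p in (parse_isakmp_line(l) for l in lines) if p]
    report = {}
    for p in pkts:
        if p["phase"] == "1" and p["role"] == "I":
            entry = report.setdefault(
                (p["src"], p["dst"]),
                {"proposals": 0, "answered": False, "phase2": False},
            )
            entry["proposals"] += 1
    for (init, peer), entry in report.items():
        for p in pkts:
            if (p["src"], p["dst"]) == (peer, init) and p["phase"] == "1" and p["role"] == "R":
                entry["answered"] = True
            if {p["src"], p["dst"]} == {init, peer} and p["phase"] == "2":
                entry["phase2"] = True
    return report


def describe(report):
    """Turn the report into the findings a person reading the trace wants to see."""
    out = []
    for (init, peer), e in sorted(report.items()):
        if not e["answered"]:
            out.append(
                f"{init} sent {e['proposals']} phase-1 proposal(s) to {peer} and got no reply: "
                "check that UDP/500 reaches the peer and that its policy accepts this initiator"
            )
        else:
            state = "phase 2 completed" if e["phase2"] else "phase 1 answered, no phase 2 seen"
            out.append(f"{init} -> {peer}: {e['proposals']} proposal(s), {state}")
    return out


# Constructed sample traces modelled on the two in the post (masked addresses kept).
TRACE_NO_ANSWER = """\
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 I ident: [|sa] (DF)
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 I ident: [|sa] (DF)
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 I ident: [|sa] (DF)
""".splitlines()

TRACE_OK = """\
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 R ident: [|sa] (DF)
201.x.x.x.500 > 200.x.x.x.500: isakmp: phase 1 I ident: [|ke]
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 R ident: [|ke] (DF)
201.x.x.x.500 > 200.x.x.x.500: isakmp: phase 1 I ident[E]: [|id]
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 1 R ident[E]: [|id] (DF)
201.x.x.x.500 > 200.x.x.x.500: isakmp: phase 2/others I oakley-quick[E]: [|hash]
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 2/others R oakley-quick[E]: [|hash] (DF)
201.x.x.x.500 > 200.x.x.x.500: isakmp: phase 2/others I inf[E]: [|hash]
200.x.x.x.500 > 201.x.x.x.500: isakmp: phase 2/others R inf[E]: [|hash] (DF)
""".splitlines()

if __name__ == "__main__":
    for name, trace in (("no answer", TRACE_NO_ANSWER), ("working", TRACE_OK)):
        print(f"== {name} ==")
        for line in describe(diagnose(trace)):
            print(" ", line)
```

In the first trace the only phase-1 traffic is three identical proposals from 200.x.x.x, so the report shows the peer never replied; in the second, the initiator is 201.x.x.x, every phase-1 packet is answered and quick mode follows, which is consistent with the tunnel only coming up when the Cisco side initiates.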

