[Openswan Users] Connection to Cisco VPN concentrator, working?

Bas Rijniersce bas at brijn.nu
Wed Dec 21 20:14:04 CET 2005


Hi,

I have a Fedora Core 4 box here that I want to connect to a Cisco 3005
Concentrator. With a bit of Googling I came to the following setup:
-----------------------------------
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        nat_traversal=no
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        uniqueids=yes
        plutowait=no

conn wmg
        type=           tunnel
        keyingtries=    0
        authby=         secret
        left=           <Our IP>
        leftnexthop=    <Our GW>
        leftsubnet=     10.20.10.0/24
        right=          <Their IP>
        rightnexthop=   <Their GW>
        rightsubnet=    172.16.7.230/32
        ikelifetime=    8h
        pfs=            no
        auto=           add
-----------------------------------

Then I run
-----------------------------------
[root@204 ~]# ipsec auto --verbose --up wmg
002 "wmg" #1: initiating Main Mode
104 "wmg" #1: STATE_MAIN_I1: initiate
003 "wmg" #1: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
002 "wmg" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "wmg" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "wmg" #1: received Vendor ID payload [Cisco-Unity]
003 "wmg" #1: received Vendor ID payload [XAUTH]
003 "wmg" #1: ignoring unknown Vendor ID payload [75c843c3d8be56dab34a69060e1ff9bd]
003 "wmg" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
002 "wmg" #1: I did not send a certificate because I do not have one.
002 "wmg" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "wmg" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "wmg" #1: received Vendor ID payload [Dead Peer Detection]
002 "wmg" #1: Main mode peer ID is ID_IPV4_ADDR: '<Their IP>'
002 "wmg" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "wmg" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "wmg" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
117 "wmg" #2: STATE_QUICK_I1: initiate
002 "wmg" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "wmg" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3dcc94b3 <0x82e50861 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
-----------------------------------

As far as I can tell the VPN should be up now?

But if I check with ifconfig, I don't see an ipsec0. A "ls /dev/ipsec*" shows
there are no ipsec devices at all??? As a result there is no route, and I
can't test the connection.

Do I manually have to create the /dev/ipsec devices? Google didn't reveal any
problems/tips for this.
Or are they created by OpenSwan when needed, if yes, why don't they show?

Thank you for your time!
Bas
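
An added example, not part of the original message and not Openswan code: a Python parser for the `ipsec auto --up` output above that extracts each established SA with its negotiated parameters and flags legacy algorithm choices. The function names and the `LEGACY` list (this example's own review policy) are assumptions.

```python
import re

# Lines copied from the session above, with mail-wrapped lines rejoined.
SAMPLE = '''\
002 "wmg" #1: initiating Main Mode
004 "wmg" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "wmg" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
004 "wmg" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3dcc94b3 <0x82e50861 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
'''

# status code, connection name, SA number, state name, message, {parameters}
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (STATE_\w+): (.*?)\{(.*)\}\s*$')
# Review policy of this example (an assumption, not an Openswan setting):
# substrings of negotiated values that are reported as legacy.
LEGACY = ("3des", "md5", "modp1024")

def parse_sas(text):
    """Return one dict per 'SA established' line: conn, sa, state, kind, params."""
    sas = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or "SA established" not in m.group(5):
            continue
        params = {}
        for tok in m.group(6).split():
            if tok.startswith("<0x"):            # inbound SPI has no key= prefix
                params["ESP_in"] = tok[1:]
            elif "=" in tok:
                key, val = tok.split("=", 1)
                if key == "ESP":                 # "ESP=>0x..." is the outbound SPI
                    key, val = "ESP_out", val.lstrip(">")
                params[key] = val
        kind = "ISAKMP" if "ISAKMP" in m.group(5) else "IPsec"
        sas.append({"conn": m.group(2), "sa": int(m.group(3)),
                    "state": m.group(4), "kind": kind, "params": params})
    return sas

def legacy_findings(sas):
    """List (kind, key, value) for every negotiated value matching LEGACY."""
    return [(sa["kind"], k, v) for sa in sas for k, v in sa["params"].items()
            if any(word in v.lower() for word in LEGACY)]

if __name__ == "__main__":
    found = parse_sas(SAMPLE)
    for sa in found:
        print(sa["kind"], "SA", f'#{sa["sa"]}', sa["state"], sa["params"])
    for kind, key, val in legacy_findings(found):
        print("legacy:", kind, key, val)
```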


