[Openswan Users] Connection to Cisco VPN concentrator, working?
Bas Rijniersce
bas at brijn.nu
Wed Dec 21 20:14:04 CET 2005
Hi,
I have a Fedora Core 4 box here that I want to connect to a Cisco 3005
Concentrator. With a bit of Googling I came to the following setup:
-----------------------------------
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    nat_traversal=no
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    uniqueids=yes
    plutowait=no

conn wmg
    type= tunnel
    keyingtries= 0
    authby= secret
    left= <Our IP>
    leftnexthop= <Our GW>
    leftsubnet= 10.20.10.0/24
    right= <Their IP>
    rightnexthop= <Their GW>
    rightsubnet= 172.16.7.230/32
    ikelifetime= 8h
    pfs= no
    auto= add
-----------------------------------
Then I run
-----------------------------------
[root at 204 ~]# ipsec auto --verbose --up wmg
002 "wmg" #1: initiating Main Mode
104 "wmg" #1: STATE_MAIN_I1: initiate
003 "wmg" #1: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
002 "wmg" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "wmg" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "wmg" #1: received Vendor ID payload [Cisco-Unity]
003 "wmg" #1: received Vendor ID payload [XAUTH]
003 "wmg" #1: ignoring unknown Vendor ID payload [75c843c3d8be56dab34a69060e1ff9bd]
003 "wmg" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
002 "wmg" #1: I did not send a certificate because I do not have one.
002 "wmg" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "wmg" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "wmg" #1: received Vendor ID payload [Dead Peer Detection]
002 "wmg" #1: Main mode peer ID is ID_IPV4_ADDR: '<Their IP>'
002 "wmg" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "wmg" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "wmg" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
117 "wmg" #2: STATE_QUICK_I1: initiate
002 "wmg" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "wmg" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3dcc94b3 <0x82e50861 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
-----------------------------------
As far as I can tell the VPN should be up now?
But if I check with ifconfig, I don't see an ipsec0. A "ls /dev/ipsec*" shows
there are no ipsec devices at all??? As a result there is no route, and I
can't test the connection.
Do I manually have to create the /dev/ipsec devices? Google didn't reveal any
problems/tips for this.
Or are they created by OpenSwan when needed? If yes, why don't they show?
Thank you for your time!
Bas
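
An added example, not part of the original post or of Openswan: a small Python parser that reads `ipsec auto --up` output like the log above and reports which SAs pluto logged as established, with their negotiated parameters. The function names are hypothetical, and the sample is copied from the post with its mail-wrapped lines left in; it reports only what pluto logged and does not inspect kernel state or routes.

```python
import re

# Output copied from the post above, including the mail-wrapped continuation lines.
SAMPLE = """\
002 "wmg" #1: initiating Main Mode
003 "wmg" #1: ignoring unknown Vendor ID payload
[4048b7d56ebce88525e7de7f00d6c2d3c0000000]
004 "wmg" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
002 "wmg" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
004 "wmg" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3dcc94b3
<0x82e50861 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
"""

LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
DONE = re.compile(r'^(STATE_\w+): .*?(ISAKMP|IPsec) SA established \{(.*)\}$')

def join_wrapped(text):
    """Re-attach lines that lack the 3-digit status prefix to the line before."""
    out = []
    for raw in text.splitlines():
        if out and not re.match(r"^\d{3} ", raw):
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return out

def parse_params(body):
    """Split the {...} summary into a dict; the SPI tokens have no key=value form."""
    params = {}
    for tok in body.split():
        if "=>" in tok:                      # e.g. ESP=>0x3dcc94b3 (outbound SPI)
            params["proto"], params["spi_out"] = tok.split("=>", 1)
        elif tok.startswith("<"):            # e.g. <0x82e50861 (inbound SPI)
            params["spi_in"] = tok[1:]
        elif "=" in tok:
            key, value = tok.split("=", 1)
            params[key] = value
    return params

def summarize(text, conn):
    """Return the established ISAKMP and IPsec SA details pluto logged for conn."""
    result = {"isakmp": None, "ipsec": None}
    for line in join_wrapped(text):
        m = LINE.match(line)
        done = DONE.match(m.group(4)) if m and m.group(2) == conn else None
        if done:
            result[done.group(2).lower()] = {
                "state": done.group(1), "sa": int(m.group(3)),
                **parse_params(done.group(3))}
    return result
```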