[Openswan Users] Cisco Concentrator Stumped

Eaton, Andy Andy at seas.wustl.edu
Wed Feb 2 19:13:45 CET 2005


I set out to get a tunnel up from a Debian SG to a Cisco 3030
concentrator several days ago.  The Debian machine is running
kernel 2.6.8 because that is the latest kernel I could compile and get
to work on the box.  Therefore I am also trying to use
klips.  I have several issues:
	1.  If I rmmod af_key esp4 ah4 ipcomp, ipsec --version shows I
	    am using klips, but as soon as I start a tunnel or delete a tunnel
	    I go directly back to netkey.  Documentation says it is unstable in
	    everything before 2.6.9.
	2.  No matter what I set the debug levels to in ipsec.conf, I
	    never get any logs in messages or syslog or anywhere else.
	3.  I am completely stuck at State Main I1.  I realize that it
	    is posted all over that port 500 needs to be open on the
	    Debian SG.  I have tested this with nmap from the same vlan that the
	    3030 is in back to the SG.  500 is open on the SG.
	4.  I have been bringing up the tunnel as follows:
	        ipsec auto --add conc
	        ipsec auto --up conc
	    After the second command, ipsec hangs and doesn't do anything.  I see
	    the following only if I issue ipsec auto --delete conc:

Debian-Gateway:/# ipsec auto --add conc
Debian-Gateway:/# ipsec auto --up conc      ----- hangs forever, so ctrl-c
Debian-Gateway:/# ipsec auto --delete conc
003 "conc" #1: ASSERTION FAILED at state.c:308: st->st_suspended_md->st == st
000 "conc" #1: interface lo/lo ::1
000 "conc" #1: interface lo/lo 127.0.0.1
000 "conc" #1: interface eth0/eth0 24.107.189.229
000 "conc" #1: interface eth2/eth2 192.168.1.254
000 "conc" #1: interface vlan2/vlan2 192.168.2.254
000 "conc" #1: interface vlan3/vlan3 192.168.3.254
000 "conc" #1: interface vlan4/vlan4 192.168.4.254
000 "conc" #1: interface vlan5/vlan5 192.168.5.254
000 "conc" #1: %myid = (none)
000 "conc" #1: debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000 "conc" #1:  
000 "conc" #1: algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 "conc" #1: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 "conc" #1: algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 "conc" #1: algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 "conc" #1: algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 "conc" #1: algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 "conc" #1: algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 "conc" #1: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 "conc" #1: algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 "conc" #1: algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 "conc" #1: algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000 "conc" #1:  
000 "conc" #1: algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 "conc" #1: algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 "conc" #1: algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 "conc" #1: algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 "conc" #1: algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 "conc" #1: algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 "conc" #1: algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 "conc" #1: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 "conc" #1: algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 "conc" #1: algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 "conc" #1: algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 "conc" #1:  
000 "conc" #1: stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000 "conc" #1:  
000 "conc" #1: "conc": 192.168.5.0/24===24.107.189.229[@24.107.189.229]---24.107.176.1...128.252.21.62---128.252.21.15===128.252.21.0/24; unrouted; eroute owner: #0
000 "conc" #1: "conc":     srcip=unset; dstip=unset
000 "conc" #1: "conc":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conc" #1: "conc":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; 
000 "conc" #1: "conc":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "conc" #1: "conc":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "conc" #1: "conc":   ESP algorithms loaded: 3_000-1, flags=-strict
000 "conc" #1:  
000 "conc" #1: #1: "conc" STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; nodpd
000 "conc" #1:  

My ipsec.conf looks like:
version 2.0

config setup
        klipsdebug=all
        plutodebug=all
        interfaces="ipsec0=eth0"

conn conc 
        left=24.107.189.229
        leftsubnet=192.168.5.0/24
        leftnexthop=24.107.176.1
        leftid=@24.107.189.229
        right=128.252.21.15
        rightsubnet=128.252.21.0/24
        rightnexthop=128.252.21.62
        rightid=128.252.21.15
        authby=secret
        auto=add

I will say that if I change leftid to something other than what the
concentrator has for this connection, it will complain that
there is no peer group for the session.  Otherwise, I don't see any logs
there at all.

I would have thought this was going to be a little more straightforward,
but maybe not.

Any help is appreciated.  I have done quite a bit of RTFM'ing, so if there is
something else I need to look at, let me know.  Most of
the web pages on the site for Cisco are broken links.

Thanks in advance,

Andrew Eaton
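
The Pluto status dump in the message above says more than it looks like it does, so here is an added example (my code, not from the post and not part of Openswan) that parses lines in that format and reports what they mean. SAMPLE_STATUS is a constructed, trimmed copy of the posted lines; the function names, the finding codes and the messages are mine. The decoding rules it applies are IKEv1/Openswan facts rather than assumptions: STATE_MAIN_I1 with "sent MI1, expecting MR1" means Main Mode message 1 went out and nothing came back, "newest ISAKMP SA: #0" means no Phase 1 SA exists, a leading "@" makes Openswan send the ID as ID_FQDN rather than an address ID, keyingtries 0 is the old spelling of %forever, and the "3_000-1" proposal string is Pluto's `<ealg>_<keylen>-<aalg>` shorthand, which the script resolves against the algorithm table printed earlier in the same dump.

```python
# Added example: parse a Pluto status dump (format as pasted in the post)
# and report what it says. Not code from the post or from Openswan.
import re
import sys

# Constructed sample: a trimmed, unwrapped copy of the lines in the post.
# The '"conc" #1:' prefix is how the output arrived via --delete; a plain
# 'ipsec auto --status' prints '000 interface ...' and '000 "conc": ...'.
SAMPLE_STATUS = """\
000 "conc" #1: interface lo/lo 127.0.0.1
000 "conc" #1: interface eth0/eth0 24.107.189.229
000 "conc" #1: algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 "conc" #1: algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 "conc" #1: "conc": 192.168.5.0/24===24.107.189.229[@24.107.189.229]---24.107.176.1...128.252.21.62---128.252.21.15===128.252.21.0/24; unrouted; eroute owner: #0
000 "conc" #1: "conc":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conc" #1: "conc":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; 
000 "conc" #1: "conc":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "conc" #1: "conc":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "conc" #1: #1: "conc" STATE_MAIN_I1 (sent MI1, expecting MR1); none in -1s; nodpd
"""

IP = r"\d+(?:\.\d+){3}"
PREFIX = re.compile(r'^\d{3}(?: "[^"]+" #\d+:)? ')        # '000 ' or '000 "conc" #1: '
IFACE = re.compile(r"^interface ([^/\s]+)/\S+ (\S+)$")
ALG = re.compile(r"^algorithm ESP (encrypt|auth attr): id=(\d+), name=([^,]+),")
STATE = re.compile(r'^#(?P<sa>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+) \((?P<state_desc>[^)]*)\)')
FIELDS = re.compile(r'^"(?P<conn>[^"]+)":\s+(?P<rest>.*)$')
ROUTE = re.compile(  # leftsubnet===left[leftid]---leftnexthop...rightnexthop---right[rightid]===rightsubnet; routing;
    r'^"(?P<conn>[^"]+)": (?P<leftsubnet>[^=\s]+)===(?P<left>%s)(?:\[(?P<leftid>[^\]]*)\])?'
    r"---(?P<leftnexthop>%s)\.\.\.(?P<rightnexthop>%s)---(?P<right>%s)(?:\[(?P<rightid>[^\]]*)\])?"
    r"===(?P<rightsubnet>[^;\s]+); (?P<routing>[^;]+);" % (IP, IP, IP, IP))


def parse_status(text):
    """Return {'interfaces': {name: [ip]}, 'algs': {kind: {id: name}}, 'conns': {name: {...}}}."""
    out = {"interfaces": {}, "algs": {"encrypt": {}, "auth attr": {}}, "conns": {}}
    for raw in text.splitlines():
        line = PREFIX.sub("", raw, count=1).strip()
        if m := IFACE.match(line):
            out["interfaces"].setdefault(m.group(1), []).append(m.group(2))
        elif m := ALG.match(line):
            out["algs"][m.group(1)][int(m.group(2))] = m.group(3)
        elif m := ROUTE.match(line) or STATE.match(line) or FIELDS.match(line):
            conn = out["conns"].setdefault(m.group("conn"), {})
            if "rest" in m.groupdict():          # 'key: value; key: value;' lines
                for field in m.group("rest").split(";"):
                    key, sep, val = field.partition(":")
                    if sep:
                        conn[key.strip()] = val.strip()
            else:                                # route line or state line
                conn.update({k: v for k, v in m.groupdict().items() if k != "conn" and v is not None})
    return out


def decode_esp(spec, algs):
    """Expand Pluto's '<ealg>_<keylen>-<aalg>' entries (e.g. '3_000-1') via the dump's own table."""
    names = []
    for item in spec.split(","):
        m = re.match(r"^\s*(\d+)_(\d+)-(\d+)\s*$", item)
        if not m:
            continue                             # e.g. 'flags=-strict'
        ealg, keylen, aalg = (int(x) for x in m.groups())
        ename = algs["encrypt"].get(ealg, "ESP id %d" % ealg)
        aname = algs["auth attr"].get(aalg, "auth id %d" % aalg)
        klen = "no keylen set" if keylen == 0 else "%d bits" % keylen
        names.append("%s (%s) + %s" % (ename, klen, aname))
    return names


def diagnose(status, name):
    """(code, message) findings for one conn, in the order worth checking."""
    c = status["conns"][name]
    bound = {ip for ips in status["interfaces"].values() for ip in ips}
    out = []
    if c.get("left") not in bound:
        out.append(("left-not-bound", "left=%s is not an address Pluto listens on" % c.get("left")))
    if c.get("state") == "STATE_MAIN_I1":
        out.append(("no-mr1", "MI1 sent, no MR1 received: either MI1 never reaches the peer or "
                    "MR1 never gets back; capture 'udp port 500' on %s in both directions "
                    "before changing config" % c.get("interface", "the egress interface")))
    if c.get("newest ISAKMP SA") == "#0":
        out.append(("no-phase1", "no ISAKMP SA yet, so Phase 2 settings (ESP algs, PFS, compress) "
                    "are not the problem at this point"))
    if c.get("leftid", "").startswith("@"):
        out.append(("fqdn-id", "leftid %s is sent as an FQDN-type ID (the '@' form), not an "
                    "IPv4-address ID; the peer must expect that exact type and value" % c["leftid"]))
    if c.get("keyingtries") == "0":
        out.append(("retry-forever", "keyingtries 0 means %forever, so 'ipsec auto --up' keeps retrying "
                    "and never returns by itself; use 'ipsec auto --asynchronous --up' and watch the log"))
    return out


if __name__ == "__main__":
    st = parse_status(SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read())
    for conn_name, conn in st["conns"].items():
        print(conn_name, conn.get("state"), decode_esp(conn.get("ESP algorithms wanted", ""), st["algs"]))
        for code, msg in diagnose(st, conn_name):
            print("  [%s] %s" % (code, msg))
```

Run it as-is to see the findings for the posted dump, or pipe a live dump through it (`ipsec auto --status | python3 plutostat.py`, file name assumed); the prefix handling accepts both the bare `000 ...` lines of a normal status and the `000 "conc" #1:` form seen above. The point of the ordering is that on a dump like this one, everything after the Phase 1 line is noise until UDP/500 traffic is seen in both directions on eth0.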


