[Openswan Users] CISCO heartburn

Ryley Breiddal RBreiddal at presinet.com
Fri Jan 28 16:21:41 CET 2005


Jeff Herring wrote:
[snip]
> # defaults for subsequent connection descriptions
> conn %default
>          # How persistent to be in (re)keying negotiations (0 means very).
>          keyingtries=0
>          # RSA authentication with keys from DNS.
>          keylife=8h
>          ikelifetime=8h
>          rekeymargin=1m
>          rekeyfuzz=0%
>          right=xxx.xxx.xxx.xxx <- hidden actual values are in file
>          rightnexthop=xxx.xxx.xxx.xxx <- hidden actual values are in file
>          auth=esp
>          esp=3des-md5-96
>          disablearrivalcheck=no
> 
> 
> conn kilb-tun
>          also=kilbcommon
>          type=tunnel
>          leftsubnet=172.17.18.0/24
>          rightsubnet=10.100.0.0/16
>          auto=add
> 
> conn kilbcommon
>          left=216.12.345.678
>          leftupdown=/usr/local/lib/ipsec/ipsecupdown
>          #
>          authby=secret
>          auth=esp
>          compress=no
>          esp=3des-md5-96
>          pfs=no
> 
[snip]
> Anyone...I'm at a total loss...What's broken?

Jeff, are you sure that the Cisco gear is set to md5?  Specifically, does it
have these lines set for your policy:

isakmp policy <#> hash md5
isakmp policy <#> group 2

I saw the same error as you're seeing very recently because the two sides
did not have matching settings on this.

You might check out this page for some help too (if you haven't seen it):
http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html

You didn't specify what type of Cisco gear you were working with or what
version it is; that might be useful if the above doesn't work.

Regards,

Ryley Breiddal
PresiNET Systems
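
The comparison suggested in this reply (both ends agreeing on the phase 1 hash and DH group) can be scripted; the following is an added example, not part of the original post and not Openswan or Cisco code. It assumes the Openswan side pins its phase 1 proposal with a three-part `ike=` line (the quoted config has none) and the PIX side uses `isakmp policy <#> ...` lines; the sample configs and the function names are constructed for illustration.

```python
import re

# PIX "group N" numbers mapped to the modp names used in Openswan ike= strings.
DH_NAMES = {"1": "modp768", "2": "modp1024", "5": "modp1536"}
HASH_NAMES = {"sha": "sha1"}  # PIX writes "sha", Openswan writes "sha1"
FIELDS = ("encryption", "hash", "group")

def openswan_proposals(conf):
    """Return (encryption, hash, dh) tuples from ike= lines such as ike=3des-md5-modp1024."""
    lines = re.findall(r"^\s*ike\s*=\s*(\S+)", conf, re.M)
    props = [tuple(p.split("-")) for line in lines for p in line.lower().split(",")]
    return [p for p in props if len(p) == 3]

def pix_policies(cfg):
    """Return {policy number: (encryption, hash, dh)}; a field not configured is None."""
    raw = {}
    pat = r"^\s*isakmp policy (\d+) (encryption|hash|group) (\S+)"
    for num, key, val in re.findall(pat, cfg, re.M):
        raw.setdefault(num, {})[key] = val.lower()
    out = {}
    for num, p in raw.items():
        h = p.get("hash")
        out[num] = (p.get("encryption"), HASH_NAMES.get(h, h), DH_NAMES.get(p.get("group")))
    return out

def compare(conf, cfg):
    """For each PIX policy, list the fields that differ from the closest ike= proposal."""
    proposals = openswan_proposals(conf)
    report = {}
    for num, pol in pix_policies(cfg).items():
        diffs = [[f for f, a, b in zip(FIELDS, prop, pol) if a != b] for prop in proposals]
        report[num] = min(diffs, key=len) if diffs else list(FIELDS)
    return report

# Constructed sample input (not taken from the thread).
SAMPLE_CONF = "conn example\n    ike=3des-md5-modp1024\n    esp=3des-md5-96\n"
SAMPLE_PIX = """
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
"""

if __name__ == "__main__":
    print(compare(SAMPLE_CONF, SAMPLE_PIX))  # policy 10 differs in hash, 20 matches
```

An empty list for a policy number means that policy agrees with one of the `ike=` proposals on all three fields; a PIX field the script does not find is reported as a difference rather than assumed to be a default.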



