[Openswan Users] CISCO heartburn
Ted Kaczmarek
tedkaz at optonline.net
Sat Jan 29 07:40:29 CET 2005
On Fri, 2005-01-28 at 16:21 -0800, Ryley Breiddal wrote:
> Jeff Herring wrote:
> [snip]
> > # defaults for subsequent connection descriptions
> > conn %default
> > # How persistent to be in (re)keying negotiations (0 means very).
> > keyingtries=0
> > # RSA authentication with keys from DNS.
> > keylife=8h
> > ikelifetime=8h
> > rekeymargin=1m
> > rekeyfuzz=0%
> > right=xxx.xxx.xxx.xxx <- hidden actual values are in file
> > rightnexthop=xxx.xxx.xxx.xxx <- hidden actual values are in file
> > auth=esp
> > esp=3des-md5-96
> > disablearrivalcheck=no
> >
> >
> > conn kilb-tun
> > also=kilbcommon
> > type=tunnel
> > leftsubnet=172.17.18.0/24
> > rightsubnet=10.100.0.0/16
> > auto=add
> >
> > conn kilbcommon
> > left=216.12.345.678
> > leftupdown=/usr/local/lib/ipsec/ipsecupdown
> > #
> > authby=secret
> > auth=esp
> > compress=no
> > esp=3des-md5-96
> > pfs=no
> >
> [snip]
> > Anyone...I'm at a total loss...What's broken?
>
> Jeff, are you sure that the Cisco gear is set to md5? Specifically, does it
> have these lines set for your policy:
>
> isakmp policy <#> hash md5
> isakmp policy <#> group 2
>
> I saw the same error as you're seeing very recently because the two sides
> did not have matching settings on this.
>
> You might check out this page for some help too (if you haven't seen it):
> http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html
>
> You didn't specify what type of Cisco gear you were working with or what
> version it is, that might be useful if the above doesn't work.
>
> Regards,
>
> Ryley Breiddal
> PresiNET Systems
>
Also try setting no xauth and no config mode in the Cisco,
Ted
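For readers hitting the same mismatch, here is what the two suggestions above look like when written out side by side: the Openswan conn pinned to one explicit IKE proposal, and a Cisco PIX policy that matches it term for term. This is an added illustration, not config from Jeff, Ryley, Ted or the Openswan project. It assumes PIX 6.3 syntax (the isakmp key ... no-xauth no-config-mode form), and the names kilbset, kilbmap, PEER_IP and OPENSWAN_IP are placeholders; Jeff's real addresses were hidden in his post and are not reconstructed here.

```text
### Openswan side (ipsec.conf) - pin the IKE proposal instead of relying on defaults
conn kilb-tun
    left=OPENSWAN_IP                 # public address of the Openswan box
    leftsubnet=172.17.18.0/24
    right=PEER_IP                    # PIX outside interface
    rightsubnet=10.100.0.0/16
    authby=secret
    ike=3des-md5-modp1024            # == isakmp policy: encryption 3des / hash md5 / group 2
    ikelifetime=8h                   # == isakmp policy lifetime 28800 (seconds)
    esp=3des-md5-96                  # == transform-set esp-3des esp-md5-hmac
    keylife=8h                       # == security-association lifetime seconds 28800
    pfs=no                           # == no "set pfs" in the crypto map entry
    auto=add

### Openswan side (ipsec.secrets)
OPENSWAN_IP PEER_IP : PSK "same-secret-as-the-pix"

### Cisco PIX 6.3 side - each line pairs with the Openswan setting named above
isakmp enable outside
isakmp policy 10 authentication pre-share     # authby=secret
isakmp policy 10 encryption 3des              # ike=3des-...
isakmp policy 10 hash md5                     # ike=...-md5-...
isakmp policy 10 group 2                      # ike=...-modp1024
isakmp policy 10 lifetime 28800               # ikelifetime=8h
! no-xauth / no-config-mode: Ted's suggestion, so the PIX treats this peer as a
! plain site-to-site tunnel instead of a remote-access client
isakmp key same-secret-as-the-pix address OPENSWAN_IP netmask 255.255.255.255 no-xauth no-config-mode
access-list kilb permit ip 10.100.0.0 255.255.0.0 172.17.18.0 255.255.255.0
crypto ipsec transform-set kilbset esp-3des esp-md5-hmac   # esp=3des-md5-96
crypto map kilbmap 10 ipsec-isakmp
crypto map kilbmap 10 match address kilb
crypto map kilbmap 10 set peer OPENSWAN_IP
crypto map kilbmap 10 set transform-set kilbset
crypto map kilbmap 10 set security-association lifetime seconds 28800   # keylife=8h
crypto map kilbmap interface outside
sysopt connection permit-ipsec
```

The point of spelling out the ike= line is that Jeff's posted conn has none, so Openswan offers its default proposal list and the PIX only answers if one of those happens to line up with its configured policy; with both sides pinned, a remaining "no proposal chosen" style failure can only come from the one line that still differs.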