[Openswan Users] CISCO heartburn
Lorens Kockum
openswan-users-254 at lists.lorens.org
Sun Jan 30 14:57:04 CET 2005
On Sat, Jan 29, 2005 at 05:33:59PM +0100, Paul Wouters wrote:
> On Fri, 28 Jan 2005, Jeff Herring wrote:
>
> >I've updated to 2.3 / patched a 2.4.29 kernel / I have 30 tunnels working
> >except 2
> >that both have Cisco equipment and this error when connecting...Other
> >Cisco equipment works
> >Other none cisco stuff works...
> >
> >protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
> >
> >I've tried...leftprotoport=17/500 & rightprotoport=17/500 with no luck...
>
> Try leftprotoport=17/0 or 17/%any (one of the two was a workaround, the
> other is the
> real solution, but I forgot which is which :)
Sorry, but no. Maybe this worked in Openswan 1, but not in 2.2
or 2.3, as I said earlier this week on this list in two messages
entitled
Re: [Openswan Users] incomplete ISAKMP SA ...
Since nobody replied to my first message, I delved into the
source, and after inspecting the place where the error is
generated at the beginning of function decode_peer_id in
openswan-2/programs/pluto/ipsec_doi.c, and comparing the code
in openswan 1 and 2, I concluded that it is necessary and
sufficient to define nat_traversal=yes in the config setup.
I did this, as I said I would in my second message, and had no
further problems.
I did not need leftprotoport or rightprotoport; my tunnel to the
PIX goes up and transports packets using only

    type=tunnel
    authby=secret
    left=xxxx
    leftsubnet=xxxx
    right=xxxx
    rightsubnet=xxxx
    auto=start
Maybe needing nat_traversal=yes is justified because of NAT
being set up on the Cisco end?
--
#include <std_disclaim.h> Lorens Kockum
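As an added illustration (not the poster's own file and not part of the original thread), here is a complete Openswan 2 ipsec.conf laid out the way the message describes: nat_traversal=yes lives in the config setup section, while the conn carries only the options listed above. The connection name, addresses and subnets are placeholders.

```conf
# /etc/ipsec.conf -- example added here, not the original poster's configuration
version 2.0

config setup
    interfaces=%defaultroute
    # The message reports that this single setting is what lets pluto accept a
    # Cisco/PIX peer whose Phase 1 ID payload carries protocol/port 17/0;
    # without it the negotiation fails with
    # "protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0"
    nat_traversal=yes

# placeholder connection name
conn pix-tunnel
    type=tunnel
    authby=secret
    # placeholder: our public address
    left=192.0.2.1
    # placeholder: the network we protect
    leftsubnet=10.1.0.0/16
    # placeholder: the PIX public address
    right=198.51.100.1
    # placeholder: the network behind the PIX
    rightsubnet=10.2.0.0/16
    auto=start
```

With authby=secret the pre-shared key is read from /etc/ipsec.secrets, keyed on the two endpoint addresses, in the form `192.0.2.1 198.51.100.1 : PSK "..."`. Note that nat_traversal=yes is a global setting in config setup, not a per-conn option, which is why it is not found among the conn lines in the message.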