[Openswan Users] OpenSwan and Cisco. connection fails

lars lars at hfk-bremen.de
Mon Jul 11 13:56:31 CEST 2005


I have an OpenSwan Gateway (based on Debian sarge) that works well when 
I am establishing connections to another (similar) openswan-box.

- Openswan was both self-compiled 2.3.1 and Debian's Openswan from 
apt-get (testing).
kernel is a 2.6.11 with the parameters necessary for ipsec:

Jul 11 10:29:39 localhost ipsec__plutorun: Starting Pluto subsystem...
Jul 11 10:29:39 localhost pluto[4052]: Starting Pluto (Openswan Version 
2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jul 11 10:29:39 localhost pluto[4052]:   including NAT-Traversal patch 
(Version 0.6c) [disabled]
Jul 11 10:29:39 localhost pluto[4052]: ike_alg_register_enc(): 
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 11 10:29:39 localhost pluto[4052]: Using Linux 2.6 IPsec interface 

When trying to build a tunnel between a Cisco 3600 and the Openswan box, 
the connection always hangs in phase 1 with this error message:

no suitable connection for peer ''
Jul 11 11:06:47 localhost pluto[5468]: "remote" #1: sending encrypted 
notification INVALID_ID_INFORMATION to x.x.x.x:500

This happens when a client with the IP sends an 
ICMP message to one of our subnet addresses.

- my ipsec.conf is:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
         # klipsdebug=none

conn remote
         # rightsubnetwithin=

# I tried different subnet declarations - including rightsubnetwithin - 
without success


include /etc/ipsec.d/examples/no_oe.conf

- the scenario is:

our subnet 	=


internal IP:
external IP:


internal IP:
external IP:




external IP: x.x.x.x
S-Nat -IP:

the remote subnet

= I do not know much about it. Everything should be NATed via

Now a client with situated in the remote subnet tries to 
connect to, let's say,; our internal router switches this 
address to

The tunnel isn't building between the Cisco box and our Openswan box.

I have set up another Openswan box for testing purposes with the 
external IP and an internal SNAT address

With this machine I can build the tunnel and connect from a client, for 
example, to

So it should not be a problem with the structure, the firewall or the like.

The Cisco's admin has tried to set up a testing tunnel with Openswan 
and his Cisco - he is getting the same error message.

I think it must be something with the routing from the remote client; 
my Openswan box won't build a connection to the peer with the IP
Unfortunately I was not able to find the right settings 
in the ipsec.conf. I tried it with rightsubnetwithin, with other 
subnet masks - nothing worked :-(

Anyone have a suggestion...?!

Thanks a lot in advance!
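Added illustration, not part of the post above and not a verified fix for that setup: a site-to-site conn in Openswan 2.x ipsec.conf syntax with explicit peer IDs and subnets. Pluto logs "no suitable connection for peer '...'" and answers INVALID_ID_INFORMATION in phase 1 when the IKE ID the peer presents (the value in the quotes) matches no loaded conn's right/rightid, so pinning rightid and turning on plutodebug=control to see the offered ID is the first check. x.x.x.x is the Cisco's public address as in the post; every other address and the cipher choices are placeholders that must be replaced by the real values agreed with the Cisco admin.

```ini
# Added example (not from the post): /etc/ipsec.conf for Openswan 2.x.
# x.x.x.x = the Cisco's public IP from the post; all other addresses are
# constructed placeholders.
version 2.0

config setup
        interfaces=%defaultroute
        nat_traversal=no
        # "control" shows which ID the peer offered and which conn was tried.
        # Set back to none once the tunnel is up; it is verbose.
        plutodebug=control
        klipsdebug=none

conn cisco-site
        type=tunnel
        keyexchange=ike
        # Pre-shared key; the matching line lives in /etc/ipsec.secrets as
        #   198.51.100.10 x.x.x.x : PSK "<placeholder>"
        authby=secret
        # Placeholders: must equal the Cisco's "crypto isakmp policy"
        # (encryption, hash, DH group) and its IPsec transform-set.
        ike=3des-md5-modp1024
        esp=3des-md5
        pfs=no
        # left = this Openswan gateway
        left=%defaultroute
        # placeholder: our public IP, sent as our IKE ID
        leftid=198.51.100.10
        # placeholder: our internal subnet behind the gateway
        leftsubnet=10.10.0.0/24
        # right = the Cisco. rightid must equal the ID the Cisco sends in
        # phase 1 (IOS sends its IP address unless configured otherwise).
        # If it differs, Pluto logs "no suitable connection for peer" and
        # replies INVALID_ID_INFORMATION, exactly the symptom in the post.
        right=x.x.x.x
        rightid=x.x.x.x
        # placeholder: the remote subnet as it appears after the
        # Cisco side's NAT; this must match the Cisco's crypto ACL.
        rightsubnet=192.0.2.0/24
        # add = load the conn and wait for the Cisco to initiate
        auto=add

include /etc/ipsec.d/examples/no_oe.conf
```

After `ipsec auto --add cisco-site`, `ipsec auto --status` lists the loaded conn with its IDs, which is what the offered peer ID in the log must match.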
