[Openswan Users] OpenSwan and Cisco. connection fails

Mon Jul 11 13:56:31 CEST 2005

Hi,

I have an OpenSwan Gateway (based on Debian sarge) that works well when 
I am establishing connections to another (similar) openswan-box.

- Openswan was both self compiled 2.3.1 and Debians OpenSwan form 
apt-get (testing).
kernel is a 2.6.11 with the parameters necessary for ipsec:

Jul 11 10:29:39 localhost ipsec__plutorun: Starting Pluto subsystem...
Jul 11 10:29:39 localhost pluto[4052]: Starting Pluto (Openswan Version 
2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jul 11 10:29:39 localhost pluto[4052]:   including NAT-Traversal patch 
(Version 0.6c) [disabled]
Jul 11 10:29:39 localhost pluto[4052]: ike_alg_register_enc(): 
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 11 10:29:39 localhost pluto[4052]: Using Linux 2.6 IPsec interface 
code

When trying to build a tunnel between a cisco 3600 and the OpenSwanbox 
the connections always hangs in phase 1 with this errormessage:

no suitable connection for peer '10.232.254.254'
Jul 11 11:06:47 localhost pluto[5468]: "remote" #1: sending encrypted 
notification INVALID_ID_INFORMATION to x.x.x.x:500

this happens when a client with the IP 10.232.254.254 sets an 
icmp-message to one of our subnetadresses.

- my ipsec.conf is:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
         # klipsdebug=none
         #plutodebug="all"
         plutodebug="none"

conn remote
         left=1.2.3.4
         leftsubnet=10.244.3.0/28
         right=x.x.x.x
         # rightsubnetwithin=10.232.100.240

# I tried different subnetdeclarations - including rightsubnetwithin - 
without success

         rightsubnet=10.232.100.0/24
         authby=secret
         pfs=no
         auto=add

include /etc/ipsec.d/examples/no_oe.conf

- the szenario is:

our subnet 	=	192.168.0.0/24

||
\/

router:
internal IP: 192.168.0.8
external IP: 10.244.3.3

||
\/

OpenSwan-Gateway:
internal IP: 10.244.3.1
external IP: 1.2.3.4

||
\/

Internet

||
\/

Cisco-PIX:
external IP: x.x.x.x
S-Nat -IP: 10.232.100.240

the remote subnet

= I don not know much about it. everything should be natted via 
10.232.100.240

now a client with 10.232.254.254 situated in the remote subnet tries to 
connect to, let´s say, 10.244.3.6; our internal router switches this 
address to 192.168.0.6.

the tunnel isnt building between the cisco-box and our openswan-box.

I have sat up another openswan-box for testing proposal with the 
external IP 1.2.3.5 and an internal SNAT-address 10.232.100.240.

with this machine I can build the tunnel and connect from a client f. 
ex. 10.232.100.5 to 10.244.3.6.

so it should not be a problem of the structure, the firewall or so.

the cisco´s admin has tried to set up a testing tunnel with openswan 
and his cisco - he is getting the same error message.

I think it must be something with the routing from the remote client; 
my openswan-box won´t build a connection to the peer with the IP 
10.232.254.254. I was unfortunately not able to find the right settings 
in the ipsec.conf. I tried it with rightsubnetwithin, with other 
subnetmasks - nothing worked :-(

anyone a suggest...?!

thanx a lot in advance!

greetings

lars