[Openswan Users] OpenSwan and Cisco. connection fails
lars at hfk-bremen.de
Mon Jul 11 13:56:31 CEST 2005
I have an OpenSwan gateway (based on Debian sarge) that works well when
I am establishing connections to another (similar) Openswan box.
- Openswan was both self-compiled 2.3.1 and Debian's OpenSwan form
The kernel is 2.6.11 with the parameters necessary for IPsec:
Jul 11 10:29:39 localhost ipsec__plutorun: Starting Pluto subsystem...
Jul 11 10:29:39 localhost pluto: Starting Pluto (Openswan Version
2.2.0 X.509-1.5.4 PLUTO_USES_KEYRR)
Jul 11 10:29:39 localhost pluto: including NAT-Traversal patch
(Version 0.6c) [disabled]
Jul 11 10:29:39 localhost pluto: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 11 10:29:39 localhost pluto: Using Linux 2.6 IPsec interface
When trying to build a tunnel between a Cisco 3600 and the OpenSwan box,
the connection always hangs in phase 1 with this error message:
no suitable connection for peer '10.232.254.254'
Jul 11 11:06:47 localhost pluto: "remote" #1: sending encrypted
notification INVALID_ID_INFORMATION to x.x.x.x:500
This happens when a client with the IP 10.232.254.254 sends an
ICMP message to one of our subnet addresses.
- my ipsec.conf is:
version 2.0 # conforms to second version of ipsec.conf specification
# I tried different subnetdeclarations - including rightsubnetwithin -
- the scenario is:
our subnet = 192.168.0.0/24
internal IP: 192.168.0.8
external IP: 10.244.3.3
internal IP: 10.244.3.1
external IP: 22.214.171.124
external IP: x.x.x.x
S-Nat -IP: 10.232.100.240
the remote subnet
= I do not know much about it. Everything should be NATted via
Now a client with 10.232.254.254 situated in the remote subnet tries to
connect to, let's say, 10.244.3.6; our internal router switches this
address to 192.168.0.6.
The tunnel isn't built between the Cisco box and our OpenSwan box.
I have set up another OpenSwan box for testing purposes with the
external IP 126.96.36.199 and an internal SNAT address 10.232.100.240.
With this machine I can build the tunnel and connect from a client, e.g.
10.232.100.5, to 10.244.3.6.
So it should not be a problem with the network structure, the firewall or the like.
The Cisco's admin has tried to set up a test tunnel with Openswan
and his Cisco; he is getting the same error message.
I think it must be something with the routing from the remote client;
my OpenSwan box won't build a connection to the peer with the IP
10.232.254.254. Unfortunately I was not able to find the right settings
in the ipsec.conf. I tried it with rightsubnetwithin, with other
subnet masks - nothing worked :-(
Does anyone have a suggestion...?!
Thanks a lot in advance!