[Openswan Users] Problem connecting Openswan to Cisco Pix 515

Chris Godfrey chris.godfrey at hanston.co.uk
Mon Jul 11 18:19:15 CEST 2005

This is my first post so go easy on me!

We are currently experiencing problems getting a VPN tunnel established,
due to the following error;

"protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0"

Have done lots of googling and it seems that this is due to Cisco not
adhering to the RFCs on what payloads can be accepted. I have also read
that the developers of Openswan are not willing to make allowances for
this since it would be deviating from the RFCs. Fair enough, but there
must be a way around this somehow.

I know I'm not the first person to experience this problem, yet the
fixes I have tried so far haven't worked, so I'm wondering if there's
anything else that can be done. Right now getting the other side to
patch up their pix is not an option, but they are up to version 6.31
anyway which I'm lead to believe is quite recent.

I have tried setting nat_traversal=yes in ipsec.conf but this didn't
work. Some threads I read suggested using proto

I've also tried playing around with the 'rightprotoport=17/%any' values
in ipsec.conf but got nothing good so far, either my syntax is picked up
as wrong, it tells me I can't use wildcards to start a connection, or I
get the same error message reported above.

We're using Openswan 2.1.5 on the 2.4.28 kernel.

One thread I saw suggested altering the code of openswan to force it to
accept 17/0. I'm a total linux newbie and I'm not confident that I could
modify + recompile the code without causing some kind of horrific
trainwreck on my currently functioning connections.

Please can someone help me, my brain is actually hurting after spending
a day wading through wiki pages, ancient email threads and long-dead
pages in google's cache...


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Paul Wouters
Sent: 11 July 2005 14:06
To: Jacques Valot
Cc: users at openswan.org
Subject: Re: [Openswan Users] How to see the outgoing decrypted packets
with kernel 2.6 ?

On Mon, 11 Jul 2005, Jacques Valot wrote:

> My first question is :
> How to use klips module automaticaly after a reboot of the system ?

You might be able to tweak this using /etc/modprobe.conf? Or else you
can delete the netkey modules. Openswan does not rmmod netkey modules.

> 2.)
> For 2.3.0 version, I think KLIPS for 2.6 was experimental.
> Is the same thing for 2.3.1 version and could you tellme if it's a 
> problem ?

AFAIK, there are still problems. If using a kernel.org linux kernel, you
will have the best result. Vendor kernels often have patches that might
clash. For instance, all redhat kernels crash with klips currently.

Users mailing list
Users at openswan.org http://lists.openswan.org/mailman/listinfo/users

More information about the Users mailing list