[Openswan Users] Problem connecting Openswan to Cisco Pix 515

Paul Wouters paul at xelerance.com
Mon Jul 11 20:59:11 CEST 2005

On Mon, 11 Jul 2005, Chris Godfrey wrote:

> "protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0"
> Have done lots of googling and it seems that this is due to Cisco not
> adhering to the RFCs on what payloads can be accepted. I have also read
> that the developers of Openswan are not willing to make allowances for
> this since it would be deviating from the RFCs. Fair enough, but there
> must be a way around this somehow.

You must be running an old version of Openswan.

> I've also tried playing around with the 'rightprotoport=17/%any' values
> in ipsec.conf but got nothing good so far, either my syntax is picked up
> as wrong, it tells me I can't use wildcards to start a connection, or I
> get the same error message reported above.

That means your version of openswan is too old.

> We're using Openswan 2.1.5 on the 2.4.28 kernel.

Please upgrade to openswan-2.3.x and use rightprotoport=17/%any


More information about the Users mailing list