[Openswan Users] Problem connecting Openswan to Cisco Pix 515

Chris Godfrey chris.godfrey at hanston.co.uk
Wed Jul 13 10:55:17 CEST 2005


Thanks for the reply. I would love to upgrade but unfortunately the
machine is running fedora core 1, and I've not received permission to
take it down for the amount of time I'd need to upgrade the OS and
Openswan.

One of our guys here hacked the source of ipsec_doi.c in freeswan when
this problem cropped up before; he's suggested I give this a try as a
temporary measure. I'm going to attempt this, and if/when it fails (such
optimism!) I will justify the downtime to perform a proper upgrade.

Thanks again Paul for the quick reply, and thanks also to Jacco for
taking the time to help out.


Chris

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: 11 July 2005 18:59
To: Chris Godfrey
Cc: users at openswan.org
Subject: Re: [Openswan Users] Problem connecting Openswan to Cisco Pix 515


On Mon, 11 Jul 2005, Chris Godfrey wrote:

> "protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 
> 17/0"
>
> Have done lots of googling and it seems that this is due to Cisco not 
> adhering to the RFCs on what payloads can be accepted. I have also 
> read that the developers of Openswan are not willing to make 
> allowances for this since it would be deviating from the RFCs. Fair 
> enough, but there must be a way around this somehow.

You must be running an old version of Openswan.

> I've also tried playing around with the 'rightprotoport=17/%any' 
> values in ipsec.conf but got nothing good so far, either my syntax is 
> picked up as wrong, it tells me I can't use wildcards to start a 
> connection, or I get the same error message reported above.

That means your version of openswan is too old.

> We're using Openswan 2.1.5 on the 2.4.28 kernel.

Please upgrade to openswan-2.3.x and use rightprotoport=17/%any

Paul
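The check behind the quoted error, as an added example that is not Openswan or FreeS/WAN code: a decoder for the ISAKMP Identification payload (RFC 2407 section 4.6.2) and the strict "0/0 or 17/500" rule, plus a relaxed variant that stands in for what rightprotoport=17/%any is assumed to permit (UDP with port 0, as the PIX sends). The function names and the sample payloads are constructed for this example.

```python
import struct

# Constants from RFC 2407 (IPsec DOI): ID_IPV4_ADDR, UDP, and the IKE port.
ID_IPV4_ADDR = 1
IPPROTO_UDP = 17
IKE_PORT = 500


def parse_id_payload(data: bytes) -> dict:
    """Decode an ISAKMP ID payload: generic header (next payload, reserved,
    length), then ID type, protocol ID, port and the identification data."""
    if len(data) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    next_payload, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError(f"length field {length} does not match {len(data)} bytes supplied")
    return {"next_payload": next_payload, "id_type": id_type,
            "proto": proto, "port": port, "id_data": data[8:]}


def phase1_protoport_ok(proto: int, port: int, allow_any_port: bool = False) -> bool:
    """Strict rule from the error message: protocol/port must be 0/0 or 17/500.
    allow_any_port models (assumption) the %any port wildcard of newer Openswan,
    under which a peer that sends 17/0 is tolerated as well."""
    if (proto, port) in ((0, 0), (IPPROTO_UDP, IKE_PORT)):
        return True
    return allow_any_port and proto == IPPROTO_UDP and port == 0


def check_phase1_id(data: bytes, allow_any_port: bool = False) -> str:
    """Return 'ok' or the same diagnostic text the mailing-list post quotes."""
    p = parse_id_payload(data)
    if phase1_protoport_ok(p["proto"], p["port"], allow_any_port):
        return "ok"
    return ("protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 "
            f"but are {p['proto']}/{p['port']}")


def build_id_payload(id_type: int, proto: int, port: int, id_data: bytes,
                     next_payload: int = 0) -> bytes:
    """Encode an ID payload; used here to construct sample peer identities."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(id_data), id_type, proto, port) + id_data


if __name__ == "__main__":
    # Constructed sample: a PIX-style identity carrying UDP with port 0.
    pix_id = build_id_payload(ID_IPV4_ADDR, IPPROTO_UDP, 0, bytes([192, 0, 2, 1]))
    print(check_phase1_id(pix_id))                       # strict: rejected
    print(check_phase1_id(pix_id, allow_any_port=True))  # with %any: ok
```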
