[Openswan Users] Openswan - Cisco IOS router - Preshared keys

Ahmed Benallegue Ahmed.Benallegue at ecmwf.int
Mon Jun 13 16:50:14 CEST 2005


Thanks Paul and Prasanna, it looks much better now. I use either 
solution according to whether the box has been rebooted and Pluto's state.

I face now another problem, which I guess is related to my preshared 
keys configuration.
/etc/ipsec.secrets file contains:
# Preshared Key used for the connection with the cisco router
%any 10.0.0.1: PSK "#######"

In /var/log/messages file:
Jun 13 14:44:18 wan4 pluto[4755]: "cisco" #17: initiating Main Mode
Jun 13 14:44:18 wan4 pluto[4755]: "cisco" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: received Vendor ID payload [Cisco-Unity]
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: received Vendor ID payload [Dead Peer Detection]
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: ignoring unknown Vendor ID payload [df6af52074adfe316642d026f4a5899d]
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: received Vendor ID payload [XAUTH]
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: I did not send a certificate because I do not have one.
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: Informational Exchange message is invalid because it has a Message ID of 0
Jun 13 14:44:29 wan4 pluto[4755]: "cisco" #17: Informational Exchange message is invalid because it has a Message ID of 0
Jun 13 14:44:32 wan4 pluto[4755]: "cisco": terminating SAs using this connection
Jun 13 14:44:32 wan4 pluto[4755]: "cisco" #17: deleting state (STATE_MAIN_I3)

Cisco's logs:
Jun 13 14:48:17 GMT: ISAKMP (0:3): Old State = IKE_R_MM3  New State = IKE_R_MM4
Jun 13 14:48:17 GMT: ISAKMP (0:3): received packet from 10.0.0.1 dport 500 sport 500 Global (R) MM_KEY_EXCH
Jun 13 14:48:17 GMT: ISAKMP: reserved not zero on ID payload!
Jun 13 14:48:17 GMT: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 10.0.0.1 failed its sanity check or is malformed

Any idea?

Thanks

Ahmed

Prasanna Harpanhalli wrote:

>
>
> Paul Wouters wrote:
>
>> On Tue, 7 Jun 2005, Ahmed Benallegue wrote:
>>
>>>   # basic configuration
>>>   config setup
>>>           interfaces=%defaultroute
>>>
>>>   conn %default
>>>           authby=secret
>>>           left=10.0.0.1
>>>           leftsubnet=10.0.0.1/32
>>>           leftnexthop=%defaultroute
>>>           keyexchange=ike
>>>           ike=3des-sha-modp1024
>>>
>>>   conn cisco
>>>           right=10.0.0.2
>>>           rightsubnet=10.0.0.2/32
>>>           rightnexthop=%defaultroute
>>>           auto=add
>>
>>
>>> BUT: I have the following error message: "021 no connection named 
>>> "cisco"".
>>
>>
>> Seems your conn does not load. Try 'ipsec auto --add cisco' and see what
>> error you get.
>>
>> Paul
>> _______________________________________________
>
> Hi Ahmed,
> Also try changing the "auto=add" entry to "auto=start"
> then /sbin/service/ipsec restart
>
> hth,
> Prasanna.
>
>_______________________________________________
>Users mailing list
>Users at openswan.org
>http://lists.openswan.org/mailman/listinfo/users
>  
>

-- 
++------------------++--------------------------------++
++------------------++--------------------------------++
|| Ahmed Benallegue || Network Analyst                ||
|| ECMWF            || e-mail: a.benallegue at ecmwf.int ||
|| Shinfield Park   || Tel:    (+44 118) 9499701      ||
|| Reading RG2 9AX  || Fax:    (+44 118) 9869450      ||
|| United Kingdom   ||                                ||
++------------------++--------------------------------++
++------------------++--------------------------------++
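The failure pattern in the logs above (the initiator's SA dying in STATE_MAIN_I3 after a couple of Informational messages, while the router rejects the ID payload) is worth recognising automatically, because STATE_MAIN_I3 is the point at which the initiator has already sent its identity and PSK-based HASH (Main Mode message 5) and is waiting for the responder to accept them. The script below is an added example written for this page, not Openswan's code or the poster's; it assumes the pluto 2.x syslog format quoted in the thread, uses constructed sample lines (a second, successful "hq" negotiation is included for contrast), and the diagnostic hints are general IKEv1 Main Mode knowledge rather than anything taken from the thread.

```python
"""Summarise IKEv1 Main Mode negotiations from pluto (Openswan) syslog lines.

Added example, not Openswan code. Parses per-SA state transitions and
reports which Main Mode reply each failed negotiation was waiting for.
"""
import re

# Constructed sample lines modelled on the pluto output quoted in the thread
# (not output from a real system). "hq" #18 is a made-up successful peer.
SAMPLE_LOG = """\
Jun 13 14:44:18 wan4 pluto[4755]: "cisco" #17: initiating Main Mode
Jun 13 14:44:18 wan4 pluto[4755]: "cisco" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: received Vendor ID payload [Cisco-Unity]
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: I did not send a certificate because I do not have one.
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 13 14:44:19 wan4 pluto[4755]: "cisco" #17: Informational Exchange message is invalid because it has a Message ID of 0
Jun 13 14:44:29 wan4 pluto[4755]: "cisco" #17: Informational Exchange message is invalid because it has a Message ID of 0
Jun 13 14:44:32 wan4 pluto[4755]: "cisco": terminating SAs using this connection
Jun 13 14:44:32 wan4 pluto[4755]: "cisco" #17: deleting state (STATE_MAIN_I3)
Jun 13 15:01:02 wan4 pluto[4755]: "hq" #18: initiating Main Mode
Jun 13 15:01:02 wan4 pluto[4755]: "hq" #18: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 13 15:01:03 wan4 pluto[4755]: "hq" #18: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 13 15:01:03 wan4 pluto[4755]: "hq" #18: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 13 15:01:03 wan4 pluto[4755]: "hq" #18: STATE_MAIN_I4: ISAKMP SA established
"""

# pluto line: <syslog ts> <host> pluto[<pid>]: "<conn>" #<sa>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
DELETE_RE = re.compile(r'deleting state \((\S+)\)')

# Initiator-side Main Mode states: which reply was outstanding when the SA
# died, and what that usually points at. In STATE_MAIN_I3 the initiator has
# already sent ID + HASH (MM5), so the responder rejected the identity or the
# pre-shared-key based authentication.
PHASE1_HINTS = {
    "STATE_MAIN_I1": "no MM2 reply: peer unreachable, UDP/500 filtered, or IKE proposal mismatch",
    "STATE_MAIN_I2": "no MM4 reply: key exchange (DH group / nonce) not answered",
    "STATE_MAIN_I3": "no MM6 reply: ID/HASH rejected, check the PSK and the IKE identities on both sides",
}


def parse_sas(log_text):
    """Return {(conn, sa): record} describing what each ISAKMP SA did."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("sa") is None:
            continue  # not a pluto line, or a connection-level message with no SA number
        key = (m.group("conn"), m.group("sa"))
        rec = sas.setdefault(key, {
            "conn": key[0], "sa": key[1], "first_seen": m.group("ts"),
            "last_state": None, "notify_count": 0,
            "deleted": False, "established": False,
        })
        msg = m.group("msg")
        transition = TRANSITION_RE.search(msg)
        deleted = DELETE_RE.search(msg)
        if msg.startswith("initiating Main Mode"):
            rec["last_state"] = "STATE_MAIN_I1"
        elif transition:
            rec["last_state"] = transition.group(2)
        elif "Informational Exchange message is invalid" in msg:
            rec["notify_count"] += 1  # unencrypted notify from the peer while we wait
        elif deleted:
            rec["deleted"] = True
            rec["last_state"] = deleted.group(1)
        elif "ISAKMP SA established" in msg:
            rec["established"] = True
    return sas


def summarise(log_text):
    """One row per ISAKMP SA: outcome plus a hint for failed Phase 1 attempts."""
    rows = []
    for rec in parse_sas(log_text).values():
        if rec["established"]:
            outcome, hint = "established", ""
        elif rec["deleted"]:
            outcome = "failed"
            hint = PHASE1_HINTS.get(rec["last_state"], "deleted in state %s" % rec["last_state"])
        else:
            outcome, hint = "in progress", ""
        rows.append({"conn": rec["conn"], "sa": rec["sa"], "outcome": outcome,
                     "last_state": rec["last_state"],
                     "notify_count": rec["notify_count"], "hint": hint})
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG):
        print("%(conn)s #%(sa)s: %(outcome)s (last state %(last_state)s, "
              "%(notify_count)d informational msgs) %(hint)s" % row)
```

Run it against /var/log/messages (`summarise(open("/var/log/messages").read())`) to get one line per ISAKMP SA; the "cisco" row in the sample comes out as failed in STATE_MAIN_I3 with two informational messages, which is the point to start comparing the PSK and the IDs each side presents, whereas "hq" is reported as established.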
