[Openswan Users] Connecting RH9 <-> Cisco

Oliver Schulze L. oliver at samera.com.py
Sat Nov 5 02:40:50 CET 2005


Hi Paul,
here are the results:

Paul Wouters wrote:

>That's not really complete information.
>
>- Perfect Forward Secrecy (PFS): Yes or no?
>  
>
no

>- DH group : 2 or 5 ?
>  
>
2

>- Mode: Main or Aggressive?
>  
>
Main

>- XAUTH/ModeConfig? Yes or No?
>  
>
ModeConfig

>But you can try adding:
>
>	ike=3des-sha1
>	esp=3des-sha1
>	pfs=no (should accept yes too)
>	#aggrmode=yes
>
>Try with and without aggrmode.
>
>Paul
>  
>
With aggressive mode, here is the output:

ipsec auto --verbose --up ipsec01
002 "ipsec01" #1587: initiating Main Mode
104 "ipsec01" #1587: STATE_MAIN_I1: initiate
002 "ipsec01" #1587: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "ipsec01" #1587: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ipsec01" #1587: received Vendor ID payload [Cisco-Unity]
003 "ipsec01" #1587: received Vendor ID payload [Dead Peer Detection]
003 "ipsec01" #1587: ignoring unknown Vendor ID payload [56e1df657ba6c134da7f5ed33ba2851c]
003 "ipsec01" #1587: received Vendor ID payload [XAUTH]
002 "ipsec01" #1587: I did not send a certificate because I do not have one.
002 "ipsec01" #1587: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "ipsec01" #1587: STATE_MAIN_I3: sent MI3, expecting MR3
002 "ipsec01" #1587: Main mode peer ID is ID_IPV4_ADDR: '10.200.200.2'
002 "ipsec01" #1587: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1587}
117 "ipsec01" #1588: STATE_QUICK_I1: initiate
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 40s for response

I also have No OE before my conn setup:
include /etc/ipsec.d/examples/no_oe.conf

Without aggressive mode, it does not work either.
I think that the problem is that the Cisco is only "sharing" 1 IP of the rightsubnet.
Should I change the rightsubnet from a /24 net to a /32 host in order for this config to work?

Thanks for the support Paul,
Regards
Oliver

-- 
Oliver Schulze L.
<oliver at samera.com.py>
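Added example, not part of the thread: a small analyser for the "ipsec auto --up" output above. It reads what Phase 1 actually negotiated (the pasted log shows group=modp1536, which is IKE DH group 5, not group 2), and flags a Quick Mode exchange that keeps retransmitting in STATE_QUICK_I1 with no reply, the pattern a Phase 2 mismatch (ESP transform, PFS, or subnet selectors such as rightsubnet) produces. The sample log is a constructed, abridged copy of the lines on the page.

```python
import re

# Constructed sample: abridged copy of the pluto output quoted above.
SAMPLE_LOG = """\
002 "ipsec01" #1587: initiating Main Mode
004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1587}
117 "ipsec01" #1588: STATE_QUICK_I1: initiate
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 40s for response
"""

# MODP size as printed by pluto -> IKE DH group number (RFC 2409 / RFC 3526).
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

SA_RE = re.compile(r"ISAKMP SA established \{(?P<params>[^}]*)\}")
RETRANS_RE = re.compile(r"#(?P<sa>\d+): (?P<state>STATE_\w+): retransmission")


def analyse(log):
    """Extract the Phase 1 parameters and any Phase 2 retransmission stall."""
    result = {"phase1": None, "phase2_stalled_at": None, "retransmissions": 0}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if m:
            # "auth=... cipher=... prf=... group=..." -> dict
            params = dict(kv.split("=", 1) for kv in m.group("params").split())
            params["dh_group"] = MODP_TO_GROUP.get(params.get("group"))
            result["phase1"] = params
        m = RETRANS_RE.search(line)
        if m:
            result["retransmissions"] += 1
            result["phase2_stalled_at"] = m.group("state")
    return result


def diagnose(result):
    """Turn the parsed result into human-readable findings."""
    findings = []
    p1 = result["phase1"]
    if p1 is None:
        findings.append("Phase 1 never completed: check IKE proposal, PSK and peer ID")
        return findings
    findings.append(f"Phase 1 ok: DH group {p1['dh_group']} ({p1['group']}), "
                    f"{p1['cipher']}, {p1['prf']}")
    if result["phase2_stalled_at"] == "STATE_QUICK_I1" and result["retransmissions"]:
        findings.append("Phase 2 stalled in STATE_QUICK_I1 with no reply: the peer did not "
                        "accept the Quick Mode proposal; compare ESP transform, PFS setting "
                        "and subnet selectors (leftsubnet/rightsubnet) with the peer's policy")
    return findings
```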
