[Openswan Users] Connecting RH9 <-> Cisco
Oliver Schulze L.
oliver at samera.com.py
Sat Nov 5 02:40:50 CET 2005
Hi Paul,
here are the results:
Paul Wouters wrote:
>That's not really complete information.
>
>- Perfect Forward Secrecy (PFS): Yes or no?
>
>
no
>- DH group : 2 or 5 ?
>
>
2
>- Mode: Main or Aggressive?
>
>
Main
>- XAUTH/ModeConfig? Yes or No?
>
>
ModeConfig
>But you can try adding:
>
> ike=3des-sha1
> esp=3des-sha1
> pfs=no (should accept yes too)
> #aggrmode=yes
>
>Try with and without aggrmode.
>
>Paul
>
>
With aggressive mode, here is the output:
ipsec auto --verbose --up ipsec01
002 "ipsec01" #1587: initiating Main Mode
104 "ipsec01" #1587: STATE_MAIN_I1: initiate
002 "ipsec01" #1587: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "ipsec01" #1587: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ipsec01" #1587: received Vendor ID payload [Cisco-Unity]
003 "ipsec01" #1587: received Vendor ID payload [Dead Peer Detection]
003 "ipsec01" #1587: ignoring unknown Vendor ID payload [56e1df657ba6c134da7f5ed33ba2851c]
003 "ipsec01" #1587: received Vendor ID payload [XAUTH]
002 "ipsec01" #1587: I did not send a certificate because I do not have one.
002 "ipsec01" #1587: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "ipsec01" #1587: STATE_MAIN_I3: sent MI3, expecting MR3
002 "ipsec01" #1587: Main mode peer ID is ID_IPV4_ADDR: '10.200.200.2'
002 "ipsec01" #1587: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1587}
117 "ipsec01" #1588: STATE_QUICK_I1: initiate
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 40s for response
I also have No OE before my conn setup:
include /etc/ipsec.d/examples/no_oe.conf
Without aggressive mode, it does not work either.
I think that the problem is that the Cisco is only "sharing" 1 IP of the
rightsubnet.
Should I change the rightsubnet from a /24 net to a /32 host in order for this config to work?
Thanks for the support Paul,
Regards
Oliver
--
Oliver Schulze L.
<oliver at samera.com.py>
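Added example, not part of the thread or of Openswan itself: a small Python parser for `ipsec auto --up` output like the one posted above. It tracks each SA number's state transitions and retransmissions and reports which phase hung, which is the first thing to establish when a Cisco peer stops answering (here: phase 1 completed, phase 2 never got a reply). The sample log lines are constructed from the output in the message.

```python
import re
# Constructed sample: the key lines of the pluto output posted in the thread.
SAMPLE_LOG = """\
002 "ipsec01" #1587: initiating Main Mode
104 "ipsec01" #1587: STATE_MAIN_I1: initiate
002 "ipsec01" #1587: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
002 "ipsec01" #1587: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
002 "ipsec01" #1587: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "ipsec01" #1587: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "ipsec01" #1588: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1587}
117 "ipsec01" #1588: STATE_QUICK_I1: initiate
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ipsec01" #1588: STATE_QUICK_I1: retransmission; will wait 40s for response
"""
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')   # code "conn" #sa: message
STATE_RE = re.compile(r'STATE_[A-Z0-9_]+')

def analyse(log_text):
    """Per SA number: last state seen, retransmit count, and whether it was established."""
    sas = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a pluto status line
        _code, conn, sa, msg = m.groups()
        info = sas.setdefault(int(sa), {"conn": conn, "state": None,
                                        "retransmits": 0, "established": False})
        states = STATE_RE.findall(msg)
        if states:
            info["state"] = states[-1]    # "transition ... to state X" -> X
        if "retransmission" in msg:
            info["retransmits"] += 1
        if "SA established" in msg:       # matches both "ISAKMP SA" and "IPsec SA"
            info["established"] = True
    return sas

def verdict(sas):
    """Name the phase where the negotiation hung, or 'up' if nothing is retransmitting."""
    stalled = {sa: i for sa, i in sas.items() if i["retransmits"] and not i["established"]}
    if not stalled:
        return "up"
    sa = max(stalled)                     # the newest SA is the one that hung
    i = stalled[sa]
    phase = 2 if (i["state"] or "").startswith("STATE_QUICK") else 1
    if phase == 2 and any(o["established"] for o in sas.values()):
        note = "phase 1 completed (PSK and ike= accepted); peer is not answering the Quick Mode proposal, so check esp= and the subnets"
    else:
        note = "peer never completed the ISAKMP exchange; check PSK, ike= and peer ID"
    return f"phase {phase} stalled in {i['state']} on #{sa} after {i['retransmits']} retransmits: {note}"
```

Feed it the full `ipsec auto --verbose --up` output; lines that are not pluto status lines (the command echo, wrapped continuations) are ignored.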