[Openswan Users] openswan 2.4.0 & pix 515e
Paul Wouters
paul at xelerance.com
Wed Oct 5 19:03:42 CEST 2005
On Wed, 5 Oct 2005, Lelio Parisi wrote:
> Subject: [Openswan Users] openswan 2.4.0 & pix 515e
>
> Hi! I've some problem with the last openswan running
> on 2.6.13 kernel with klips and my cisco pix 515e
> Here's the error:
> root@lean:~# ipsec auto --up pix
> 104 "pix" #1: STATE_MAIN_I1: initiate
> 106 "pix" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "pix" #1: received Vendor ID payload [XAUTH]
> 003 "pix" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "pix" #1: received Vendor ID payload [Cisco-Unity]
> 003 "pix" #1: ignoring unknown Vendor ID payload [b1a7785aeff2584005e81dc7acb2bafc]
> 108 "pix" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "pix" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
> 218 "pix" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
> I've found that I must say rightprotoport=17/%any but
> when I put this string, it says:
> root@lean:~# ipsec auto --up pix
> 021 no connection named "pix"
> but the connection exists!!
But it did not load. What does 'ipsec auto --add pix' tell you?
Perhaps you need to add a leftprotoport statement as well?
> conn pix
> #type = tunnel
> left=80.181.yyy.yyy
> leftsubnet=192.168.0.0/24
> #leftnexthop=%defaultroute
> right=192.167.xxx.xxx
> rightsubnet=10.0.0.0/24
> authby=secret
> #esp = 3des-md5-hmac
this at least does not reflect the failing connection with
rightprotoport=17/%any
Paul
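
Added example, not part of the original thread and not Openswan's code: a minimal parser for the decrypted ISAKMP Identification payload (layout per RFC 2407 section 4.6.2) that applies the Phase 1 protocol/port rule quoted in the log above. The function names and the sample payloads (documentation address 192.0.2.1) are constructed for illustration.

```python
import struct

UDP = 17            # IP protocol number for UDP
IKE_PORT = 500      # ISAKMP/IKE port
ID_IPV4_ADDR = 1    # IPsec DOI identification type (RFC 2407)
NEXT_HASH = 8       # ISAKMP "next payload" value for a Hash payload


def parse_id_payload(payload: bytes) -> dict:
    """Parse a decrypted ISAKMP Identification payload (IPsec DOI)."""
    if len(payload) < 8:
        raise ValueError("ID payload shorter than its 8-byte fixed part")
    # Generic payload header: next payload, reserved, payload length.
    next_payload, _reserved, length = struct.unpack("!BBH", payload[:4])
    # DOI-specific part: ID type, protocol ID, port, then the ID data.
    id_type, protocol, port = struct.unpack("!BBH", payload[4:8])
    if length != len(payload):
        raise ValueError(f"length field {length} != actual size {len(payload)}")
    return {"next_payload": next_payload, "id_type": id_type,
            "protocol": protocol, "port": port, "data": payload[8:]}


def phase1_id_ok(protocol: int, port: int) -> bool:
    """In Phase 1 the pair must be 0/0 or UDP/500 (RFC 2407, 4.6.2)."""
    return (protocol, port) in ((0, 0), (UDP, IKE_PORT))


def check_phase1_id(payload: bytes) -> str:
    """Return 'ok' or a diagnostic shaped like the one in the log above."""
    f = parse_id_payload(payload)
    if phase1_id_ok(f["protocol"], f["port"]):
        return "ok"
    return ("protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 "
            f"but are {f['protocol']}/{f['port']}")


def build_id_payload(protocol: int, port: int,
                     addr: bytes = bytes([192, 0, 2, 1])) -> bytes:
    """Construct a sample ID_IPV4_ADDR payload (test data, not a capture)."""
    body = struct.pack("!BBH", ID_IPV4_ADDR, protocol, port) + addr
    return struct.pack("!BBH", NEXT_HASH, 0, 4 + len(body)) + body


if __name__ == "__main__":
    # Constructed samples: the 17/0 case from the log, then the two legal pairs.
    for proto, port in ((17, 0), (17, 500), (0, 0)):
        print(f"{proto}/{port}: {check_phase1_id(build_id_payload(proto, port))}")
```

In Main Mode the ID payload travels encrypted in the third message of each side, so a check like this only applies to the payload after decryption.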