[Openswan Users] pix and openswan (2nd act)

Wed Oct 19 13:10:47 CEST 2005

Hi! I have a problem: I've a pix on a site and a linux
machine on another site with openswan software.
You can see the scenario very well in the picture
http://supportotesi.altervista.org/final.gif
I need to have both roadwarrior (cisco vpn client) and
site-to-site connection (openswan).
My pix conf
pixfirewall# sh conf 
: Saved
: Written by enable_15 at 08:15:26.950 UTC Tue Oct 18
2005
PIX Version 6.3(1)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security4
enable password kd4q8INnfTMGlrxA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names         
access-list openswan permit ip 10.0.0.0 255.255.255.0
192.168.0.0 255.255.255.0 
access-list split permit ip 10.0.0.0 255.255.255.0
10.0.9.0 255.255.255.0 
access-list inside permit ip any 10.0.9.0
255.255.255.0 
access-list inside permit ip any 192.168.0.0
255.255.255.0 
pager lines 24
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside 172.17.32.13 255.255.128.0
ip address inside 10.0.0.1 255.255.255.0
no ip address intf2
ip audit info action alarm
ip audit attack action alarm
ip local pool mypool 10.0.9.1-10.0.9.255
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside
nat (inside) 1 10.0.0.0 255.255.255.0 0 0
route outside 0.0.0.0 0.0.0.0 172.17.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00
rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00
sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+ 
aaa-server RADIUS protocol radius 
aaa-server LOCAL protocol local 
http server enable
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map outside_dyn 20 set transform-set
myset
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address openswan
crypto map mymap 10 set peer 80.183.74.53
crypto map mymap 10 set transform-set myset
crypto map mymap 20 ipsec-isakmp dynamic outside_dyn
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address yyy.yyy.yyy.yyy netmask
255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp nat-traversal 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28800
vpngroup mygroup address-pool mypool
vpngroup mygroup split-tunnel split
vpngroup mygroup idle-time 1800
vpngroup mygroup password ********
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
dhcpd address 10.0.0.2-10.0.0.30 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd enable inside
username lelio password 130yZZ3y12bbgj6d encrypted
privilege 2
terminal width 80

My ipsec.conf is:

version 2.0

config setup
interfaces="ipsec0=ppp0"
klipsdebug=none
#plutodebug=none
#plutoload=%search
#plutostart=%search
uniqueids=yes
nat_traversal=yes

conn %default
keyingtries=0
disablearrivalcheck=no
authby=secret

conn pix
#type = tunnel
left=yyy.yyy.yyy.yyy
leftsubnet=192.168.0.0/24
leftprotoport=17/0
#leftnexthop=%defaultroute
right=xxx.xxx.xxx.xxx
rightsubnet=10.0.0.0/24
rightid=172.17.32.13
rightprotoport=17/0
authby=secret
#esp=3des-md5-hmac
#keyexchange = ike
pfs=no
auto=add

The roadwarriors are connecting well to the vpn,
openswan too but the 192.168.0.x's doesn't ping
10.0.0.x's

Here's the result:
root at darkstar:~# /etc/rc.d/ipsec --restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.4.0...
root at darkstar:~# ipsec auto --up pix
104 "pix" #1: STATE_MAIN_I1: initiate
003 "pix" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03]method set to=108
003 "pix" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n]meth=106, but already
using method 108
106 "pix" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "pix" #1: received Vendor ID payload [XAUTH]
003 "pix" #1: received Vendor ID payload [Dead Peer
Detection]
003 "pix" #1: received Vendor ID payload [Cisco-Unity]
003 "pix" #1: ignoring unknown Vendor ID payload
[8a346f4049c4d1e08a7700ecf40aebb1]
003 "pix" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
108 "pix" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "pix" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5
group=modp1024}
117 "pix" #2: STATE_QUICK_I1: initiate
003 "pix" #2: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
004 "pix" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established {ESP=>0x991beb28 <0xc1300ad7
xfrm=3DES_0-HMAC_MD5 NATD=xxx.xxx.xxx.xxx:4500
DPD=none}

As you can see the SA is established but the pc
doesn't see each other.
I've tried with windows xp and it works. There's a
tool over the net (smart vpn client)that is a sort of
site-to-site but without pcs behind the pc who use
this tool. I mean... connect to pix not as a
roadwarrior but as a site-to-site.
But you cannot have a subnet behind (sorry for my bad
explanation) and it works! So I think my access-list
are good.
Can anyone help me??
Sorry for the length of my post... 

___________________________________ 
Yahoo! Mail: gratis 1GB per i messaggi e allegati da 10MB 
http://mail.yahoo.it