[Openswan Users] Fwd: Re: openSWAN to Cisco IOS
John Serink
jserink2004 at yahoo.com
Tue Aug 22 13:02:00 EDT 2006
--- John Serink <jserink2004 at yahoo.com> wrote:
> Date: Tue, 22 Aug 2006 09:59:53 -0700 (PDT)
> From: John Serink <jserink2004 at yahoo.com>
> Subject: Re: [Openswan Users] openSWAN to Cisco IOS
> To: Glenn Henshaw <thraxisp at logicaloutcome.ca>
>
> This works for me, debian 2.6.8 using NetKey and openswan 2.2.0....
> To a 2821, IOS 12.4....
> Dynamic IP on the Debian side, static at the Cisco.
>
> Cisco Side:
> crypto isakmp policy 1
> encr aes
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key My_key_here 0.0.0.0 0.0.0.0
> !
> !
> crypto ipsec transform-set rtpset esp-aes esp-md5-hmac
> !
> crypto dynamic-map rtpmap 10
> description test connection to RX1000
> set transform-set rtpset
> set pfs group2
>
> crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
>
> access-list 120 deny ip 192.168.1.0 0.0.0.15 192.168.1.0 0.0.0.255
> access-list 120 permit ip 192.168.1.0 0.0.0.15 any
> no cdp run
> !
> route-map nonat permit 10
> match ip address 120
>
> The last bit with the ACL is important: it's telling the IOS NOT to NAT the stuff
> going over the IPsec tunnel....that'll mulch your communications for sure,
> pluto will dump the ESP packets as they will all have had their source IPs
> changed. Make sure you do the same on the Linux side....I'm using shorewall,
> the setting of the /etc/shorewall/masq file needs to be:
> #INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
> ppp1:!192.168.1.0/28 192.168.1.96/28
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> Means, don't NAT that subnet going via ppp1; if you do, the ESP packets will
> be garbled and the Cisco will drop them.
>
> Openswan side:
> # /etc/ipsec.conf - Openswan IPsec configuration file
> version 2.0 # conforms to second version of ipsec.conf specification
> config setup
> # Debug-logging controls: "none" for (almost) none, "all" for lots.
> klipsdebug=none
> plutodebug=none
> interfaces=%defaultroute
> uniqueids=yes
>
> # Add connections here
>
> conn GDC1
> authby=secret
> auto=start
> left=%defaultroute
> leftsourceip=192.168.1.97
> leftid=@RX1000test
> leftsubnet=192.168.1.96/28
> ike=aes128-md5-modp1024
> esp=aes128-md5
> right=160.96.97.248
> rightsubnet=192.168.1.0/28
> rightsourceip=X.X.X.X
> type=tunnel
> pfs=yes
> keyingtries=0
> dpddelay=30
> dpdtimeout=90
> dpdaction=clear
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> As you can see, it's no problem to use pfs. Now, I did try to use ipsec
> profiles on the cisco but could not get that working, which is a bit of a
> disappointment as I wanted the ability to VPN in from my windoze laptop using
> the cisco VPN client....doesn't mean it can't be done, I just couldn't get it
> running in the time I allotted to the task.
>
> Anyhow, the above works fine.
>
> Now, my system was doing tunnels from gateway to gateway; your syslog
> output below indicates you're behind a NAT box and using KLIPS. Should not
> matter, the cisco should pick that up. Make sure your linux firewall is
> allowing udp 4500 and 500 through and that your NAT box is allowing that
> traffic as well.
>
> Anyhow, good luck.
> Cheers,
> John
>
> --- Glenn Henshaw <thraxisp at logicaloutcome.ca> wrote:
>
> > Having resolved some of the protocol incompatibilities, I can now
> > get the connection to progress past the key exchange. It stops before
> > bringing up the tunnel declaring "NO_PROPOSAL_CHOSEN". The Cisco end
> > thinks that the tunnel is up until the keep-alive expires.
> >
> > What can cause the "NO_PROPOSAL_CHOSEN" message from the Cisco?
> >
> >
> > ... Glenn
> >
> >
> > openSWAN config:
> > version 2.0
> > config setup
> > interfaces=%defaultroute
> > klipsdebug="none"
> > plutodebug="control"
> > nat_traversal=yes
> >
> > conn host
> > # host specific configuration
> > esp=3des-sha1-1024
> > ike=3des-sha1-1024
> > pfs=no
> > keyexchange=ike
> > # basic configuration
> > type=tunnel
> > left=%defaultroute
> > leftnexthop=%defaultroute
> > leftid=@xxxxxxxxx
> > right=xxx.xxx.xxx.xxx
> > rightsubnet=10.0.0.0/8
> > authby=secret
> > auto=start
> >
> > #disable opportunistic encryption
> > include /etc/config/ipsec.d/examples/no_oe.conf
> >
> > Cisco Config: (abbreviated)
> > crypto isakmp policy 10
> > encr 3des
> > authentication pre-share
> > group 2
> > crypto isakmp nat keepalive 30
> > crypto isakmp client configuration address-pool local xxxxxxxxxxxx
> > !
> > crypto isakmp profile L2L
> > keyring QP_Spokes
> > match identity address 0.0.0.0
> > !
> > crypto ipsec transform-set QP_Set esp-3des esp-sha-hmac
> > !
> > crypto dynamic-map xxxxxxxxxxx 40
> > set transform-set QP_Set
> > set isakmp-profile L2L
> > !
> >
> >
> >
> > openSWAN startup:
> > # ipsec auto --up host
> > 104 "host" #3: STATE_MAIN_I1: initiate
> > 003 "host" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-
> > ike-03] method set to=108
> > 106 "host" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> > 003 "host" #3: received Vendor ID payload [Cisco-Unity]
> > 003 "host" #3: received Vendor ID payload [Dead Peer Detection]
> > 003 "host" #3: ignoring unknown Vendor ID payload
> > [0c447920daaa628dce64a39fb745f11d]
> > 003 "host" #3: received Vendor ID payload [XAUTH]
> > 003 "host" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-
> > ike-02/03: i am NATed
> > 108 "host" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> > 004 "host" #3: STATE_MAIN_I4: ISAKMP SA established
> > {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> > group=modp1024}
> > 117 "host" #4: STATE_QUICK_I1: initiate
> > 010 "host" #4: STATE_QUICK_I1: retransmission; will wait 20s for
> > response
> > 010 "host" #4: STATE_QUICK_I1: retransmission; will wait 40s for
> > response
> > 031 "host" #4: max number of retransmissions (2) reached
> > STATE_QUICK_I1. No acceptable response to our first Quick Mode
> > message: perhaps peer likes no proposal000 "host" #4: starting keying
> > attempt 2 of an unlimited number, but releasing whack
> >
> >
> > local logs:
> > <83>Aug 21 16:53:18.406 2006 ipsec__plutorun: Starting Pluto
> > subsystem...
> > <84>Aug 21 16:53:18.597 2006 pluto[5458]: Starting Pluto (Openswan
> > Version 2.4.5rc6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR;
> > Vendor ID OESTg[~pX at __)
> > <84>Aug 21 16:53:18.599 2006 pluto[5458]: Setting NAT-Traversal
> > port-4500 floating to on
> > <84>Aug 21 16:53:18.600 2006 pluto[5458]: port floating activation
> > criteria nat_t=1/port_fload=1
> > <84>Aug 21 16:53:18.602 2006 pluto[5458]: including NAT-Traversal
> > patch (Version 0.6c)
> > <87>Aug 21 16:53:18.603 2006 pluto[5458]: | opening /dev/urandom
> > <87>Aug 21 16:53:18.613 2006 pluto[5458]: | inserting event
> > EVENT_REINIT_SECRET, timeout in 3600 seconds
> > <87>Aug 21 16:53:18.633 2006 pluto[5458]: | inserting event
> > EVENT_PENDING_PHASE2, timeout in 120 seconds
> > <84>Aug 21 16:53:18.639 2006 pluto[5458]: ike_alg_register_enc():
> > Activating OAKLEY_AES_CBC: Ok (ret=0)
> > <84>Aug 21 16:53:18.641 2006 pluto[5458]: starting up 1 cryptographic
> > helpers
> > <87>Aug 21 16:53:18.655 2006 pluto[5461]: | opening /dev/urandom
> > <84>Aug 21 16:53:18.657 2006 pluto[5458]: started helper pid=5461 (fd:5)
> > <84>Aug 21 16:53:18.660 2006 pluto[5458]: Using KLIPS IPsec interface
> > code on 2.4.27-uc1
> > <87>Aug 21 16:53:18.664 2006 pluto[5458]: | inserting event
> > EVENT_SHUNT_SCAN, timeout in 120 seconds
> > <87>Aug 21 16:53:18.673 2006 pluto[5461]: ! helper 0 waiting on fd: 7
> > <84>Aug 21 16:53:18.701 2006 pluto[5458]: Changing to directory '/etc/
> > config/ipsec.d/cacerts'
> > <84>Aug 21 16:53:18.749 2006 pluto[5458]: Changing to directory '/etc/
> > config/ipsec.d/aacerts'
> > <84>Aug 21 16:53:18.751 2006 pluto[5458]: Changing to directory '/etc/
> > config/ipsec.d/ocspcerts'
> > <84>Aug 21 16:53:18.753 2006 pluto[5458]: Changing to directory '/etc/
> > config/ipsec.d/crls'
> > <84>Aug 21 16:53:18.755 2006 pluto[5458]: Warning: empty directory
> > <87>Aug 21 16:53:18.757 2006 pluto[5458]: | inserting event
> > EVENT_LOG_DAILY, timeout in 25602 seconds
> > <87>Aug 21 16:53:18.758 2006 pluto[5458]: | next event
> > EVENT_SHUNT_SCAN in 120 seconds
> > <87>Aug 21 16:53:20.571 2006 pluto[5458]: |
> > <87>Aug 21 16:53:20.572 2006 pluto[5458]: | *received whack message
> > <87>Aug 21 16:53:20.572 2006 pluto[5458]: | Added new connection host
> > with policy PSK+ENCRYPT+TUNNEL
> > <87>Aug 21 16:53:20.573 2006 pluto[5458]: | from whack: got --
> > esp=3des-sha1
> > <87>Aug 21 16:53:20.574 2006 pluto[5458]: | esp string values:
> > 3_000-2, flags=strict
> > <87>Aug 21 16:53:20.574 2006 pluto[5458]: | from whack: got --ike=3des
> > <87>Aug 21 16:53:20.575 2006 pluto[5458]: | ike string values:
> > 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=strict
> > <87>Aug 21 16:53:20.576 2006 pluto[5458]: | counting wild cards for
> > @xxxxxxx is 0
> > <87>Aug 21 16:53:20.576 2006 pluto[5458]: | counting wild cards for
> > (none) is 15
> > <87>Aug 21 16:53:20.577 2006 pluto[5458]: | alg_info_addref()
> > alg_info->ref_cnt=1
> > <87>Aug 21 16:53:20.583 2006 pluto[5458]: | alg_info_addref()
> > alg_info->ref_cnt=2
> > <84>Aug 21 16:53:20.584 2006 pluto[5458]: added connection
> > description "host"
> > <87>Aug 21 16:53:20.585 2006 pluto[5458]: | 192.168.1.234
> > [@Pxxxxxxx]---192.168.1.2...xxx.xxx.xxx.xxx===10.0.0.0/8
> > <87>Aug 21 16:53:20.586 2006 pluto[5458]: | ike_life: 3600s;
> > ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%;
> > keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL
> > <87>Aug 21 16:53:20.586 2006 pluto[5458]: | next event
> > EVENT_SHUNT_SCAN in 118 seconds
> > <87>Aug 21 16:53:20.807 2006 pluto[5458]: |
> > <87>Aug 21 16:53:20.808 2006 pluto[5458]: | *received whack message
> > <84>Aug 21 16:53:20.817 2006 pluto[5458]: listening for IKE messages
> > <87>Aug 21 16:53:20.818 2006 pluto[5458]: | found lo with address
> > 127.0.0.1
> > <87>Aug 21 16:53:20.819 2006 pluto[5458]: | found ipsec0 with address
> > 192.168.1.234
> > <87>Aug 21 16:53:20.819 2006 pluto[5458]: | found eth0 with address
> > 192.168.4.1
> > <87>Aug 21 16:53:20.820 2006 pluto[5458]: | found eth1 with address
> > 192.168.1.234
> > <84>Aug 21 16:53:20.821 2006 pluto[5458]: adding interface ipsec0/
> > eth1 192.168.1.234:500
> > <84>Aug 21 16:53:20.821 2006 pluto[5458]: adding interface ipsec0/
> > eth1 192.168.1.234:4500
> > <87>Aug 21 16:53:20.822 2006 pluto[5458]: | IP interface eth0
> > 192.168.4.1 has no matching ipsec* interface -- ignored
> > <87>Aug 21 16:53:20.823 2006 pluto[5458]: | IP interface lo 127.0.0.1
> > has no matching ipsec* interface -- ignored
> > <87>Aug 21 16:53:20.823 2006 pluto[5458]: | could not open /proc/net/
> > if_inet6
> > <84>Aug 21 16:53:20.824 2006 pluto[5458]: loading secrets from "/etc/
> > config/ipsec.secrets"
> > <87>Aug 21 16:53:20.825 2006 pluto[5458]: | next event
> > EVENT_SHUNT_SCAN in 118 seconds
> > <87>Aug 21 16:53:21.058 2006 pluto[5458]: |
> > <87>Aug 21 16:53:21.059 2006 pluto[5458]: | *received whack message
> > <87>Aug 21 16:53:21.068 2006 pluto[5458]: | processing connection host
> > <87>Aug 21 16:53:21.069 2006 pluto[5458]: | route owner of "host"
> > unrouted: NULL; eroute owner: NULL
> > <87>Aug 21 16:53:21.070 2006 pluto[5458]: | could_route called for
> > host (kind=CK_PERMANENT)
> > <87>Aug 21 16:53:21.070 2006 pluto[5458]: | route owner of "host"
> > unrouted: NULL; eroute owner: NULL
> > <87>Aug 21 16:53:21.071 2006 pluto[5458]: | eroute_connection add
> > eroute 192.168.1.234/32:0 --0-> 10.0.0.0/8:0 => %trap (raw_eroute)
> > <87>Aug 21 16:53:21.072 2006 pluto[5458]: | route_and_eroute:
> > firewall_notified: true
> > <87>Aug 21 16:53:21.072 2006 pluto[5458]: | command executing prepare-
> > host
> > <87>Aug 21 16:53:21.073 2006 pluto[5458]: | executing prepare-host:
> > 2>&1 PLUTO_VERSION='1.1' PLUTO_VERB='prepare-host'
> > PLUTO_CONNECTION='host' PLUTO_NEXT_HOP='192.168.1.2'
> > PLUTO_INTERFACE='ipsec0' PLUTO_ME='192.168.1.234'
> > PLUTO_MY_ID='@xxxxxxx' PLUTO_MY_CLIENT='192.168.1.234/32'
> >
> === message truncated ===
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam? Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
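Added example, not code from the thread, from Openswan or from Cisco: a small proposal-matching check that normalises the Openswan ike=/esp= strings and the IOS "crypto isakmp policy", "transform-set" and "set pfs" lines into one vocabulary and reports what differs, which is the first thing to rule out when Quick Mode ends in NO_PROPOSAL_CHOSEN. The parsing covers only the syntax the two configs above use; the IOS defaults filled in for missing policy lines (encr des, hash sha, group 1) and the PFS acceptance rule are assumptions taken from the IOS documentation, not from the thread. Run against the two configs in the thread, both John's working pair and Glenn's algorithm strings come out matching, which agrees with Glenn's log showing the ISAKMP SA established, so for his case the algorithm names alone do not explain the failure and the other things John mentions (NAT, udp 500/4500) remain to be checked.

```python
# Proposal-matching check for an Openswan <-> Cisco IOS tunnel (added example).
import re

# IOS "group N" / "set pfs groupN" numbers -> Openswan MODP group names
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
# IOS hash / HMAC spellings -> Openswan integrity names
HASHES = {"md5": "md5", "sha": "sha1", "sha1": "sha1"}
CIPHER_RE = re.compile(r"^(aes|3des|des)(\d+)?$")


def parse_openswan(alg):
    """'aes128-md5-modp1024', '3des-sha1' or '3des-sha1-1024' -> dict.
    A bare number after the hash is read as a MODP group; aes without a
    key length means 128; group is None when not stated."""
    parts = alg.lower().split("-")
    m = CIPHER_RE.match(parts[0])
    if not m or len(parts) < 2 or parts[1] not in HASHES:
        raise ValueError("unparsable proposal: %r" % alg)
    encr, keylen = m.group(1), m.group(2)
    keylen = int(keylen) if keylen else (128 if encr == "aes" else None)
    group = None
    if len(parts) > 2:
        group = parts[2] if parts[2].startswith("modp") else "modp" + parts[2]
    return {"encr": encr, "keylen": keylen, "hash": HASHES[parts[1]], "group": group}


def parse_cisco_isakmp_policy(text):
    """Parse one 'crypto isakmp policy' block. Missing lines take the IOS
    defaults (assumption from the IOS docs): encr des, hash sha, group 1."""
    p = {"encr": "des", "keylen": None, "hash": "sha1", "group": "modp768"}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] in ("encr", "encryption"):
            p["encr"] = tok[1]
            p["keylen"] = int(tok[2]) if len(tok) > 2 else (128 if tok[1] == "aes" else None)
        elif tok[0] == "hash":
            p["hash"] = HASHES[tok[1]]
        elif tok[0] == "group":
            p["group"] = DH_GROUPS[tok[1]]
    return p


def parse_cisco_transform_set(line):
    """Parse 'crypto ipsec transform-set NAME esp-aes [256] esp-md5-hmac'."""
    tok = line.split()
    ts = {"encr": None, "keylen": None, "hash": None}
    i = tok.index("transform-set") + 2          # skip the set name
    while i < len(tok):
        t = tok[i]
        if t in ("esp-aes", "esp-3des", "esp-des"):
            ts["encr"] = t[4:]
            if t == "esp-aes":                    # optional key length follows
                ts["keylen"] = 128
                if i + 1 < len(tok) and tok[i + 1].isdigit():
                    i += 1
                    ts["keylen"] = int(tok[i])
        elif t.startswith("esp-") and t.endswith("-hmac"):
            ts["hash"] = HASHES[t[4:-5]]
        i += 1
    return ts


def compare(openswan_alg, cisco, phase):
    """Mismatch list for one phase; the DH group is only compared in phase 1."""
    want = parse_openswan(openswan_alg)
    keys = ("encr", "keylen", "hash") + (("group",) if phase == 1 else ())
    return ["%s: openswan=%s cisco=%s" % (k, want[k], cisco[k])
            for k in keys if want[k] != cisco[k]]


def check_pfs(pfs, esp_alg, ike_alg, cisco_pfs_group):
    """Openswan with pfs=yes offers the esp group if stated, else the ike group.
    Assumption from the IOS crypto-map docs: 'set pfs groupN' requires that
    group from the peer; a map without 'set pfs' accepts whatever is offered."""
    if cisco_pfs_group is None:
        return []
    want = DH_GROUPS[cisco_pfs_group.replace("group", "")]
    if not pfs:
        return ["pfs: cisco requires %s, openswan has pfs=no" % want]
    offered = parse_openswan(esp_alg)["group"] or parse_openswan(ike_alg)["group"]
    return [] if offered == want else ["pfs: openswan=%s cisco=%s" % (offered, want)]


def audit(ike, esp, pfs, policy_text, ts_line, cisco_pfs_group=None):
    """Run all three checks; an empty dict means the proposals line up."""
    result = {"phase1": compare(ike, parse_cisco_isakmp_policy(policy_text), 1),
              "phase2": compare(esp, parse_cisco_transform_set(ts_line), 2),
              "pfs": check_pfs(pfs, esp, ike, cisco_pfs_group)}
    return {k: v for k, v in result.items() if v}


# The two router configs from the thread (John's working one, Glenn's failing one)
JOHN_POLICY = "crypto isakmp policy 1\n encr aes\n hash md5\n authentication pre-share\n group 2"
JOHN_TS = "crypto ipsec transform-set rtpset esp-aes esp-md5-hmac"
GLENN_POLICY = "crypto isakmp policy 10\n encr 3des\n authentication pre-share\n group 2"
GLENN_TS = "crypto ipsec transform-set QP_Set esp-3des esp-sha-hmac"

if __name__ == "__main__":
    print("john :", audit("aes128-md5-modp1024", "aes128-md5", True, JOHN_POLICY, JOHN_TS, "group2"))
    print("glenn:", audit("3des-sha1-1024", "3des-sha1-1024", False, GLENN_POLICY, GLENN_TS))
    # constructed mismatch: AES-256/SHA-1/group 5 offered to John's router
    print("bad  :", audit("aes256-sha1-modp1536", "aes256-sha1", True, JOHN_POLICY, JOHN_TS, "group2"))
```

The constructed third call shows the shape of a real mismatch report: key length, hash and DH group each listed separately for phase 1, and the PFS group flagged because Openswan falls back to the phase 1 group when esp= names none.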