[Openswan Users] Cisco VPN connection

Andy Gay andy at andynet.net
Tue Aug 29 09:57:37 EDT 2006


On Tue, 2006-08-29 at 08:06 -0400, Artem wrote:
> Hello, all! 
> 
> I cannot seem to understand how to connect to Cisco IOS VPN. Here's
> its configuration: 
> 
> Connection Type: Tunnel 
> 
> ip crypto key 
> 
> IPSEC phase1 (ISAKMP): 
> encryption algorithm: Three key triple DES 
> hash algorithm: Secure Hash Standard 
> authentication method: Pre-Shared Key 
> Diffie-Hellman group: 1 (768 bit) 

I don't think Openswan supports group 1 - too weak. Try to use group 2
or group 5

> lifetime: 600 seconds 
> 
> IPSEC phase2: 
> pfs group: 2 
> encryption algorithm: 3des 
> authentication algorithm: hmac sha 
> 
> (crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac) 
> 
> transform-set 3dessha 
> 
> Crypted traffic: 
> ip host host 
> 
> 
> Here's my OpenSwan config: 
> 
> config setup 
> interfaces=%defaultroute 
> uniqueids=yes 
> 
> conn ciscovpn 
> type= tunnel 
> left= MY_IP 
> right= CISCO_IP 
> keyexchange= ike 
> pfs= no 

Seems you need pfs=yes, AFAIK that's what "pfs group 2" means in the 
Cisco.

> auth= esp 
> auto= add 
> ikelifetime= 20m 

Won't stop it getting connected, but you do say the Cisco is set to 10
min; it's better to configure both sides the same.

> authby=secret 
> 
> 
> I tried playing with esp and ike options with no success. tcpdump
> shows [E] at both stage 1 and stage 2, the remote side tells me that
> stage two fails (though they cannot confirm that the first stage went
> OK).

Show us the Openswan logs, they'll tell us if phase 1 completes. I would
not expect it to with group 1 in the Cisco.

> Any ideas what might be wrong? Is it possible at all to connect to
> this Cisco VPN concentrator?

I have several connections to Cisco 3000 series concentrators, and a few
to PIX firewalls; generally I've had no difficulty getting it to work.

> 
> 
> Best wishes, Artem 

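For reference, here is what Artem's conn looks like once the Cisco parameters quoted above are spelled out explicitly and Andy's corrections (pfs=yes, matching IKE lifetime, DH group 2 instead of group 1) are applied. This is an added example by the editor, not a config posted in the thread; MY_IP and CISCO_IP are the placeholders from Artem's post, the PSK value is a placeholder, and the Cisco side is assumed to have been changed to DH group 2 as Andy suggests.

```ini
# /etc/ipsec.conf (added example, not from the original post)
config setup
        interfaces=%defaultroute
        uniqueids=yes

conn ciscovpn
        type=tunnel
        left=MY_IP                 # this Openswan host
        right=CISCO_IP             # the Cisco IOS peer
        keyexchange=ike
        authby=secret              # "authentication method: Pre-Shared Key"
        # Phase 1 (ISAKMP): 3DES, SHA, DH group 2 (modp1024).
        # The Cisco was quoted with group 1 (768 bit); Openswan does not
        # offer it, so the Cisco policy is assumed changed to group 2.
        ike=3des-sha1-modp1024
        ikelifetime=10m            # Cisco "lifetime: 600 seconds"
        # Phase 2: transform-set esp-3des esp-sha-hmac, "pfs group: 2".
        esp=3des-sha1
        pfs=yes
        pfsgroup=modp1024          # pfs group 2 on the Cisco
        auth=esp
        auto=add

# /etc/ipsec.secrets (added example): one PSK line for this peer pair
# MY_IP CISCO_IP : PSK "REPLACE_WITH_SHARED_SECRET"
```

After `ipsec auto --add ciscovpn` and `ipsec auto --up ciscovpn`, the Openswan log (or `ipsec auto --status`) shows whether "ISAKMP SA established" appears, which is the phase 1 confirmation Andy asks for.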