[Openswan Users] openswan -vpn concentrator

cesar at queretaro.podernet.com.mx cesar at queretaro.podernet.com.mx
Mon Feb 20 18:31:31 CET 2006


I have a VPN Concentrator Type 3005 (Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.4.A)
and Fedora Core 4 with Openswan. This is my configuration:

In the VPN Concentrator:
Configuration->System->Tunneling Protocols->IPSec->IKE Proposals


Proposal Name              openswan
Authentication Mode        Preshared Keys
Authentication Algorithm   MD5/HMAC-128
Encryption Algorithm       3DES-168
Diffie-Hellman Group       Group 2 (1024-bits)
Lifetime Measurement       Time
Data Lifetime              10000
Time Lifetime              28800


Configuration->System->Tunneling Protocols->IPSec->IPSec Lan-to-Lan


Name                       openswan
Interface                  Ethernet 2 (Public)(64.64.64.64)
Peer                       63.63.63.63
Digital Certificate        None (Use Preshared Keys)

Preshared Key              Amazingly secure secret key
Authentication             ESP/MD5/HMAC-128
Encryption                 3DES-168
IKE Proposal               openswan
Filter                     --None--
IPSec NAT-T                Unchecked
Bandwidth Policy           --None--
Routing                    None

 Local Network:
      Network List         Use IP Address/Wildcard-mask below
        IP Address         10.13.1.0
     Wildcard Mask         0.0.0.255

 Remote Network:
      Network List         Use IP Address/Wildcard-mask below
        IP Address         10.13.2.0
     Wildcard Mask         0.0.0.255


Configuration->System->Tunneling Protocols->IPSec->IKE Proposals


SA Name                    L2L: openswan
Inheritance                From Rule

Authentication Algorithm   ESP/MD5/HMAC-128
Encryption Algorithm       3DES-168
Encapsulation Mode         Tunnel
Perfect Forward Secrecy    Group 2 (1024-bits)
Lifetime Measurement       Time
Data Lifetime              10000
Time Lifetime              28800

 IKE Parameters
       IKE Peer            63.63.63.63
       Negotiation Mode    Main
       Digital Certificate None (Use Preshared Keys)
       IKE Proposal        openswan

And on Fedora Core 4:

# basic configuration
config setup
        forwardcontrol=yes
        interfaces=%defaultroute
        nat_traversal=no
        uniqueids=yes
        plutowait=no
        plutodebug=all
        klipsdebug=all


conn concentrator
        authby=secret
        auto=add
        compress=no
        ikelifetime=8h
        keyingtries=0
        left=21.94.87.125
        leftid=21.94.87.125
        leftsubnet=172.16.34.0/24
        pfs=no
        right=1.2.3.4
        rightid=5.6.7.8
        rightsubnet=172.16.1.0/24
        type=tunnel



I get this error:


04 "concentrator" #1: STATE_MAIN_I1: initiate
010 "concentrator" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
003 "concentrator" #1: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
106 "concentrator" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "concentrator" #1: received Vendor ID payload [Cisco-Unity]
003 "concentrator" #1: received Vendor ID payload [XAUTH]
003 "concentrator" #1: ignoring unknown Vendor ID payload [905b18e5c6ec9a879584e281d23c8414]
003 "concentrator" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
108 "concentrator" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "concentrator" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "concentrator" #2: STATE_QUICK_I1: initiate
010 "concentrator" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "concentrator" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "concentrator" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "concentrator" #2: starting keying attempt 2 of an unlimited number, but releasing whack


Any idea how to solve it?
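
Added example, not part of the original post: a small triage script for whack output in the format quoted above, reporting per SA which IKE phase it belongs to, whether it was established, and whether it timed out. The function names triage and verdict are hypothetical, and the sample lines are constructed from the log format shown in the message.

```python
import re

# Constructed sample in the whack output format quoted in the post above.
SAMPLE = """\
108 "concentrator" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "concentrator" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "concentrator" #2: STATE_QUICK_I1: initiate
010 "concentrator" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
031 "concentrator" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

LINE = re.compile(r'^\d{3} "([^"]+)" #(\d+): (.*)$')
STATE = re.compile(r'^(STATE_(MAIN|QUICK)_\w+): (.*)$')

def triage(text):
    """Summarise each SA (#N) in the output: phase, last state, outcome."""
    sas = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or unrelated line
        conn, num, msg = m.groups()
        sa = sas.setdefault(int(num), {
            "conn": conn, "phase": None, "last_state": None,
            "established": False, "timed_out": False,
            "retransmits": 0, "params": {}})
        s = STATE.match(msg)
        if s:
            sa["last_state"] = s.group(1)
            sa["phase"] = 1 if s.group(2) == "MAIN" else 2  # Main vs Quick Mode
            detail = s.group(3)
            if detail.startswith("retransmission"):
                sa["retransmits"] += 1
            if "SA established" in detail:
                sa["established"] = True
                braces = re.search(r"\{(.*)\}", detail)
                if braces:  # negotiated parameters, e.g. cipher=..., group=...
                    sa["params"] = dict(kv.split("=", 1)
                                        for kv in braces.group(1).split() if "=" in kv)
        elif msg.startswith("max number of retransmissions"):
            sa["timed_out"] = True
    return sas

def verdict(sas):
    """Classify the negotiation as a whole from the per-SA summaries."""
    if not any(s["phase"] == 1 and s["established"] for s in sas.values()):
        return "phase1-not-established"
    phase2 = [s for s in sas.values() if s["phase"] == 2]
    if any(s["established"] for s in phase2):
        return "tunnel-up"
    if any(s["timed_out"] for s in phase2):
        return "phase1-ok-phase2-no-response"
    return "phase2-pending"

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(verdict(result), result[1]["params"])
```

A "phase1-ok-phase2-no-response" result narrows the comparison to the Phase 2 settings on both peers: ESP algorithms, PFS group, and the local and remote subnets.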