[Openswan Users] OpenSWAN - Cisco Pix Group ID VPN

Marcus Carlson marcus.carlson at rationellit.se
Sat Jul 1 14:43:30 CEST 2006


Hi All!

Having set up a few connections to a Cisco PIX previously, this one is 
causing me trouble. The difference here is the Cisco VPN group. Reading 
on the net, it seems this should be possible. There's no xauth 
on the PIX, only VPN group and PSK.

So, any idea what I can have missed?

Current OpenSWAN config:
        authby=secret
        right=1.2.3.4
        rightsubnet=192.168.0.0/24
        rightid=@pix.cisco.com #also tried with no rightid
        leftid=@vpngroup1
        left=%defaultroute
        auto=start #also tried with add and then use whack to start it
        pfs=no
        esp=3des-md5-96

Also tried setting the following options on and off:
        #rightxauthserver=yes
        #rightmodecfgserver=yes
        #leftxauthclient=yes
        #leftmodecfgclient=yes
        #ike=3des-md5
        #modecfgpull=yes
        #keyexchange=ike

Secret file:
: PSK "mysecret"
(also tried setting with IP, ID)

Cisco Pix vpngroup configuration:
vpngroup vpngroup1 address-pool VPNP
vpngroup vpngroup1 dns-server 192.168.0.4
vpngroup vpngroup1 split-tunnel vpn_client
vpngroup vpngroup1 idle-time 1800
vpngroup vpngroup1 password ********


Errors I get from /var/log/auth.log (on Debian):
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: initiating Main Mode to replace #16
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: STATE_MAIN_I2: sent MI2, expecting MR2
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: received Vendor ID payload [XAUTH]
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: received Vendor ID payload [Dead Peer Detection]
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: received Vendor ID payload [Cisco-Unity]
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: ignoring unknown Vendor ID payload [3db299c08c653d11bf3e5ce4aebf99dd]
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: I did not send a certificate because I do not have one.
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: STATE_MAIN_I3: sent MI3, expecting MR3
Jul  1 13:18:28 localhost pluto[26363]: "pix" #17: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Jul  1 13:18:28 localhost pluto[26363]: "pix" #17: starting keying attempt 18 of an unlimited number

Debian openswan version: 2.4.5+dfsg-0.2
Debian kernel version: 2.6.16-2-amd64-k8

TIA,
Marcus
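Added example, not part of the original post: a small Python checker that reads pluto log lines of the shape shown above, tracks each ISAKMP SA through its Main Mode state transitions, and reports where an SA stalls and which vendor IDs the peer advertised. It operates on the post's own lines (re-joined onto single lines) plus one constructed connection named "lab" that completes Main Mode, so the two outcomes can be compared. The diagnosis strings are only what pluto's own messages say (a stall at STATE_MAIN_I3 with no MR3 back is the first encrypted message going unanswered); the function names and the "lab" lines are assumptions for this example.

```python
import re

# Syslog line as written by pluto on Debian (layout as in the post). The message
# part is free text and is matched by the smaller patterns below.
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
VENDOR_RE = re.compile(r'received Vendor ID payload \[([^\]]+)\]')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (\S+?)\.')
ATTEMPT_RE = re.compile(r'starting keying attempt (\d+) of')

# Log excerpt: the "pix" lines are from the post, re-joined onto single lines;
# the "lab" connection is constructed for contrast and completes Main Mode.
SAMPLE_LOG = """\
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: initiating Main Mode to replace #16
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: received Vendor ID payload [XAUTH]
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: received Vendor ID payload [Cisco-Unity]
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jul  1 13:17:18 localhost pluto[26363]: "pix" #17: STATE_MAIN_I3: sent MI3, expecting MR3
Jul  1 13:18:28 localhost pluto[26363]: "pix" #17: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Jul  1 13:18:28 localhost pluto[26363]: "pix" #17: starting keying attempt 18 of an unlimited number
Jul  1 13:20:01 localhost pluto[26363]: "lab" #3: initiating Main Mode
Jul  1 13:20:01 localhost pluto[26363]: "lab" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jul  1 13:20:01 localhost pluto[26363]: "lab" #3: STATE_MAIN_I4: ISAKMP SA established
"""


def parse_line(line):
    """Split one pluto syslog line into its fields, or return None for other lines."""
    m = PLUTO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"])
    return rec


def analyze(log_text):
    """Track each ISAKMP SA (connection name, #number) through its log messages."""
    sas = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        info = sas.setdefault((rec["conn"], rec["sa"]), {
            "last_state": None, "vendor_ids": [],
            "stalled_in": None, "retransmit_limit": None, "keying_attempt": None,
        })
        msg = rec["msg"]
        if (m := TRANSITION_RE.search(msg)):
            info["last_state"] = m.group(2)
        elif (m := VENDOR_RE.search(msg)):
            info["vendor_ids"].append(m.group(1))
        elif (m := RETRANS_RE.search(msg)):
            info["retransmit_limit"] = int(m.group(1))
            info["stalled_in"] = m.group(2)
        elif (m := ATTEMPT_RE.search(msg)):
            info["keying_attempt"] = int(m.group(1))
    return sas


def diagnose(info):
    """Turn one SA record into a one-line finding for an operator."""
    if info["stalled_in"] is None:
        return "ok: reached %s" % info["last_state"]
    finding = "stalled in %s after %d retransmissions" % (
        info["stalled_in"], info["retransmit_limit"])
    if info["stalled_in"] == "STATE_MAIN_I3":
        # MI3 is the first encrypted Main Mode message; no MR3 back means the
        # peer dropped it silently, which pluto itself reports as a possible
        # authentication failure (identity or PSK not accepted).
        finding += "; peer never answered the first encrypted message (identity or PSK not accepted)"
    if "Cisco-Unity" in info["vendor_ids"]:
        finding += "; peer advertises Cisco-Unity"
    if info["keying_attempt"] is not None:
        finding += "; keying attempt %d, pluto keeps retrying" % info["keying_attempt"]
    return finding


def report(log_text=SAMPLE_LOG):
    """Return {(conn, sa): finding} for every SA seen in the log."""
    return {key: diagnose(info) for key, info in analyze(log_text).items()}


if __name__ == "__main__":
    for (conn, sa), finding in report().items():
        print('"%s" #%d: %s' % (conn, sa, finding))
```

Run it against a real auth.log by passing the file contents to report(); an SA that never leaves STATE_MAIN_I3 while the peer advertises Cisco-Unity and XAUTH is exactly the pattern in the post, and separating it from an SA that reaches STATE_MAIN_I4 makes a silent authentication rejection visible without reading every retransmission line.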

