[Openswan Users] Openswan 2.2.0 to Cisco IOS, working but not

John Serink jserink2004 at yahoo.com
Thu Jun 1 02:36:59 CEST 2006


Ok hold on, my Openswan is NOT using KLIPS, it's using
the native 2.6 kernel IPsec stack. Fine....
Still doesn't work.
Maybe my firewall.

Hints?

:)
John

--- John Serink <jserink2004 at yahoo.com> wrote:

> Hi All:
> 
> My system:
> Linux Openswan U2.2.0/K2.6.8-16-486-rx (native)
> Linux rx1000test 2.6.8-16-486-rx #1 Wed Mar 15 15:33:23 UTC 2006 i586 GNU/Linux
> 
> 
> Ok, I have brought up an IPsec tunnel with a Cisco IOS router:
> #sho version
> Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(3c), RELEASE SOFTWARE (fc1)
> 
> Now, it all seems to work.... /var/log/auth.log:
> Jun  1 13:56:23 localhost pluto[20025]: added connection description "GDC1"
> Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: initiating Main Mode
> Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: ignoring Vendor ID payload [Cisco-Unity]
> Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: received Vendor ID payload [Dead Peer Detection]
> Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: ignoring Vendor ID payload [98b9c31fa3ae366c48180ce40386634f]
> Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: ignoring Vendor ID payload [XAUTH]
> Jun  1 13:57:10 localhost pluto[20025]: "GDC1" #1: I did not send a certificate because I do not have one.
> Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: Peer ID is ID_IPV4_ADDR: '160.96.97.248'
> Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: ISAKMP SA established
> Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
> Jun  1 13:57:12 localhost pluto[20025]: "GDC1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jun  1 13:57:12 localhost pluto[20025]: "GDC1" #2: sent QI2, IPsec SA established {ESP=>0x056ee180 <0x9fb8255
> 
> IPsec SA established looks good to me.
> Cisco debug:
> SirentRouter#show debug
> 
> Cryptographic Subsystem:
>   Crypto ISAKMP debugging is on
>   Crypto IPSEC debugging is on
> Jun  1 06:01:24.739: ISAKMP:(0:15:HW:2): processing NONCE payload. message ID = -435997288
> *Jun  1 06:01:24.739: ISAKMP:(0:15:HW:2): processing ID payload. message ID = -435997288
> *Jun  1 06:01:24.743: ISAKMP:(0:15:HW:2): processing ID payload. message ID = -435997288
> *Jun  1 06:01:24.743: ISAKMP:(0:15:HW:2): asking for 1 spis from ipsec
> *Jun  1 06:01:24.743: ISAKMP:(0:15:HW:2):Node -435997288, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
> *Jun  1 06:01:24.743: ISAKMP:(0:15:HW:2):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
> *Jun  1 06:01:24.743: IPSEC(key_engine): got a queue event with 1 kei messages
> *Jun  1 06:01:24.743: IPSEC(spi_response): getting spi 91152768 for SA
>         from 160.96.97.248 to 202.42.98.101 for prot 3
> *Jun  1 06:01:24.743: ISAKMP: received ke message (2/1)
> *Jun  1 06:01:24.751: ISAKMP: Locking peer struct 0x46F5877C, IPSEC refcount 1 for for stuff_ke
> *Jun  1 06:01:24.751: ISAKMP:(0:15:HW:2): Creating IPSec SAs
> *Jun  1 06:01:24.751:         inbound SA from 202.42.98.101 to 160.96.97.248 (f/i)  0/ 0
>         (proxy 192.168.1.96 to 192.168.1.0)
> *Jun  1 06:01:24.751:         has spi 0x56EE180 and conn_id 0 and flags 2
> *Jun  1 06:01:24.751:         lifetime of 28800 seconds
> *Jun  1 06:01:24.751:         has client flags 0x0
> *Jun  1 06:01:24.751:         outbound SA from 160.96.97.248 to 202.42.98.101 (f/i) 0/0
>         (proxy 192.168.1.0 to 192.168.1.96)
> *Jun  1 06:01:24.751:         has spi -1615321763 and conn_id 0 and flags A
> *Jun  1 06:01:24.751:         lifetime of 28800 seconds
> *Jun  1 06:01:24.751:         has client flags 0x0
> *Jun  1 06:01:24.751: IPSEC(key_engine): got a queue event with 2 kei messages
> *Jun  1 06:01:24.751: IPSEC(initialize_sas): ,
>   (key eng. msg.) INBOUND local= 160.96.97.248, remote= 202.42.98.101,
>     local_proxy= 192.168.1.0/255.255.255.240/0/0 (type=4),
>     remote_proxy= 192.168.1.96/255.255.255.240/0/0 (type=4),
>     protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
>     lifedur= 28800s and 0kb,
>     spi= 0x56EE180(91152768), conn_id= 0, keysize= 128, flags= 0x2
> *Jun  1 06:01:24.751: IPSEC(initialize_sas): ,
>   (key eng. msg.) OUTBOUND local= 160.96.97.248, remote= 202.42.98.101,
>     local_proxy= 192.168.1.0/255.255.255.240/0/0 (type=4),
>     remote_proxy= 192.168.1.96/255.255.255.240/0/0 (type=4),
>     protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
>     lifedur= 28800s and 0kb,
>     spi= 0x9FB8255D(2679645533), conn_id= 0, keysize= 128, flags= 0xA
> *Jun  1 06:01:24.751: Crypto mapdb : proxy_match
>         src addr     : 192.168.1.0
>         dst addr     : 192.168.1.96
>         protocol     : 0
>         src port     : 0
>         dst port     : 0
> *Jun  1 06:01:24.751: IPSec: Flow_switching Allocated flow for sibling 8000000D
> *Jun  1 06:01:24.751: IPSEC(policy_db_add_ident): src 192.168.1.0, dest 192.168.1.96, dest_port 0
> 
> *Jun  1 06:01:24.751: ISAKMP: Locking peer struct 0x46F5877C, IPSEC refcount 2 for from create_transforms
> *Jun  1 06:01:24.751: IPSEC(create_sa): sa created,
>   (sa) sa_dest= 160.96.97.248, sa_proto= 50,
>     sa_spi= 0x56EE180(91152768),
>     sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2001
> *Jun  1 06:01:24.751: IPSEC(create_sa): sa created,
>   (sa) sa_dest= 202.42.98.101, sa_proto= 50,
>     sa_spi= 0x9FB8255D(2679645533),
>     sa_trans= esp-aes esp-md5-hmac , sa_conn_id= 2004
> *Jun  1 06:01:24.751: ISAKMP: Unlocking IPSEC struct 0x46F5877C from create_transforms, count 1
> *Jun  1 06:01:24.755: ISAKMP:(0:15:HW:2): sending packet to 202.42.98.101 my_port 500 peer_port 500 (R) QM_IDLE
> *Jun  1 06:01:24.755: ISAKMP:(0:15:HW:2):Node -435997288, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
> *Jun  1 06:01:24.755: ISAKMP:(0:15:HW:2):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
> *Jun  1 14:01:24 SGP: %MV64340_ETHERNET-5-LATECOLLISION: GigabitEthernet0/0, late collision error
> *Jun  1 14:01:24 SGP: %MV64340_ETHERNET-5-LATECOLLISION: GigabitEthernet0/0, late collision error
> *Jun  1 06:01:26.415: ISAKMP (0:268435471): received packet from 202.42.98.101 dport 500 sport 500 Global (R) QM_IDLE
> *Jun  1 06:01:26.419: ISAKMP:(0:15:HW:2):deleting node -435997288 error FALSE reason "QM done (await)"
> *Jun  1 06:01:26.419: ISAKMP:(0:15:HW:2):Node -435997288, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
> *Jun  1 06:01:26.419: ISAKMP:(0:15:HW:2):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
> *Jun  1 06:01:26.419: IPSEC(key_engine): got a queue event with 1 kei messages
> *Jun  1 06:01:26.419: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
> *Jun  1 06:01:26.419: IPSEC(key_engine_enable_outbound): enable SA with spi 2679645533/50
> 
=== message truncated ===

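The two logs above are enough to settle whether IKE is the problem: the SPI pluto reports as ESP=> (0x056ee180) must be the SPI the router installs on its INBOUND SA, pluto's inbound SPI must be the router's OUTBOUND SPI, and the router's local_proxy/remote_proxy (192.168.1.0/28 and 192.168.1.96/28) must be the subnets the Linux side was configured with. When all of that lines up, as it does here, IKE has done its job and the fault is below it: kernel XFRM state/policy, routing, or the firewall. The script below is an added example, not code from the thread or from Openswan; it parses re-typed copies of the pluto "IPsec SA established" line and the Cisco IPSEC(initialize_sas) blocks (constructed samples, with pluto's truncated inbound SPI completed from the router side) and reports the cross-check. The leftsubnet/rightsubnet values passed in are assumptions, since the conn definition is not in the thread.

```python
import re
import ipaddress

# Constructed samples: re-typed from the logs in this thread with mailer line
# wrapping removed. The pluto inbound SPI (<0x9fb8255d) is completed from the
# Cisco OUTBOUND SA, where it appears in full.
PLUTO_LOG = """\
Jun  1 13:57:11 localhost pluto[20025]: "GDC1" #1: ISAKMP SA established
Jun  1 13:57:12 localhost pluto[20025]: "GDC1" #2: sent QI2, IPsec SA established {ESP=>0x056ee180 <0x9fb8255d}
"""

CISCO_DEBUG = """\
*Jun  1 06:01:24.751: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 160.96.97.248, remote= 202.42.98.101,
    local_proxy= 192.168.1.0/255.255.255.240/0/0 (type=4),
    remote_proxy= 192.168.1.96/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 28800s and 0kb,
    spi= 0x56EE180(91152768), conn_id= 0, keysize= 128, flags= 0x2
*Jun  1 06:01:24.751: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 160.96.97.248, remote= 202.42.98.101,
    local_proxy= 192.168.1.0/255.255.255.240/0/0 (type=4),
    remote_proxy= 192.168.1.96/255.255.255.240/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-md5-hmac  (Tunnel),
    lifedur= 28800s and 0kb,
    spi= 0x9FB8255D(2679645533), conn_id= 0, keysize= 128, flags= 0xA
"""

# pluto prints {ESP=>OUT <IN}: OUT is the SPI on packets this host sends.
PLUTO_SA_RE = re.compile(r"IPsec SA established \{ESP=>0x([0-9a-fA-F]+) <0x([0-9a-fA-F]+)")

# One match per IPSEC(initialize_sas) block in 'debug crypto ipsec' output.
CISCO_SA_RE = re.compile(
    r"\(key eng\. msg\.\) (?P<dir>INBOUND|OUTBOUND) local= (?P<local>[\d.]+),"
    r"\s*remote= (?P<remote>[\d.]+),"
    r"\s*local_proxy= (?P<lproxy>[\d./]+) \(type=\d+\),"
    r"\s*remote_proxy= (?P<rproxy>[\d./]+) \(type=\d+\),"
    r"\s*protocol= (?P<proto>\w+), transform= (?P<transform>[-\w ]+?)\s+\((?P<mode>\w+)\),"
    r"\s*lifedur= (?P<secs>\d+)s and \d+kb,"
    r"\s*spi= 0x(?P<spi>[0-9A-Fa-f]+)\(\d+\)"
)


def parse_pluto_spis(log):
    """Return (outbound_spi, inbound_spi) as ints from pluto's SA-established line."""
    m = PLUTO_SA_RE.search(log)
    if not m:
        raise ValueError("no 'IPsec SA established' line in pluto log")
    return int(m.group(1), 16), int(m.group(2), 16)


def cisco_proxy_to_network(proxy):
    """Cisco proxy identity 'addr/mask/proto/port' -> IPv4Network (proto/port ignored)."""
    addr, mask, _proto, _port = proxy.split("/")
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_cisco_sas(debug):
    """One dict per initialize_sas block: direction, SPI, selectors, transform, mode."""
    sas = []
    for m in CISCO_SA_RE.finditer(debug):
        sas.append({
            "dir": m.group("dir"),
            "spi": int(m.group("spi"), 16),
            "local_proxy": cisco_proxy_to_network(m.group("lproxy")),
            "remote_proxy": cisco_proxy_to_network(m.group("rproxy")),
            "transform": m.group("transform").strip(),
            "mode": m.group("mode"),
            "lifetime_s": int(m.group("secs")),
        })
    return sas


def cross_check(pluto_log, cisco_debug, openswan_subnet, cisco_subnet):
    """Compare both sides' view of the Phase 2 SAs.

    openswan_subnet / cisco_subnet: the leftsubnet/rightsubnet of the Linux
    conn (assumed here; the conn definition is not in the thread).
    """
    out_spi, in_spi = parse_pluto_spis(pluto_log)
    sas = {sa["dir"]: sa for sa in parse_cisco_sas(cisco_debug)}
    if set(sas) != {"INBOUND", "OUTBOUND"}:
        raise ValueError("expected one INBOUND and one OUTBOUND SA in Cisco debug")
    osw = ipaddress.ip_network(openswan_subnet)
    cis = ipaddress.ip_network(cisco_subnet)
    inbound = sas["INBOUND"]
    findings = {
        # What Openswan sends (ESP=>) is what the router receives on its INBOUND SA.
        "spi_out_matches_cisco_in": out_spi == inbound["spi"],
        "spi_in_matches_cisco_out": in_spi == sas["OUTBOUND"]["spi"],
        # The router's local_proxy is its own LAN; remote_proxy is the Openswan LAN.
        "selectors_match_config": inbound["local_proxy"] == cis and inbound["remote_proxy"] == osw,
        "selectors_overlap": osw.overlaps(cis),
        "tunnel_mode": all(sa["mode"] == "Tunnel" for sa in sas.values()),
        # HMAC-MD5 negotiates fine but is a legacy integrity algorithm; prefer SHA.
        "weak_integrity": any("md5" in sa["transform"] for sa in sas.values()),
    }
    findings["ike_consistent"] = (
        findings["spi_out_matches_cisco_in"]
        and findings["spi_in_matches_cisco_out"]
        and findings["selectors_match_config"]
        and findings["tunnel_mode"]
    )
    return findings


if __name__ == "__main__":
    # Subnets taken from the router's proxy identities; assumed to be the conn's config.
    for name, value in cross_check(PLUTO_LOG, CISCO_DEBUG, "192.168.1.96/28", "192.168.1.0/28").items():
        print(f"{name:28s} {value}")
```

If `ike_consistent` is true and traffic still does not flow, look below IKE. With the native 2.6 stack there is no ipsec0 interface: `ip xfrm state` and `ip xfrm policy` show the SAs and selectors the kernel actually installed, ESP (IP protocol 50) and UDP/500 (UDP/4500 if NAT-T is in play) must be allowed through the firewall between the two gateways, and decrypted packets re-enter the INPUT/FORWARD chains on the physical interface carrying their inner 192.168.1.x addresses, so rules written for a KLIPS-style ipsec0 device never match them. On kernels that ship the iptables policy match, `-m policy --dir in --pol ipsec` is the way to accept exactly that decrypted traffic. Separately, `esp-md5-hmac` worked here, but HMAC-MD5 is a legacy integrity choice and the transform set on both sides should move to a SHA-based one when the tunnel is next touched.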

