[Openswan Users] Problems CISCO PIX and OPENSWAN stuck in Phase 2
fs at globalnetit.com
Mon Jun 5 12:35:38 CEST 2006
On Mon, 2006-06-05 at 17:04 +0200, Javier Perez-Griffo wrote:
> config setup
> klipsdebug = all
> plutodebug = all
Usually a bad idea to enable all debugging. Really only useful if you're
developing the code.
Comment these out, then try again and check your system logs, there may
be something helpful there.
> conn lask
> type = tunnel
> left = 192.168.a.c
> leftnexthop = 192.168.a.b
> leftsubnet = c.d.e.f/24
> leftid = c.d.e.f
Probably not what you want. Usually the other end would expect your ID
to be your public IP (192.168.a.c here). (Then again, 192.168.x.x isn't
a public address...)
Hmmm. But I see that the ISAKMP SA is established. So I guess that's not
the problem. So you have a mismatch in your IPsec policies, so the 2
ends can't agree on any proposal.
If you can enable debug crypto isakmp/ipsec on the pix, it should tell
you what it objects to here. Everything in the left/right policy needs
to match. So the pix needs to agree on auth, left/right ID and subnets,
encryption, hash, and PFS.
> right = w.r.y.z
> rightid = w.r.y.z
> ike = 3des-md5-96
> esp = 3des-md5-96
I would suggest removing the esp= line. By using it, you restrict
Openswan to just offering 1 proposal. Without it, it offers several, I
believe. So the pix has more chance of finding one that matches.
> authby = secret
> auth = esp
> spibase = 0x200
What's this for?
> keyexchange = ike
> keylife = 3600
> pfs = no
> auto = add
> include /etc/ipsec.d/examples/no_oe.conf
Andy <fs at globalnetit.com>
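The checks Andy walks through above (debug flood, leftid not matching left, esp= pinning a single Phase 2 proposal), applied mechanically to a config like the one quoted. This is an added example, not code from the thread or from Openswan; the conf text is a constructed sample using the thread's placeholder addresses, and parse_ipsec_conf/review are hypothetical helper names.

```python
# Constructed sample mirroring the quoted config (placeholder addresses kept).
SAMPLE_CONF = """\
config setup
    klipsdebug = all
    plutodebug = all

conn lask
    left = 192.168.a.c
    leftsubnet = c.d.e.f/24
    leftid = c.d.e.f
    right = w.r.y.z
    rightid = w.r.y.z
    ike = 3des-md5-96
    esp = 3des-md5-96
    authby = secret
    pfs = no
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; section headers start in column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():  # e.g. 'config setup' or 'conn lask'
            current = line.strip()
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

def review(sections):
    """Apply the reply's checks; returns a list of (section, finding) pairs."""
    findings = []
    setup = sections.get("config setup", {})
    for key in ("klipsdebug", "plutodebug"):
        if setup.get(key) == "all":
            findings.append(("config setup", f"{key}=all floods the logs; disable"))
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        if "leftid" in conn and conn["leftid"] != conn.get("left"):
            findings.append((name, "leftid differs from left; peer expects the IP as ID"))
        if "esp" in conn:
            findings.append((name, "esp= pins one Phase 2 proposal; remove to offer more"))
    return findings
```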