[Openswan Users] Configuration problems with Cisco and Clavister

Benoit Demiddeleer benoit.demiddeleer at net7.be
Mon Jun 26 14:12:49 CEST 2006


Hello,

I'm trying to set up Openswan, installed on Debian Sarge, as a client for a Cisco firewall and for a Clavister.

Both servers use shared secrets, which are already inserted in the ipsec.secrets file.

Any help will be very much appreciated, as I have been trying to initiate the connection for 2 days now...

So to begin, here is the information the remote admins gave me:

First tunnel (Clavister ver. 8.50):

    VPN address: www.xxx.yyy.zzz
    Connected LAN: 10.10.4.64/26

    IKE settings:
        Encryption method: 3des
        Diffie-Hellman group: 2
        Pre-shared secret: mysecret1
        Hash algorithm: sha1
        IKE keep-alive interval: disabled
        IKE lifetime: 3600

    IPsec settings:
        Encryption method: 3des
        Diffie-Hellman group: 2
        Hash algorithm: sha1-96
        Protocol: ESP
        IPsec lifetime: 3600

Second tunnel (Cisco):

    VPN address: aaa.bbb.ccc.ddd
    Connected LAN: 57.57.0.0/16

    ISAKMP:
        encryption 3des
        hash md5
        authentication pre-share
        lifetime 3600
        Pre-shared secret: mysecret2

    IPSEC:
        transform-set: esp-3des esp-md5-hmac

Here is the information concerning our network:

    VPN client address: ggg.hhh.iii.170
    VPN next hop: ggg.hhh.iii.169
    Connected LAN: 10.1.1.0/24
    Openswan version: Linux Openswan U2.2.0/K2.6.8-2-386 (installed on a Debian Sarge)
    Firewall ports: esp, ah (probably not necessary in this case), udp 500

ipsec.secrets

    ggg.hhh.iii.170 www.xxx.yyy.zzz : PSK "mysecret1"
    ggg.hhh.iii.170 aaa.bbb.ccc.ddd : PSK "mysecret2"

ipsec.conf

    version 2.0     # conforms to second version of ipsec.conf specification

    config setup

    # Disable Opportunistic Encryption
    include /etc/ipsec.d/examples/no_oe.conf

    conn net-to-first
            type=tunnel
            left=ggg.hhh.iii.170
            leftnexthop=ggg.hhh.iii.169
            leftsubnet=10.1.1.0/24
            right=www.xxx.yyy.zzz
            rightsubnet=10.10.4.64/26
            auto=add
            authby=secret
            esp=3des-sha1-96
            keyexchange=ike
            ike=3des-sha1
            pfs=no

    conn net-to-second
            type=tunnel
            left=ggg.hhh.iii.170
            leftnexthop=ggg.hhh.iii.169
            leftsubnet=10.1.1.0/24
            right=aaa.bbb.ccc.ddd
            rightsubnet=57.57.0.0/16
            esp=3des-md5-96
            keyexchange=ike
            authby=secret
            pfs=no
            auto=add

Here is the result I get:

    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
    000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
    000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
    000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
    000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
    000
    000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
    000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
    000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
    000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
    000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
    000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
    000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
    000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
    000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
    000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
    000
    000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,220,36} trans={0,220,336} attrs={0,220,224}
    000
    000 "net-to-first": 10.1.1.0/24===ggg.hhh.iii.170---ggg.hhh.iii.169...www.xxx.yyy.zzz===10.10.4.64/26; unrouted; eroute owner: #0
    000 "net-to-first":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "net-to-first":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,26; interface: eth0;
    000 "net-to-first":   newest ISAKMP SA: #69; newest IPsec SA: #0;
    000 "net-to-first":   IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
    000 "net-to-first":   ESP algorithms wanted: 3_000-2, flags=-strict
    000 "net-to-first":   ESP algorithms loaded: 3_000-2, flags=-strict
    000 "net-to-second": 10.1.1.0/24===ggg.hhh.iii---ggg.hhh.iii...aaa.bbb.ccc.ddd===57.57.0.0/16; unrouted; eroute owner: #0
    000 "net-to-second":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "net-to-second":   policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,16; interface: eth0;
    000 "net-to-second":   newest ISAKMP SA: #0; newest IPsec SA: #0;
    000 "net-to-second":   IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
    000 "net-to-second":   IKE algorithms found:  5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
    000 "net-to-second":   ESP algorithms wanted: 3_000-1, flags=-strict
    000 "net-to-second":   ESP algorithms loaded: 3_000-1, flags=-strict
    000
    000 #112: "net-to-first" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s
    000 #69: "net-to-first" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1447s; newest ISAKMP
    000 #111: "net-to-second" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 9s
    000 #111: pending Phase 2 for "net-to-second" replacing #0
    000 #111: pending Phase 2 for "net-to-second" replacing #0

So I meet different problems with both tunnels, but I am running out of ideas.

Thanks in advance to the people who will help me solve those problems.

Best regards,

Benoît Demiddeleer

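The two state lines at the end of the status output are the part to read first. As an added example (not from the original post and not Openswan code), this Python helper parses `ipsec auto --status` state lines and reports how far each conn got on the IKEv1 initiator side: STATE_MAIN_I3 (sent MI3, expecting MR3) means the phase-1 proposal and key exchange were accepted but the peer never answered the first encrypted message, which in practice points at the pre-shared key or the IDs; STATE_QUICK_I1 (sent QI1, expecting QR1) means phase 1 is up but the phase-2 proposal was refused. It also cross-checks each conn's pfs= against the phase-2 DH group the remote admin listed: the Clavister lists Diffie-Hellman group 2 under its IPsec settings while net-to-first sets pfs=no. The sample status lines and the PEERS table are constructed from the post's own placeholders and SA numbers, and the PEERS key names are this script's, not Openswan options.

```python
"""Triage 'ipsec auto --status' state lines from an Openswan IKEv1 initiator.

Added example for this thread, not code from the original post or from the
Openswan project. It reads the state lines, works out how far each conn got
and cross-checks pfs= against the phase-2 DH group the remote admin listed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the state lines quoted in the post, with the same
# placeholder conn names and SA numbers. Not captured from a live system.
SAMPLE_STATUS = """\
000 #112: "net-to-first" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 8s
000 #69: "net-to-first" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1447s; newest ISAKMP
000 #111: "net-to-second" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 9s
000 #111: pending Phase 2 for "net-to-second" replacing #0
"""

# Per-conn facts taken from the post: what the local conn sets and what the
# remote admin said the peer expects. Key names are this script's own, not
# Openswan options; None means the admin listed no phase-2 DH group.
PEERS = {
    "net-to-first":  {"local_pfs": "no", "peer_phase2_dh_group": 2},
    "net-to-second": {"local_pfs": "no", "peer_phase2_dh_group": None},
}

STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+)')

# States in which the initiator is no longer waiting on the peer for that phase.
ESTABLISHED = {"STATE_MAIN_I4", "STATE_MAIN_R3", "STATE_QUICK_I2", "STATE_QUICK_R2"}

# What a stalled initiator state means and what to check first.
DIAGNOSIS = {
    "STATE_MAIN_I1": "no reply to MI1: peer unreachable, UDP/500 blocked, "
                     "or no acceptable phase-1 proposal (ike=)",
    "STATE_MAIN_I3": "proposal and key exchange accepted but no reply to the "
                     "first encrypted message: check the PSK and the IDs on both ends",
    "STATE_QUICK_I1": "phase 1 is up but the phase-2 proposal was refused: "
                      "check subnets, ESP transform (esp=) and PFS (pfs=)",
}


@dataclass
class ConnStatus:
    conn: str
    states: list = field(default_factory=list)  # (sa_number, state) in output order


def parse_status(text):
    """Group '000 #N: "conn" STATE_...' lines by connection name."""
    result = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # algorithm tables, policy lines, 'pending Phase 2' lines
        conn = m["conn"].strip()
        result.setdefault(conn, ConnStatus(conn)).states.append((int(m["sa"]), m["state"]))
    return result


def stalled_state(cs):
    """State of the newest SA still waiting on the peer, or None if nothing is pending."""
    waiting = [(n, st) for n, st in cs.states if st not in ESTABLISHED]
    return max(waiting)[1] if waiting else None


def triage(text, peers):
    """Map conn name -> (stalled state or None, list of notes)."""
    findings = {}
    for conn, cs in parse_status(text).items():
        st = stalled_state(cs)
        notes = [DIAGNOSIS.get(st, f"stalled in {st}")] if st else ["phase 1 and phase 2 established"]
        p = peers.get(conn, {})
        group = p.get("peer_phase2_dh_group")
        if st == "STATE_QUICK_I1" and p.get("local_pfs") == "no" and group:
            # With pfs=yes Openswan proposes PFS using the phase-1 group
            # (modp1024, i.e. group 2, in this post) unless esp= names another.
            notes.append(f"peer expects phase-2 DH group {group} but the conn sets pfs=no: set pfs=yes")
        findings[conn] = (st, notes)
    return findings


if __name__ == "__main__":
    for conn, (st, notes) in triage(SAMPLE_STATUS, PEERS).items():
        print(f"{conn}: {st or 'ESTABLISHED'}")
        for note in notes:
            print(f"  - {note}")
```

Run against the post's lines it reports net-to-first stuck in STATE_QUICK_I1 with the PFS note, and net-to-second stuck in STATE_MAIN_I3 with the PSK/ID note. The script only reads the status output; confirming the PSK means checking the literal secret and the IDs both ends select (IP address by default) in ipsec.secrets and on the Cisco, and the Clavister side of the PFS question is what the remote admin listed as the IPsec DH group.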