[Openswan Users] Configuration problems with Cisco and Clavister
Paul Wouters
paul at xelerance.com
Mon Jun 26 20:28:03 CEST 2006
On Mon, 26 Jun 2006, Benoit Demiddeleer wrote:
> First Tunnel (Clavister ver. 8.50):
> VPN Address: www.xxx.yyy.zzz <http://www.xxx.yyy.zzz/>
> Connected lan: 10.10.4.64/26
>
> Ike settings:
> Encryption method: 3des
> Diffie-Helman group: 2
> Pre-shared secret: mysecret1
> Hash algorithm: sha1
> Ike Keep alive interval: disabled
> Ike lifetime: 3600
> IPSec Settings:
> Encryption method: 3des
> Diffie-Helman group: 2
> Hash algorithm: sha1-96
> Protocol: ESP
> IPSec Lifetime: 3600
>
> Second Tunnel (Cisco)
> VPN Address: aaa.bbb.ccc.ddd
> Connected lan: 57.57.0.0/16
> ISAKMP
> encryption 3des
> hash md5
> authentication pre-share
> lifetime 3600
> Pre-shared secret: mysecret2
> IPSEC
> transform-set: esp-3des esp-md5-hmac
> conn net-to-first
> type= tunnel
> left= ggg.hhh.iii.170
> leftnexthop= ggg.hhh.iii.169
> leftsubnet= 10.1.1.0/24
> right= www.xxx.yyy.zzz <http://www.xxx.yyy.zzz/>
Be sure that right= only contains the IP address, no weird things like URLs
> rightsubnet= 10.10.4.64/26
> auto= add
> authby= secret
> esp= 3des-sha1-96
> keyexchange=ike
> ike= 3des-sha1
> pfs= no
This seems to correspond with what you claim you need, yet phase 2 fails.
You should check the logs on the other end to see why it is rejecting
the connection.
> conn net-to-second
> type= tunnel
> left= ggg.hhh.iii.170
> leftnexthop= ggg.hhh.iii.169
> leftsubnet= 10.1.1.0/24
> right= aaa.bbb.ccc.ddd
> rightsubnet= 57.57.0.0/16
> esp= 3des-md5-96
> keyexchange= ike
> authby=secret
> pfs= no
> auto= add
Perhaps add ike=3des-md5 here, though it does get past phase 1.
Again, check the other end's log on why it is rejecting connections.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
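The two points Paul raises (a right= value that is not a bare IP, and a conn whose ike= is left unset while the peer expects a specific proposal) are the kind of mismatch a small config check catches before anyone digs through the peer's logs. The script below is an added example and is not part of the thread or of Openswan itself; it parses conn blocks in the loose "key= value" form pasted above, then compares each conn's ike=, esp= and pfs= settings against what the remote administrator reports. Addresses are RFC 5737 documentation ranges (constructed, not the poster's hosts); the peer parameters are the ones quoted in the post; the rule that a DH group listed under the peer's IPsec settings implies PFS on that side is this example's reading of the posted Clavister settings, not a statement from the thread.

```python
import ipaddress

# Constructed ipsec.conf fragment modelled on the two conns in the thread.
# 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation addresses.
# The first conn deliberately carries an auto-linked "<http://...>" suffix
# on right=, the problem Paul points out.
SAMPLE_CONF = """\
conn net-to-first
    type= tunnel
    left= 192.0.2.170
    leftnexthop= 192.0.2.169
    leftsubnet= 10.1.1.0/24
    right= 198.51.100.7 <http://198.51.100.7/>
    rightsubnet= 10.10.4.64/26
    auto= add
    authby= secret
    esp= 3des-sha1-96
    keyexchange=ike
    ike= 3des-sha1
    pfs= no

conn net-to-second
    type= tunnel
    left= 192.0.2.170
    leftnexthop= 192.0.2.169
    leftsubnet= 10.1.1.0/24
    right= 203.0.113.20
    rightsubnet= 57.57.0.0/16
    esp= 3des-md5-96
    keyexchange= ike
    authby=secret
    pfs= no
    auto= add
"""

# What each remote administrator reports (values from the quoted post).
# phase1 = IKE/ISAKMP (enc, hash); phase2 = IPsec ESP (enc, hash);
# phase2_dh = DH group listed under the peer's IPsec settings, or None.
PEERS = {
    "net-to-first":  {"phase1": ("3des", "sha1"), "phase2": ("3des", "sha1"), "phase2_dh": 2},
    "net-to-second": {"phase1": ("3des", "md5"),  "phase2": ("3des", "md5"),  "phase2_dh": None},
}


def parse_ipsec_conf(text):
    """Parse 'conn NAME' blocks into {name: {key: value}}.
    Tolerates the 'key= value' spacing seen in mailing-list pastes."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def split_alg(spec):
    """'3des-sha1-96' or '3des-md5' -> ('3des', 'sha1'); trailing tokens
    such as the truncation length are ignored for the comparison."""
    parts = spec.lower().split("-")
    return parts[0], (parts[1] if len(parts) > 1 else None)


def check_right_is_ip(value):
    """right= must be a bare IP address; anything else (hostname with an
    auto-linked URL, trailing text) is reported."""
    try:
        ipaddress.ip_address(value)
        return None
    except ValueError:
        return f"right= is not a bare IP address: {value!r}"


def check_conn(conn, peer):
    """Return a list of human-readable disagreements between one conn and
    the peer administrator's reported settings (empty list = consistent)."""
    findings = []
    problem = check_right_is_ip(conn.get("right", ""))
    if problem:
        findings.append(problem)

    want1 = "-".join(peer["phase1"])
    if "ike" not in conn:
        findings.append(f"ike= not set; Openswan sends its default proposal, peer expects {want1}")
    elif split_alg(conn["ike"]) != peer["phase1"]:
        findings.append(f"ike={conn['ike']} does not match peer phase 1 {want1}")

    want2 = "-".join(peer["phase2"])
    if "esp" not in conn:
        findings.append(f"esp= not set; peer expects {want2}")
    elif split_alg(conn["esp"]) != peer["phase2"]:
        findings.append(f"esp={conn['esp']} does not match peer phase 2 {want2}")

    # Openswan defaults pfs to yes when the keyword is absent (assumption
    # from the Openswan ipsec.conf defaults); a DH group under the peer's
    # IPsec settings is read here as PFS enabled on that side.
    local_pfs = conn.get("pfs", "yes").lower() == "yes"
    peer_pfs = peer.get("phase2_dh") is not None
    if local_pfs != peer_pfs:
        findings.append(f"pfs mismatch: local pfs={'yes' if local_pfs else 'no'}, "
                        f"peer phase 2 DH group={peer.get('phase2_dh')}")
    return findings


def report(conf_text=SAMPLE_CONF, peers=PEERS):
    """Check every conn that has a matching peer entry; {conn: [findings]}."""
    conns = parse_ipsec_conf(conf_text)
    return {name: check_conn(conns[name], peers[name]) for name in conns if name in peers}


if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run as-is it flags the URL-polluted right= and the pfs/DH-group disagreement on net-to-first, and the missing ike= on net-to-second; the esp= lines of both conns agree with the peers. Feed it the real ipsec.conf and the peer's stated parameters and an empty finding list means the remaining cause is on the other end, which is exactly when its logs are the right place to look.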