[Openswan Users] Configuration problems with Cisco and Clavister
Jim Barber
jim.barber at ddihealth.com
Tue Jun 27 09:20:51 CEST 2006
I recently set up OpenSWAN connections to a Cisco box and a Fortigate
network appliance.
The Cisco and Fortigate boxes could bring up the tunnel okay, but if I
tried to bring the tunnel up it would fail during the Phase 2 part
complaining about a bad proposal.
The debugging logs on the Fortigate were rubbish so I didn't sort the
problem out until I had solved it for the Cisco box.
After looking through debug logs sent to me by the sysadmin of the Cisco
box, I found that it was unhappy with the ESP settings.
When I first got it working I found I could get it running by specifying:
esp=3des-md5-modp1536
And for the Fortigate box it worked when I added:
esp=3des-sha1-modp1536
By default the Linux box was trying to use esp=aes.
So I thought I'd simplify both of them and see what would happen if I
just set:
esp=3des
This worked for both of the boxes, and it correctly negotiated the other
two parameters, so perhaps try that.
Also in my setup, I didn't specify the leftnexthop and rightnexthop values.
Instead I used leftsourceip, specifying the private IP assigned to an
interface on my gateway box that is connected to the network that the
tunnel is connected to.
If that makes sense?
I'll give an example of my connection that links to a Cisco box.
conn cisco
        auto=start
        authby=secret
        compress=yes
        esp=3des
        keyingtries=0
        left=xxx.xxx.xxx.xxx
        leftsourceip=10.128.0.1
        leftsubnet=10.128.0.0/16
        right=yyy.yyy.yyy.yyy
        rightsubnet=10.5.0.0/23
Where the OpenSWAN box has a public IP of xxx.xxx.xxx.xxx and behind it
is a 10.128.0.0/16 network.
10.128.0.1 is bound to the OpenSWAN box itself.
The Cisco box has a public IP address of yyy.yyy.yyy.yyy and behind it
is a 10.5.0.0/23 network.
Note that I have pfs=yes because we enabled that on the Cisco box as
well, but you may still need pfs=no.
Good luck.
----------
Jim Barber
DDI Health
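As an added illustration (not part of this thread or of Openswan itself), here is a small Python model of the Phase 2 proposal matching described above: it expands Openswan-style esp= strings, shows why esp=aes draws a "bad proposal" from a peer that only accepts 3des-md5-modp1536 while plain esp=3des negotiates, and pulls the esp= value out of a conn block like the one above. It assumes (the thread does not state this) that an esp= entry naming only a cipher is offered with both sha1 and md5, and that omitting a modp group places no PFS requirement.

```python
# Added example: model Openswan's esp= proposal expansion and Phase 2 matching.
# Assumptions (not from the thread): a cipher-only entry is offered with both
# sha1 and md5, and a missing modpNNNN group matches any peer group.
DEFAULT_INTEG = ("sha1", "md5")   # assumed offer when esp= names only a cipher


def parse_proposals(spec):
    """'3des-md5-modp1536,aes-sha1-96' -> [(enc, integ, group_or_None), ...]."""
    out = []
    for item in spec.split(","):
        enc, *rest = item.strip().lower().split("-")
        rest = [p for p in rest if not p.isdigit()]       # drop "-96" truncation length
        group = rest.pop() if rest and rest[-1].startswith("modp") else None
        for integ in (tuple(rest) or DEFAULT_INTEG):
            out.append((enc, integ, group))
    return out


def negotiate(our_spec, peer_spec):
    """First of our proposals the peer accepts, or None (the 'bad proposal' case)."""
    for enc, integ, grp in parse_proposals(our_spec):
        for penc, pinteg, pgrp in parse_proposals(peer_spec):
            group_ok = grp is None or pgrp is None or grp == pgrp
            if enc == penc and integ == pinteg and group_ok:
                return (enc, integ, pgrp or grp)
    return None


def conn_params(conf_text, name):
    """Return the key=value parameters of one conn section of an ipsec.conf."""
    params, active = {}, False
    for line in conf_text.splitlines():
        stripped = line.strip()
        if line and not line[0].isspace():                # column-1 text starts a section
            parts = stripped.split(None, 1)
            active = parts[0] == "conn" and len(parts) > 1 and parts[1] == name
        elif active and "=" in stripped and not stripped.startswith("#"):
            key, _, val = stripped.partition("=")
            params[key.strip()] = val.strip()
    return params


# Constructed sample conn, modelled on the one shown above (documentation addresses).
SAMPLE_CONF = """\
conn cisco
        esp=3des
        left=192.0.2.1
        leftsubnet=10.128.0.0/16
        right=198.51.100.1
        rightsubnet=10.5.0.0/23
"""
```

Calling negotiate("aes", "3des-md5-modp1536") returns None, while negotiate(conn_params(SAMPLE_CONF, "cisco")["esp"], "3des-md5-modp1536") returns ("3des", "md5", "modp1536").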
Benoit Demiddeleer wrote:
>
> Hello,
>
> I’m trying to setup Openswan installed on Debian Sarge as client for a
> Cisco firewall and for a Clavister.
>
> Both servers are using shared secrets which are already inserted in
> the ipsec.secrets file.
>
> Any help will be very appreciated as I’m trying to initiate the
> connection for 2 days now…
>
> Ipsec.conf
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> config setup
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> conn net-to-first
>         type=tunnel
>         left=ggg.hhh.iii.170
>         leftnexthop=ggg.hhh.iii.169
>         leftsubnet=10.1.1.0/24
>         right=www.xxx.yyy.zzz
>         rightsubnet=10.10.4.64/26
>         auto=add
>         authby=secret
>         esp=3des-sha1-96
>         keyexchange=ike
>         ike=3des-sha1
>         pfs=no
>
> conn net-to-second
>         type=tunnel
>         left=ggg.hhh.iii.170
>         leftnexthop=ggg.hhh.iii.169
>         leftsubnet=10.1.1.0/24
>         right=aaa.bbb.ccc.ddd
>         rightsubnet=57.57.0.0/16
>         esp=3des-md5-96
>         keyexchange=ike
>         authby=secret
>         pfs=no
>         auto=add
>
> So I meet different problems with both tunnels, but I'm running out of ideas.
>
> Thanks in advance to the people who will help me solve those problems.
>
> Best regards,
>
> Benoît Demiddeleer
>