[Openswan Users] Configuration problems with Cisco and Clavister

Jim Barber jim.barber at ddihealth.com
Tue Jun 27 09:22:39 CEST 2006


Sorry, my stupid email client messed up all my indentation...
I'll try re-indenting it.

----------------

I recently set up OpenSWAN connections to a Cisco box and a Fortigate network appliance.
The Cisco and Fortigate boxes could bring up the tunnel okay, but if I tried to bring the tunnel up it would fail during the Phase 2 part complaining about a bad proposal.
The debugging logs on the Fortigate were rubbish so I didn't sort the problem out until I had solved it for the Cisco box.
After looking through debug logs sent to me by the sysadmin of the Cisco box, I found that it was unhappy with the ESP settings.

When I first got it working I found I could get it running by specifying:

	esp=3des-md5-modp1536

And for the Fortigate box it worked when I added:

	esp=3des-sha1-modp1536

By default the Linux box was trying to use esp=aes.

So I thought I'd simplify both of them and see what would happen if I just set:

	esp=3des

This worked for both of the boxes, and it correctly negotiated the other two parameters, so perhaps try that.

Also in my setup, I didn't specify the leftnexthop and rightnexthop values.
Instead I used leftsourceip, specifying the private IP assigned to an interface on my gateway box that is connected to the network that the tunnel is connected to.
If that makes sense?

I'll give an example of my connection that links to a Cisco box.

conn cisco
	auto=start
	authby=secret              # pre-shared key
	compress=yes
	esp=3des                   # let the peer pick hash and DH group
	keyingtries=0              # retry forever
	left=xxx.xxx.xxx.xxx       # public IP of the OpenSWAN box
	leftsourceip=10.128.0.1    # private IP on the gateway itself, used instead of leftnexthop
	leftsubnet=10.128.0.0/16
	right=yyy.yyy.yyy.yyy      # public IP of the Cisco box
	rightsubnet=10.5.0.0/23

Where the OpenSWAN box has a public IP of xxx.xxx.xxx.xxx and behind it is a 10.128.0.0/16 network.
10.128.0.1 is bound to the OpenSWAN box itself.
The Cisco box has a public IP address of yyy.yyy.yyy.yyy and behind it is a 10.5.0.0/23 network.

Note that I have pfs=yes because we enabled that on the Cisco box as well, but you may still need pfs=no.

Good luck.

----------
Jim Barber
DDI Health
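A small config audit for the esp= proposals discussed in this thread, added here as an example and not the poster's own code or part of Openswan: it parses a conn block in the layout shown above (a constructed sample with placeholder addresses) and flags 3DES, MD5 and DH groups under 2048 bits, a threshold that is this example's own assumption.

```python
import re
# Constructed sample ipsec.conf, modelled on the conn block in the post above
# (placeholder public addresses; not the poster's real configuration).
SAMPLE_CONF = """\
conn cisco
\tauthby=secret
\tesp=3des-md5-modp1536
\tleft=192.0.2.1
\tleftsourceip=10.128.0.1
\tleftsubnet=10.128.0.0/16
\tright=198.51.100.1
\trightsubnet=10.5.0.0/23
"""
# Audit policy (assumption: the example's own, not Openswan's).
LEGACY = {"cipher": {"3des", "des", "null"}, "hash": {"md5"}}
MIN_MODP_BITS = 2048

def parse_conns(text):
    """Parse 'conn NAME' sections of an ipsec.conf into {name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: section header
            m = re.match(r"conn\s+(\S+)$", line.strip())
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
        elif current and "=" in line:               # indented: key=value
            key, val = line.strip().split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns

def parse_esp(proposal):
    """Split one 'cipher[-hash[-modpN]]' proposal, as written in the post."""
    parts = proposal.split("-") + [None, None]
    return {"cipher": parts[0], "hash": parts[1], "group": parts[2]}

def audit_conn(conn):
    """Return findings for legacy ESP algorithms in one parsed conn."""
    findings = []
    for proposal in filter(None, conn.get("esp", "").replace(" ", "").split(",")):
        p = parse_esp(proposal)
        if p["cipher"] in LEGACY["cipher"]:
            findings.append("legacy cipher: " + p["cipher"])
        if p["hash"] in LEGACY["hash"]:
            findings.append("legacy integrity: " + p["hash"])
        m = re.match(r"modp(\d+)$", p["group"] or "")
        if m and int(m.group(1)) < MIN_MODP_BITS:
            findings.append("DH group below %d bits: %s" % (MIN_MODP_BITS, p["group"]))
    return findings
```

Run `audit_conn(parse_conns(SAMPLE_CONF)["cisco"])` to see all three findings for the 3des-md5-modp1536 proposal; a bare esp=3des still trips the cipher check, which is the point of auditing rather than relying on whatever the peer negotiates.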

