[Openswan Users] Openswan 2.3.1 vs Cisco 3000

Darren Ellis darren at ieworks.net
Tue Mar 21 14:41:25 CET 2006 

Hello,

We have a tunnel from Openswan 2.3.1 to a Cisco 3000 concentrator.  When 
we try to initiate the connection, we get as far as:

root at Clarklabs:/etc/ipsec.d# ipsec auto --up cisco
104 "cisco" #1: STATE_MAIN_I1: initiate
003 "cisco" #1: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
003 "cisco" #1: ignoring unknown Vendor ID payload 
[4048b7d56ebce88525e7de7f00d6c2d3c0000000]
106 "cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cisco" #1: received Vendor ID payload [Cisco-Unity]
003 "cisco" #1: received Vendor ID payload [XAUTH]
003 "cisco" #1: ignoring unknown Vendor ID payload 
[c9abd75250455d00a0c855fec79c5eac]
003 "cisco" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "cisco" #1: NAT-Traversal: Result using 
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "cisco" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]
004 "cisco" #1: STATE_MAIN_I4: ISAKMP SA established
117 "cisco" #2: STATE_QUICK_I1: initiate

The connection will not get beyond this point when we initiate.  When 
they initiate, it seems to work properly.  They, however, aren't always 
easy to reach, so we'd like to be able to restore the tunnel without 
involving the other end.  Below is my config, edited to protect the guilty.

Thanks.

Darren


# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=all
        uniqueids=yes
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16

conn %default
        authby=secret
        left=x.x.x.x
        leftnexthop=%defaultroute
        leftsubnet=x.x.x.x
        keyingtries=5
        pfs=no

# Add connections here.

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn cisco-old
        left=x.x.x.x
        leftnexthop=x.x.x.x
        leftsubnet=x.x.x.x/25
        right=x.x.x.x
        rightnexthop=x.x.x.x
        rightsubnet=x.x.x.x/16
        authby=secret
        keyexchange=ike
        keyingtries=0
        ikelifetime=8h
        pfs=yes
        #auto=add

conn cisco
        right=x.x.x.x
        rightnexthop=x.x.x.x
        rightsubnet=x.x.x.x./16
        keyexchange=ike
        ikelifetime=24h
        keyingtries=0
        pfs=no
        auto=add

More information about the Users mailing list