[Openswan Users] openSWAN to Cisco IOS

Christian Brechbühler brechbuehler at gmail.com
Tue Nov 14 13:53:49 EST 2006


I really appreciate all your help.

On Tue, 14 Nov 2006, I wrote:

> trying to connect to a Cisco (no idea what model), we get to this:
> Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode
> PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
> Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type
> NO_PROPOSAL_CHOSEN
>
> The owner of the Cisco thing tells us that Cisco doesn't like quick mode,
> and that we have to disable quick mode in openswan.
>
> Does this sound right?  And if yes, how would I do it?

On 11/14/06, Paul Wouters <paul at xelerance.com> wrote:
>
> Ask the cisco person for the following:
>
> Mode (main or aggressive)
> PFS (yes or no)
> Phase 1 (3des/aes md5/sha1)
> Phase 2 (3des/aes md5/sha1)
> modp (aka Diffie-Hellman) group
> src/dst (aka left/right) type and value of IDs (IP, string, X.509 DN)
> subnets for src/dst (aka left/right)


Re Mode: We're using main mode, and get through all 4 states, up to

> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>
And then to I1.
I'd assume the main mode is right -- could it still be "aggressive" instead?

Still trying to get the other params...


On 11/14/06, Andy Gay <andy at andynet.net> wrote:
>
> > Does this sound right?
> No. Quick mode is also called phase 2, it's where the IPsec SA gets set
> up.


That's what I suspected.

> As with the previous poster, you evidently have a mismatch with your
> phase 2 parameters. Check that everything matches.


OK.


On 11/14/06, Peter McGill <petermcgill at goco.net> wrote:

> You obviously have your authentication (phase 1/main mode) configuration
> alright, now you need to match your encryption/tunnel/ipsec/phase 2/quick
> mode configurations.
> If you have an ike= line in your openswan conf, try adding a similar esp=
> line.
> For example,
> if ike=3des-sha1-modp1024
> set esp=3des-sha1
> The real problem is the "NO_PROPOSAL_CHOSEN" which means you're
> not agreeing on what encryption method to use.
> What does your ISAKMP SA established log line say?
> Use the same encryption method in your esp line.


From that log line (quoted above) I get

   - auth=OAKLEY_PRESHARED_KEY
   - cipher=oakley_3des_cbc_192
   - prf=oakley_sha
   - group=modp1024

There's no ike line (I don't think openswan 2.4.4 supports it). I tried
adding esp=3des-sha1, but with no luck (still stalls at STATE_QUICK_I1).
What should it be?

Thanks again,
/Christian
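The triage that Andy and Peter describe, as an added example that is not part of this thread or of Openswan itself: a small script that reads pluto log lines, checks whether the NO_PROPOSAL_CHOSEN notification arrived after the ISAKMP SA was established for that conn (so phase 1 is fine and the mismatch is in quick mode), and turns the established phase 1 parameters into ike= and esp= values that reuse the same cipher and hash. The mapping from pluto's OAKLEY transform names to ipsec.conf keywords, the conn_snippet helper and the 11:09:02 timestamp on the first sample line are assumptions; the sample log is constructed from the lines quoted in the thread.

```python
import re

# Assumed mapping from pluto's OAKLEY transform names (as printed in the
# "ISAKMP SA established" line) to the keyword syntax of ike=/esp= lines.
CIPHER_KEYWORDS = {"oakley_3des_cbc": "3des", "oakley_aes_cbc": "aes"}
HASH_KEYWORDS = {"oakley_sha": "sha1", "oakley_md5": "md5"}

ESTABLISHED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?:STATE_\w+: )?ISAKMP SA established '
    r'\{(?P<params>[^}]*)\}'
)

# Constructed sample log, assembled from the lines quoted in the thread
# (wrapped lines joined back together; the first timestamp is made up).
SAMPLE_LOG = [
    'Nov 14 11:09:02 [pluto] "NYC" #5: STATE_MAIN_I4: ISAKMP SA established '
    '{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}',
    'Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode '
    'PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}',
    'Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
]


def parse_isakmp_established(line):
    """Return the phase 1 parameters from an 'ISAKMP SA established' line, or None."""
    m = ESTABLISHED_RE.search(line)
    if not m:
        return None
    params = {"conn": m.group("conn"), "sa": int(m.group("sa"))}
    for item in m.group("params").split():
        key, _, value = item.partition("=")
        params[key] = value
    return params


def cipher_keyword(oakley_name):
    """Translate e.g. oakley_3des_cbc_192 -> 3des, oakley_aes_cbc_128 -> aes128."""
    m = re.fullmatch(r"(?P<alg>oakley_[a-z0-9]+_cbc)_(?P<bits>\d+)", oakley_name)
    if not m or m.group("alg") not in CIPHER_KEYWORDS:
        raise ValueError(f"unknown cipher transform: {oakley_name}")
    alg = CIPHER_KEYWORDS[m.group("alg")]
    # 3DES always uses a 192-bit key, so its keyword carries no key length;
    # for AES the key length is part of the keyword.
    return alg if alg == "3des" else f"{alg}{m.group('bits')}"


def ike_proposal(params):
    """ike= value matching the negotiated phase 1 SA (cipher-hash-group)."""
    return "-".join([cipher_keyword(params["cipher"]),
                     HASH_KEYWORDS[params["prf"]],
                     params["group"]])


def esp_proposal(params):
    """esp= value that reuses the phase 1 cipher and hash, as suggested in the thread."""
    return f"{cipher_keyword(params['cipher'])}-{HASH_KEYWORDS[params['prf']]}"


def classify_proposal_failure(log_lines):
    """Tell whether NO_PROPOSAL_CHOSEN arrived in phase 1 or phase 2.

    If an ISAKMP SA was already established for the conn, phase 1 succeeded
    and the mismatch is in the quick mode parameters (ESP cipher/hash, PFS
    and its group, or the subnets/IDs being proposed).
    """
    established = set()
    for line in log_lines:
        params = parse_isakmp_established(line)
        if params:
            established.add(params["conn"])
            continue
        if "NO_PROPOSAL_CHOSEN" in line:
            m = re.search(r'"(?P<conn>[^"]+)"', line)
            conn = m.group("conn") if m else None
            return "phase2" if conn in established else "phase1"
    return None


def conn_snippet(params, pfs=True):
    """ipsec.conf lines for the conn, derived from the established phase 1 SA (assumed helper)."""
    lines = [f"conn {params['conn']}",
             f"    ike={ike_proposal(params)}",
             f"    esp={esp_proposal(params)}",
             f"    pfs={'yes' if pfs else 'no'}"]
    if params.get("auth") == "OAKLEY_PRESHARED_KEY":
        lines.append("    authby=secret")
    return "\n".join(lines)


if __name__ == "__main__":
    phase1 = parse_isakmp_established(SAMPLE_LOG[0])
    print("failure in:", classify_proposal_failure(SAMPLE_LOG))
    print(conn_snippet(phase1))
```

The generated esp= line is only a starting point: when the peer still rejects the quick mode proposal, the remaining knobs on that side are exactly the ones Paul listed, whether PFS is on and with which group, and which subnets and IDs each side proposes, so those are what to compare with the Cisco administrator next.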