[Openswan Users] openSWAN to Cisco IOS

Peter McGill petermcgill at goco.net
Tue Nov 14 14:16:13 EST 2006 

> > trying to connect to a Cisco (no idea what model), we get to this:
> > Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
> > Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type NO_PROPOSAL_CHOSEN
> >
> > The owner of the Cisco thing tell us that cisco doesn't like quick mode, and
> > that we have to disable quick mode in openswan.
> >
> > Does this sound right?  And if yes, how would I do it?

> On 11/14/06, Paul Wouters < paul at xelerance.com> wrote:
> Ask the cisco person for the following:

> Mode (main or aggressive)
> PFS (yes or no)
> Phase 1 (3des/aes md5/sh1)
> Phase 2 (3des/aes md5/sh1)
> modp (aka DiffieHellman) group
> src/dst (aka left/right) type and value of ID's (IP, string, X.509 DN)
> subnets for srd/st (aka left/right)

> Re Mode: We're using main mode, and get through all 4 states, up to

> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}

> And then to I1.
> I'd assume the main mode is right -- could it still be "aggressive" instead?

Main mode connects so it is probably correct, I'd stay away from aggressive mode.

> Still trying to get the other params...

> > What does your ISAKMP SA established log line say?
> > Use the same encryption method in your esp line.

>  From that log line (quoted above) I get

> auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192
> prf=oakley_sha
> group=modp1024
> There's no ike line (I don't think openswan 2.4.4 supports it). I tried adding esp=3des-sha1, but with no luck (still stalls at 
> STATE_QUICK_I1).  What should it be?

It supports it, but it's usually unnecessary, without it openswan just accepts/trys anything.
Sometimes though other vendors only listen to the first suggestion so the ike and esp settings become important.
Above is equivalent to:
    ike=3des-sha1-modp1024
You'd expect phase 2 to use the same like this
    esp=3des-sha1
But that obviosly isn't working if you tried it, so the cisco must have different options for the different phases'
that's highly irregular, his/her setup might be incorrect or they might not know what their doing.
Either way, you still need to aggree on a phase 2 connect method as suggested by Paul and Andy as well.

Peter

More information about the Users mailing list