[Openswan Users] Reply: Re: openSWAN to Cisco IOS

frank.mayer at knapp.com frank.mayer at knapp.com
Tue Nov 14 13:56:48 EST 2006


Hello,

the suggestion below to use the same encryption/authentication settings 
for esp as for isakmp can be helpful but is anything but guaranteed to 
work.
Do ask the Cisco-admin for the "transform-set" to be used, since this 
describes the settings you should enter at "esp=".

Cisco IOS does (at least on routers, I don't know about PIX and the like) 
define different "transform sets" to be used for the different peers.
The admin should give you the transform-set definition that he/she's 
defined to be used for your tunnel.
Example:
        crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
would define to use triple des for encryption, sha-1 for authentication, 
and no compression.
Also be aware of the fact that Cisco IOS (again: on routers) can define a 
different DH-group for pfs than for ISAKMP, and also does define by 
default esp keylife in both seconds and kilobytes (rather large value)! 
I did not yet find a way to not "undefine" that lifetime in kilobytes, as 
I on the other hand did not yet find a way to define both lifetimes in 
OpenS/Wan - maybe I did not read the whole of the documentation?

If need be, you can mail me for translation between Cisco-IOS- and 
OpenS/Wan settings: I do administer both variants.

Best Regards,

Frank Mayer
UNIX Systems Administration / Network Administration
KNAPP Systemintegration GmbH

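As an added example (not part of Frank's message or anything shipped with Openswan or IOS), a small Python helper that turns an IOS "crypto ipsec transform-set" line like the one above into the matching Openswan esp= value, flags compression, and refuses transforms it does not know. The keyword mapping is an assumption drawn from the two syntaxes; check it against the IOS and Openswan manuals for the versions in use.

```python
# Cisco IOS transform-set keywords -> Openswan esp= algorithm names.
# Assumed mapping; verify against your IOS and Openswan documentation.
ENCRYPTION = {"esp-des": "des", "esp-3des": "3des"}
AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
COMPRESSION = {"comp-lzs"}


def transform_set_to_esp(line):
    """Parse 'crypto ipsec transform-set NAME <transform ...>' and return
    (name, esp_value, compress). Raises ValueError on unknown transforms or
    when encryption or authentication is missing, rather than guessing."""
    tokens = line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 5:
        raise ValueError("not a transform-set line: %r" % line)
    name, transforms = tokens[3], tokens[4:]
    enc = auth = None
    compress = False
    i = 0
    while i < len(transforms):
        tok = transforms[i]
        if tok == "esp-aes":
            # IOS writes the AES key size as a separate token ("esp-aes 256");
            # without one the size is 128.
            size = "128"
            if i + 1 < len(transforms) and transforms[i + 1].isdigit():
                size = transforms[i + 1]
                i += 1
            enc = "aes" + size
        elif tok in ENCRYPTION:
            enc = ENCRYPTION[tok]
        elif tok in AUTH:
            auth = AUTH[tok]
        elif tok in COMPRESSION:
            compress = True
        else:
            raise ValueError("unsupported transform %r" % tok)
        i += 1
    if enc is None or auth is None:
        raise ValueError("transform-set needs both encryption and authentication")
    return name, "%s-%s" % (enc, auth), compress


if __name__ == "__main__":
    # Constructed sample: the transform-set from the message above.
    print(transform_set_to_esp(
        "crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac"))
```

The returned esp value goes on the conn's esp= line; a True compress flag means the Cisco side expects IPComp, which must be matched separately.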
users-bounces at openswan.org wrote on 14.11.2006 18:36:05:

> > Similar problem here: trying to connect to a Cisco (no idea what model), we get to this:
> > Nov 14 11:09:03 [pluto] "NYC" #6: initiating Quick Mode
> > PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#5}
> > Nov 14 11:09:03 [pluto] "NYC" #5: ignoring informational payload, type
> > NO_PROPOSAL_CHOSEN
> 
> > The owner of the Cisco thing tell us that cisco doesn't like quickmode, and that we have to disable quick mode in openswan.
> 
> I believe your Cisco owner is mistaken, as far as I know, all IPSec uses
> Quick Mode, although Cisco might not refer to it by that name.
> You obviously have your authentication (phase 1/main mode) configuration
> alright, now you need to match your encryption/tunnel/ipsec/phase 2/quick mode configurations.
> if you have an ike= line in your openswan conf, try adding a similar esp= line.
> For example,
> if ike=3des-sha1-modp1024
> set esp=3des-sha1
> The real problem is the "NO_PROPOSAL_CHOSEN" which means you're
> not agreeing on what encryption method to use.
> What does your ISAKMP SA established log line say?
> Use the same encryption method in your esp line.
> 
> Peter McGill
> Software Developer / Network Administrator
> Gra Ham Energy Limited
