[Openswan Users] openSWAN to Cisco IOS
Christian Brechbühler
brechbuehler at gmail.com
Wed Nov 15 10:26:45 EST 2006
On 11/14/06, Peter McGill <petermcgill at goco.net> wrote:
>
> Main mode connects so it is probably correct, I'd stay away from
> aggressive mode.
OK.
> > There's no ike line (I don't think openswan 2.4.4 supports it). I tried
> > adding esp=3des-sha1, but with no luck (still stalls at
> > STATE_QUICK_I1). What should it be?
>
> It supports it, but it's usually unnecessary, without it openswan just
> accepts/tries anything.
> Sometimes though other vendors only listen to the first suggestion so the
> ike and esp settings become important.
> Above is equivalent to:
> ike=3des-sha1-modp1024
> You'd expect phase 2 to use the same like this
> esp=3des-sha1
> But that obviously isn't working if you tried it, so the cisco must have
> different options for the different phases;
> that's highly irregular, his/her setup might be incorrect or they might
> not know what they're doing.
> Either way, you still need to agree on a phase 2 connect method as
> suggested by Paul and Andy as well.
That esp seems right after all. To summarize what I wrote to Frank Mayer:
they instructed us to set it up as follows,
left=Our_public_IP
leftsubnet=192.168.232.0/24
leftnexthop=%defaultroute
right=Their_public_IP
rightsubnet=10.14.8.0/29
rightnexthop=%defaultroute
On a hunch I changed leftsubnet to 192.168.232.10/32 -- and BINGO! IPsec SA
established. So Openswan seems happy, although no packets go through. I
suspect now it's a routing/firewalling issue.
I'm particularly confused about the meaning and use of the nexthop
parameters.
/Christian
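The leftsubnet change above is a Phase 2 traffic-selector (proxy ID) issue: Quick Mode stalls in STATE_QUICK_I1 when the responder has no policy covering the subnets the initiator proposes. The following is an added example, not code from the thread or from Openswan, that parses the conn lines from the post and compares the selectors they produce with the selectors the Cisco side is assumed to be configured for (the single host 192.168.232.10 and 10.14.8.0/29, inferred from the /32 that finally worked); the public IPs are constructed placeholders, and treating a narrower proposal as "covered" is an assumption about the responder's matching rule, not a statement about IOS.

```python
from ipaddress import ip_network
from typing import Dict, Tuple

# Constructed sample: the conn from the thread with placeholder public IPs.
CONN_AS_INSTRUCTED = """
conn cisco
    left=203.0.113.10
    leftsubnet=192.168.232.0/24
    leftnexthop=%defaultroute
    right=198.51.100.20
    rightsubnet=10.14.8.0/29
    rightnexthop=%defaultroute
"""

# Assumed peer policy (our side, their side): the Cisco crypto ACL is taken to
# name the single host 192.168.232.10, matching the /32 that established the SA.
PEER_POLICY = (ip_network("192.168.232.10/32"), ip_network("10.14.8.0/29"))


def parse_conn(text: str) -> Dict[str, str]:
    """Minimal ipsec.conf parser: key=value lines under one 'conn' header."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def proposed_selectors(conn: Dict[str, str]) -> Tuple:
    """Phase 2 selectors the conn proposes: leftsubnet/rightsubnet, or the
    endpoint address itself (a /32) when a side has no *subnet= line."""
    left = ip_network(conn.get("leftsubnet", conn["left"]), strict=False)
    right = ip_network(conn.get("rightsubnet", conn["right"]), strict=False)
    return left, right


def selector_match(proposed: Tuple, peer_policy: Tuple) -> str:
    """Classify our proposal against the peer's policy; both tuples are
    ordered (our side, their side) so they compare element by element."""
    ours, theirs = proposed
    peer_ours, peer_theirs = peer_policy
    if ours == peer_ours and theirs == peer_theirs:
        return "exact"
    if ours.subnet_of(peer_ours) and theirs.subnet_of(peer_theirs):
        return "narrower"   # covered by peer policy; acceptance is peer-dependent
    return "mismatch"       # no peer policy covers this proposal: Quick Mode stalls
```

Run with the conn as instructed and the result is "mismatch"; replacing leftsubnet with 192.168.232.10/32 gives "exact", which is the change that made the IPsec SA come up in the post.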