[Openswan Users] Antwort: Re: openSWAN to Cisco IOS

Frank.Mayer at knapp-systems.com Frank.Mayer at knapp-systems.com
Wed Nov 15 11:34:41 EST 2006 

Hi again,

try setting 
        leftnexthop=<ip address of your default gw>

It's just that OpenS/WAN sometimes seems to be unable to figure out 
routing correctly if you're using "%defaultroute".

OpenS/WAN usually adds a kernel route if you're starting a tunnel like
        route add <rightsubnet> gw <leftnexthop>, 
if you are "left", or
        route add <leftsubnet> gw <rightnexthop>,
if you are "right".
Usually, you need only one of them.
What might be contraproductive in your case (not sure, but on a hunch) is 
that you define both "leftnexthop" and "rightnexthop" to be your default 
gateway. 
If I was in your place, I'd define only leftnexthop.

Best Regards,

Frank Mayer
Team Manager Systems Engineering
UNIX Systems Administration, Network Administration
----------------------------------------------------
KNAPP Systemintegration GmbH
Waltenbachstrasse 9
8700 Leoben, Austria
----------------------------------------------------
Phone: +43 3842 805-921
Fax: +43 3842 82930-921
frank.mayer at knapp.com
www.knapp.com




"Christian Brechbühler" <brechbuehler at gmail.com> 
15.11.2006 16:26

An
"Peter McGill" <petermcgill at goco.net>
Kopie
users at openswan.org, frank.mayer at knapp.com
Thema
Re: openSWAN to Cisco IOS






On 11/14/06, Peter McGill <petermcgill at goco.net> wrote:
Main mode connects so it is probably correct, I'd stay away from 
aggressive mode.

OK. 

> There's no ike line (I don't think openswan 2.4.4 supports it). I tried 
adding esp=3des-sha1, but with no luck (still stalls at
> STATE_QUICK_I1).  What should it be?

It supports it, but it's usually unnecessary, without it openswan just 
accepts/trys anything.
Sometimes though other vendors only listen to the first suggestion so the 
ike and esp settings become important. 
Above is equivalent to:
    ike=3des-sha1-modp1024
You'd expect phase 2 to use the same like this
    esp=3des-sha1
But that obviosly isn't working if you tried it, so the cisco must have 
different options for the different phases' 
that's highly irregular, his/her setup might be incorrect or they might 
not know what their doing.
Either way, you still need to aggree on a phase 2 connect method as 
suggested by Paul and Andy as well.

That esp seems right after all.  To summarize what I wrote to Frank Mayer,
 
They instructed us to set it up as follows,
    left=Our_public_IP
    leftsubnet=192.168.232.0/24
    leftnexthop=%defaultroute
    right=Their_public_IP
    rightsubnet=10.14.8.0/29
    rightnexthop=%defaultroute

On a hunch I changed leftsubnet to 192.168.232.10/32 -- and BINGO! IPsec 
SA established.  So Openswan seems happy, although no packets go through. 
I suspect now it's a routing/firewalling issue.

I'm particulary confused about the meaning and use of the nexthop 
parameters.

/Christian

More information about the Users mailing list