[Openswan Users] [NEWBIE] Help needed - Openswan 2.2 - Sarge 2.4.27 <-> Cisco Pix
Mathieu Chappuis
mathieu.chappuis.lists at gmail.com
Fri Nov 24 03:44:13 EST 2006
Dears,
Would you help me? I can't get a working tunnel using Openswan 2.2 talking to a Cisco PIX.
The PIX works with other setups/routers, i.e. Zyxel Prestige, for other tunnels. (I am not substituting Openswan for a working Zyxel.)
My Openswan router runs Debian Sarge 2.4.27, Openswan IPsec U2.2.0/K2.4.27-1-386.
The route is as follows:
Lan (192.138.27.0/24) -- Debian Openswan (213.1.2.3) ..... (81.4.5.6 Pix) -- (172.16.15.2 Http Server)
I've poked around with various changes in my ipsec.conf, with no luck; I always get this error:
packet from 81.4.5.6:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
That's my first Openswan setup; I know there are now billions of possible misconfigurations, so any advice is appreciated.
If you don't want to read and diagnose the config files below, I have some background questions.
My Linux box is on DSL, and the %defaultroute is detected as the P-t-P in the ifconfig output.
ppp0 Link encap:Point-to-Point Protocol
inet addr:213.1.2.3 P-t-P:62.4.16.248 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
Is this address (62.4.16.248) to be used as the leftnexthop? I've tried it for my side, without result.
But what about the other side, 81.4.5.6? Is the provider's router IP to be indicated as rightnexthop?
For now I use this remote address as direct.
To define the remote LAN, on a previous setup with the Zyxel I used SINGLE ADDRESS, not a range.
If I remember right, that was not working with a /32. I got an error with Openswan if I use a single address, rightsubnet=172.16.15.2.
Here are some of my setup files:
IPSEC.CONF (values commented out have also been tried)
--------------------------------------------------
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=none
        myid=213.1.2.3

conn vpn
        type=tunnel
        left=213.1.2.3
        leftsubnet=192.168.27.0/24   # Defined as DONALD on pix side.
        right=81.4.5.6
        rightsubnet=172.16.15.2/32
        esp=3des-sha1-1024           # Also tried with 3des-sha1
        keyexchange=ike
        # keylife=1d
        authby=secret
        pfs=no                       # yes
        auto=add
        # spi=0x0
IPSEC.SECRETS
---------------
213.1.2.3 81.4.5.6: PSK "foobar"
PIX SETUP (only the relevant options)
--------------------------------------
PIX Version 6.2(2)
name 172.16.15.2 MyHTTPSERVER
name 192.168.27.0 DONALD
access-list inside_access_in permit tcp host MyHTTPSERVER gt 1023 DONALD 255.255.255.0 object-group standard-tcp
access-list inside_access_in permit udp host MyHTTPSERVER gt 1023 DONALD 255.255.255.0 object-group standard-udp
access-list inside_access_in permit ip 172.16.15.0 255.255.255.0 DONALD 255.255.255.0
access-list inside_nat0_outbound permit ip host MyHTTPSERVER DONALD 255.255.255.0
access-list outside_cryptomap_25 permit ip host MyHTTPSERVER DONALD 255.255.255.0
ip address outside 81.4.5.6 255.255.255.248
ip address inside 172.16.15.248 255.255.255.0
pdm location MyHTTPSERVER 255.255.255.255 inside
pdm location DONALD 255.255.255.0 outside
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto map outside_map 25 ipsec-isakmp
crypto map outside_map 25 match address outside_cryptomap_25
crypto map outside_map 25 set peer 213.1.2.3
crypto map outside_map 25 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 213.1.2.3 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
NETFILTER (I'm using Shorewall)
-----------------------------
-A fw2net -d 81.4.5.6 -p esp -j ACCEPT
-A fw2net -d 81.4.5.6 -p ah -j ACCEPT
-A fw2net -d 81.4.5.6 -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
-A net2fw -s 81.4.5.6 -p esp -j ACCEPT
-A net2fw -s 81.4.5.6 -p ah -j ACCEPT
-A net2fw -s 81.4.5.6 -p udp -m udp --dport 500 -m state --state NEW -j ACCEPT
Many thanks for your help.
Ciao'
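Added example, not from the original post or from the Openswan project: a small Python checker that takes the proposal-relevant lines from the two config fragments above and reports whether the Openswan side and the PIX side share an IKE (phase 1) and an ESP (phase 2) proposal, which is the comparison each peer makes before it answers NO_PROPOSAL_CHOSEN. The Openswan default IKE proposal list (no ike= line in the conn) and the PIX default DH group are assumptions, marked in the code.

```python
import re

# Constructed from the post's two config fragments: only the proposal-relevant lines.
OPENSWAN_CONN = "esp=3des-sha1-1024\npfs=no\n"
PIX_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 25 set transform-set ESP-3DES-SHA
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""

# ASSUMPTION: an Openswan 2.2 conn without an ike= line offers 3DES with SHA1 or MD5
# and DH group modp1536 or modp1024; confirm on the box with `ipsec auto --status`.
OPENSWAN_DEFAULT_IKE = {("3des", h, g) for h in ("sha1", "md5")
                        for g in ("modp1536", "modp1024")}

# Map PIX keywords onto Openswan's names so the two sides can be intersected.
PIX_ENC = {"des": "des", "3des": "3des", "esp-des": "des", "esp-3des": "3des"}
PIX_HASH = {"sha": "sha1", "md5": "md5", "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}
PIX_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536"}

def pix_ike_proposals(text):
    """(enc, hash, dh-group) for every 'isakmp policy N ...' block in the PIX config."""
    policies = {}
    for num, key, val in re.findall(r"^isakmp policy (\d+) (\w+) (\S+)", text, re.M):
        policies.setdefault(num, {"group": "1"})[key] = val  # ASSUMPTION: PIX default group 1
    return {(PIX_ENC.get(p.get("encryption")), PIX_HASH.get(p.get("hash")),
             PIX_GROUP.get(p["group"])) for p in policies.values()}

def pix_esp_proposals(text, crypto_map="outside_map"):
    """(enc, auth) for each transform-set that the static crypto map entries reference."""
    sets = {n: (PIX_ENC.get(e), PIX_HASH.get(a)) for n, e, a in
            re.findall(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)", text, re.M)}
    used = re.findall(rf"^crypto map {crypto_map} \d+ set transform-set (\S+)", text, re.M)
    return {sets[n] for n in used if n in sets}

def openswan_esp_proposals(conn):
    """Parse esp=ENC-AUTH[-GROUP]; the trailing group is the PFS group and is ignored here."""
    m = re.search(r"^esp=(\w+)-(\w+)", conn, re.M)
    return {(m.group(1), m.group(2))} if m else set()

def check_proposals(conn=OPENSWAN_CONN, pix=PIX_CONFIG):
    """Return (phase1_ok, phase2_ok). Phase 1 is negotiated first, so an empty phase 1
    intersection alone makes the peer answer NO_PROPOSAL_CHOSEN, whatever ESP says."""
    phase1 = OPENSWAN_DEFAULT_IKE & pix_ike_proposals(pix)
    phase2 = openswan_esp_proposals(conn) & pix_esp_proposals(pix)
    return bool(phase1), bool(phase2)
```

With the post's fragments the checker returns (False, True): the ESP transform-sets line up, but the single PIX isakmp policy (des/sha/group 2) has nothing in common with the assumed Openswan default IKE list.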