[Openswan Users] OpenSwan 2.4.7 to Cisco 3745 - no traffic
Christian Brechbühler
brechbuehler at gmail.com
Wed Nov 29 12:04:52 EST 2006
On 11/24/06, Krzysztof Wiórkiewicz <krwi at softwaremind.pl> wrote:
>
> Now after brought up ipsec we have:
> 004 "cisco1" #619: STATE_QUICK_I2: sent QI2, IPsec SA established
>
{ESP=>0xa26168af <0xb107fa76 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
[...]
when we pinging any other tunnel (for example internal_ip_5):
>
> # tcpdump -n -i our_external_interface host cisco_external_ip or host
> internal_ip_5
> 14:40:23.373283 IP our_external_ip > cisco_external_ip:
> ESP(spi=0xa26168af,seq=0x1), length 92
> 14:40:28.812884 IP our_external_ip > cisco_external_ip:
> ESP(spi=0xa26168af,seq=0x2), length 92
>
> as can you see any response from Cisco router.
I'm also struggling with connecting to a Cisco router (from Linux Openswan
U2.4.4/K2.6.11-gentoo-r5 (netkey)). You are a big step ahead of me.
How did you get Openswan to use the exact SPI (0xa26168af) that was
negotiated when establishing the IPsec SA? Our openswan always flips a few
bits in the SPI it puts in the outgoing ESP packets and then the Cisco
doesn't know the altered SPI, so nothing works.
The only difference to your config is that we use esp=3des-sha1 (on both
ends) instead of 3des-md5-96.
Thanks,
/Christian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20061129/475cb3bc/attachment.html
More information about the Users
mailing list