[Openswan Users] Tunnel to Cisco 1721

Andy Gay andy at andynet.net
Thu Sep 21 15:08:22 EDT 2006


On Thu, 2006-09-21 at 20:48 +0200, Markus Winkler wrote:
> Hi,
> 
> I want to establish a tunnel from Openswan 2.4.5 to a Cisco 1721. It's a
> tunnel with PSK, 3DES-MD5, PFS. We compared all the relevant settings
> (lifetime, psk etc.) all is identical.
> 
> The problem:
> 
> Openswan-log:
> 
> pluto[4128]: "peer" #2: initiating Main Mode
> 
> pluto[4128]: "peer" #2: transition from state STATE_MAIN_I1 to state
> STATE_MAIN_I2
> pluto[4128]: "peer" #2: STATE_MAIN_I2: sent MI2, expecting MR2
> 
> pluto[4128]: "peer" #2: received Vendor ID payload [Cisco-Unity]
> 
> pluto[4128]: "peer" #2: received Vendor ID payload [Dead Peer Detection]
> 
> pluto[4128]: "peer" #2: ignoring unknown Vendor ID payload
> [4f7215dfac6272a13c5177df4cc28213]
> pluto[4128]: "peer" #2: received Vendor ID payload [XAUTH]
> 
> pluto[4128]: "peer" #2: I did not send a certificate because I do not
> have one.
> pluto[4128]: "peer" #2: transition from state STATE_MAIN_I2 to state
> STATE_MAIN_I3
> pluto[4128]: "peer" #2: STATE_MAIN_I3: sent MI3, expecting MR3
> 
> pluto[4128]: "peer" #2: Informational Exchange message is invalid
> because it has a Message ID of 0
> pluto[4128]: "peer" #2: Informational Exchange message is invalid
> because it has a Message ID of 0
> pluto[4128]: "peer": terminating SAs using this connection
> 
> pluto[4128]: "peer" #2: deleting state (STATE_MAIN_I3)
> 
> 
> The Cisco-box says:
> %CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from xx.xx.xx.xx was not
> encrypted and it should've been.
> 
> Cisco says:
> Explanation: A portion of the IKE exchange takes place using clear text,
> and a portion is encrypted. This message should have been encrypted but
> was not.
> Recommended Action: Contact the remote peer.
> 
> Hmm, the remote peer is me ... ;-)
> 
> Something's wrong in phase1, but what? I searched and searched, but
> cannot find a solution.
> 
> Any ideas? Did anyone see such error-messages?

Possibly your PSK doesn't match. Be careful with special characters in
the key. Perhaps try a test with something simple like "test1234".

Also, make sure you disable xauth and config mode on the Cisco. Not sure
about a 1721, on a PIX you do that in the 'isakmp key' statement,
something like:

isakmp key ******** address <peer IP> netmask 255.255.255.255 no-xauth no-config-mode

> 
> Thanks and
> kind regards,
> 
> Markus
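Andy's first suggestion is a PSK mismatch. The reason such a mismatch surfaces only at MI3 is that, in IKEv1 Main Mode, the first two exchanges are sent in the clear and the third is the first one encrypted under a key derived from the PSK. The following is an added example, not code from the thread or from Openswan, that walks through the RFC 2409 phase 1 key derivation with the MD5 PRF and 3DES key expansion matching the 3DES-MD5 proposal above; the nonces, cookies and g^xy are constructed sample values, not captured ones.

```python
"""IKEv1 (RFC 2409) phase 1 key derivation for a pre-shared-key Main Mode
exchange using HMAC-MD5 as the PRF, as for the 3DES-MD5 proposal in the thread.
All inputs below are constructed sample bytes, not values from a real exchange."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 section 3.2: with an HMAC PRF, prf(key, msg) = HMAC-hash(key, msg)
    return hmac.new(key, data, hashlib.md5).digest()


def phase1_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID and its three children for PSK authentication (RFC 2409 section 5.4).
    The trailing 0, 1, 2 are single octets."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def expand_cipher_key(skeyid_e: bytes, length: int) -> bytes:
    """RFC 2409 appendix B: when the cipher needs more key than the PRF yields
    (3DES needs 24 bytes, MD5 gives 16), Ka = K1 | K2 | ... with
    K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), K3 = prf(SKEYID_e, K2)."""
    out = b""
    block = prf(skeyid_e, b"\x00")  # K1
    while len(out) < length:
        out += block
        block = prf(skeyid_e, block)  # next Kn
    return out[:length]


# Constructed sample values; in a real exchange these travel in the clear in
# MI1/MR1 (cookies) and MI2/MR2 (KE and nonces), so both peers see the same ones.
SAMPLE = dict(ni=b"\x11" * 16, nr=b"\x22" * 16, gxy=b"\x33" * 128,
              cky_i=b"\x44" * 8, cky_r=b"\x55" * 8)


def cipher_keys_match(psk_openswan: bytes, psk_cisco: bytes) -> bool:
    """Each peer derives the 3DES key from its own copy of the PSK. MI3 is the
    first message encrypted with it, so a mismatch first shows up there."""
    k_ours = expand_cipher_key(phase1_keys(psk_openswan, **SAMPLE)["SKEYID_e"], 24)
    k_peer = expand_cipher_key(phase1_keys(psk_cisco, **SAMPLE)["SKEYID_e"], 24)
    return k_ours == k_peer
```

A trailing space or a shell-mangled special character in one side's PSK changes every derived key, which is why the simple test key Andy suggests is a useful first check.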