[Openswan Users] openswan & cicsco ipv6 ipsec

jungfo jungfo at innopiatech.com
Thu Dec 6 20:44:25 EST 2007


Hello.

 

 

We are using Openswan-2.4.7 on Linux-2.6.20 NETKEY for our router products.

I've tried to build a ipv6 tunnel between openswan and cisco 3825. But I've
got a strange 

error message. when I tried to connect to the vpn gateway with cisco.

 

 

 

                         |--------------------| 2007::11/64
|--------------------|

    any subnet ------ |    Openswan   | ----- IPsec Tunnel ----- |    Cisco
3825  | ------ any subnet

              100::1/64 | ________________|              2007::22/64 |
________________| 200::1/64

 

 

Openswan Error : peer client ID payload ID_IPV6_ADDR_SUBNET wrong length in
Quick I1

 

we tried to build the ipv6 tunnel by the instruction in the following cisco
website pages.

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chap
ter09186a0080573b9c.html

 

 

------------------------- Openswan config
---------------------------------------------------------

bash-3.00# cat /etc/ipsec.conf

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

 

# More elaborate and more varied sample configurations can be found

# in FreeS/WAN's doc/examples file, and in the HTML documentation.

 

version 2.0

 

# basic configuration

config setup

        # THIS SETTING MUST BE CORRECT or almost nothing will work;

        # %defaultroute is okay for most simple cases.

        interfaces="ipsec0=eth0"

        # Debug-logging controls:  "none" for (almost) none, "all" for lots.

        klipsdebug=none

        plutodebug=none

        # Use auto= parameters in conn descriptions to control startup
actions.

        # Close down old connection when new one using same ID shows up.

        uniqueids=yes

        #nat_traversal=yes

        #       virtual_private=%v4:200.0.0.0/24

 

 

 

# defaults for subsequent connection descriptions

# (these defaults will soon go away)

conn %default

        keyingtries=0

        disablearrivalcheck=no

        #authby=rsasig

        leftrsasigkey=%dnsondemand

        rightrsasigkey=%dnsondemand

        authby=secret

        rekeymargin=10s

#       dpddelay=5

#       dpdtimeout=5

#       dpdaction=clear

 

 

 

# connection description for opportunistic encryption

# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)

        # for initiator only OE, uncomment and uncomment this

        # after putting your key in your forward map

        #leftid=@myhostname.example.com

        # uncomment this next line to enable it

        #auto=route

# sample VPN connection

        # Left security gateway, subnet behind it, next hop toward right.

        # Right security gateway, subnet behind it, next hop toward left.

        # To authorize this connection, but not actually start it, at
startup,

        # uncomment this.

        #auto=add

#       leftsubnet=100::1/64

#       rightsubnet=200::1/64

conn test

        left=2007::11

        leftnexthop=2007::22

        right=2007::22

        type=tunnel

        connaddrfamily=ipv6

        auto=start

        authby=secret

        auth=esp

        esp=3des-md5

        keylife=28000s

        ikelifetime=3600s

        rekey=yes

        keyingtries=0

        ike=3des-md5

        aggrmode=no

        pfs=yes

        pfsgroup=modp1536

        dpdaction=hold

        dpdtimeout=120

        dpddelay=30

        keyexchange=ike

----------------------------------------------------------------------------
------------------------------

 

 

Thank you in advance.

 

 

 

Jungho Hwang

 

InnopiaTech

Software Engineer

Development Part 1.

Tel 02-561-8202 Ext.222  Mobile 010-2331-1008

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20071207/7a48ab29/attachment.html 


More information about the Users mailing list