[Openswan Users] openswan & cisco ipv6 ipsec
jungfo
jungfo at innopiatech.com
Thu Dec 6 20:44:25 EST 2007
Hello.
We are using Openswan-2.4.7 on Linux-2.6.20 NETKEY for our router products.
I've tried to build an IPv6 tunnel between Openswan and a Cisco 3825, but I've
got a strange error message when I tried to connect to the VPN gateway with the Cisco.
                     2007::11/64                          2007::22/64
any subnet ------ | Openswan | ----- IPsec Tunnel ----- | Cisco 3825 | ------ any subnet
   100::1/64      |__________|                          |____________|        200::1/64
Openswan Error : peer client ID payload ID_IPV6_ADDR_SUBNET wrong length in Quick I1
We tried to build the IPv6 tunnel following the instructions on the following Cisco
web page:
http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080573b9c.html
------------------------- Openswan config ---------------------------------------------------------
bash-3.00# cat /etc/ipsec.conf
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
version 2.0

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces="ipsec0=eth0"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes
        #nat_traversal=yes
        # virtual_private=%v4:200.0.0.0/24

# defaults for subsequent connection descriptions
# (these defaults will soon go away)
conn %default
        keyingtries=0
        disablearrivalcheck=no
        #authby=rsasig
        leftrsasigkey=%dnsondemand
        rightrsasigkey=%dnsondemand
        authby=secret
        rekeymargin=10s
        # dpddelay=5
        # dpdtimeout=5
        # dpdaction=clear

# connection description for opportunistic encryption
# (requires KEY record in your DNS reverse map; see doc/opportunism.howto)
# for initiator only OE, uncomment and uncomment this
# after putting your key in your forward map
#leftid=@myhostname.example.com
# uncomment this next line to enable it
#auto=route

# sample VPN connection
# Left security gateway, subnet behind it, next hop toward right.
# Right security gateway, subnet behind it, next hop toward left.
# To authorize this connection, but not actually start it, at startup,
# uncomment this.
#auto=add
# leftsubnet=100::1/64
# rightsubnet=200::1/64
conn test
        left=2007::11
        leftnexthop=2007::22
        right=2007::22
        type=tunnel
        connaddrfamily=ipv6
        auto=start
        authby=secret
        auth=esp
        esp=3des-md5
        keylife=28000s
        ikelifetime=3600s
        rekey=yes
        keyingtries=0
        ike=3des-md5
        aggrmode=no
        pfs=yes
        pfsgroup=modp1536
        dpdaction=hold
        dpdtimeout=120
        dpddelay=30
        keyexchange=ike
----------------------------------------------------------------------------------------------
Thank you in advance.
Jungho Hwang
InnopiaTech
Software Engineer
Development Part 1.
Tel 02-561-8202 Ext.222 Mobile 010-2331-1008
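The "wrong length" error quoted in this post concerns the ISAKMP Identification payload of the IPsec DOI (RFC 2407): for ID_IPV6_ADDR_SUBNET the identification data must be a 16-byte address followed by a 16-byte mask, 32 bytes in all, and the responder rejects the Quick Mode proposal when the data length does not match the ID type. The Python below is added here as an illustration and is not code from the poster or from Openswan; it builds and checks such payloads so that a capture of the peer's ID payload can be inspected for exactly this mismatch. The helper names and the sample payloads are constructed for the example; the length table follows the address-based ID types of the RFC.

```python
import struct
import ipaddress

# IPsec DOI identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR_SUBNET = 1, 2, 3, 4
ID_IPV6_ADDR, ID_IPV6_ADDR_SUBNET, ID_IPV4_ADDR_RANGE, ID_IPV6_ADDR_RANGE = 5, 6, 7, 8

# Expected length of the Identification Data for the address-based types:
# a bare address carries one address, subnet and range types carry two.
EXPECTED_LEN = {
    ID_IPV4_ADDR: 4, ID_IPV4_ADDR_SUBNET: 8, ID_IPV4_ADDR_RANGE: 8,
    ID_IPV6_ADDR: 16, ID_IPV6_ADDR_SUBNET: 32, ID_IPV6_ADDR_RANGE: 32,
}

def build_id_payload(id_type, data, next_payload=0, proto=0, port=0):
    """Build an Identification payload: generic payload header (next payload,
    reserved, length), then ID type, protocol ID, port and the ID data."""
    length = 8 + len(data)
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, proto, port) + data

def check_id_payload(payload):
    """Parse an Identification payload and flag the class of defect behind a
    'wrong length' rejection: ID data inconsistent with the ID type.
    Returns (ok, description)."""
    if len(payload) < 8:
        return False, "payload shorter than its fixed header"
    _np, _res, length, id_type, proto, port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        return False, "payload length field %d != %d bytes present" % (length, len(payload))
    data = payload[8:]
    want = EXPECTED_LEN.get(id_type)
    if want is None:
        return True, "ID type %d (not an address type, %d bytes)" % (id_type, len(data))
    if len(data) != want:
        return False, "ID type %d wrong length: %d bytes, expected %d" % (id_type, len(data), want)
    if id_type == ID_IPV6_ADDR_SUBNET:
        addr = ipaddress.IPv6Address(data[:16])          # first 16 bytes: address
        prefix = bin(int.from_bytes(data[16:], "big")).count("1")  # mask -> prefix length
        return True, "ID_IPV6_ADDR_SUBNET %s/%d proto=%d port=%d" % (addr, prefix, proto, port)
    return True, "ID type %d ok (%d bytes)" % (id_type, len(data))

# Constructed samples: a well-formed subnet ID for 200::/64 (address + mask,
# 32 bytes) and a malformed one that carries only the 16-byte address.
GOOD = build_id_payload(ID_IPV6_ADDR_SUBNET,
                        ipaddress.IPv6Address("200::").packed + b"\xff" * 8 + b"\x00" * 8)
BAD = build_id_payload(ID_IPV6_ADDR_SUBNET, ipaddress.IPv6Address("200::").packed)

if __name__ == "__main__":
    for name, p in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_id_payload(p))
```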