[Openswan Users] lan2lan to cisco asa

Paul Wouters paul at xelerance.com
Fri Feb 2 12:49:13 EST 2007


On Fri, 2 Feb 2007, Wappie MD wrote:

> I want to start a lan2lan connection from a openswan to a cisco asa
> 5000 series firewall based on plain ipsec. I could not get a
> connection going so I wondered if you can spot anything wrong in my
> configs files.
> Also, is it allowed to have nat_traversal=no in a conn section since I
> need to have nat_traversal=yes in the config section for my other vpn
> connections where I *do* want nat_traversal=yes.

No. But nat_traversal= only kicks in when you're being NAT'ed: if you are,
you will need it, and if you aren't, it will not do anything.

>         left=114.114.0.110
>         leftsubnet=169.254.0.0/16
>         leftnexthop=192.168.13.2

leftnexthop is supposed to be your gateway, but 192.168.13.2 isn't on the same net as 114.114.0.110

>         leftcert=concentrator-cert.pem
>         right=%any
>         rightsubnet=192.168.1.0/24
>         rightcert=testing-cert.pem
>         rightca=%same
>         auto=add
>         ike=3des-md5
>         esp=3des-md5
>         nat_traversal=no

It's a global option, not a per-conn option, so this conn did not load properly.

>         type=tunnel
>         authby=secret|rsasig

I personally don't use the "|" syntax. Pick one for your tests and change it later on.

What does the log show?

Paul
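As an added illustration, not part of the thread and not Openswan's own tooling, here is a small Python lint that parses an ipsec.conf fragment and flags the three points raised in the reply above: a "config setup" keyword placed inside a conn, a nexthop that is not on the same net as the address it is paired with, and the "|" form of authby. The sample config reproduces the conn quoted in the thread; the conn name, the "config setup" block, the corrected gateway address 114.114.0.1 and the /24 prefix length of the left interface are all assumptions, since the thread does not state them.

```python
import ipaddress
import re

# Constructed sample, modelled on the conn quoted in the thread. The conn
# name and the "config setup" block are assumed; the conn body is as posted.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes

conn lan2lan-asa
        left=114.114.0.110
        leftsubnet=169.254.0.0/16
        leftnexthop=192.168.13.2
        leftcert=concentrator-cert.pem
        right=%any
        rightsubnet=192.168.1.0/24
        rightcert=testing-cert.pem
        rightca=%same
        auto=add
        ike=3des-md5
        esp=3des-md5
        nat_traversal=no
        type=tunnel
        authby=secret|rsasig
"""

# The same conn with the reply's three points applied: nat_traversal left to
# "config setup", a nexthop on left's net (114.114.0.1 is a constructed
# placeholder for the real gateway), and a single authby method.
CORRECTED_CONF = (SAMPLE_CONF
                  .replace("leftnexthop=192.168.13.2", "leftnexthop=114.114.0.1")
                  .replace("        nat_traversal=no\n", "")
                  .replace("authby=secret|rsasig", "authby=rsasig"))

# Keywords that belong only in "config setup"; inside a conn they are an error.
GLOBAL_ONLY = {"nat_traversal"}


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for ipsec.conf-style text.

    Section headers ("config setup", "conn NAME") start in column 0 and the
    indented key=value lines after them belong to that section. "#" comments
    and a "version" line are ignored; include/also are not handled.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.startswith("version"):
            continue
        if not raw[0].isspace():
            m = re.match(r"(config|conn)\s+(\S+)\s*$", line)
            if m is None:
                raise ValueError(f"unrecognised section header: {line!r}")
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = {}
        else:
            if current is None:
                raise ValueError(f"key/value outside any section: {line!r}")
            key, sep, value = line.strip().partition("=")
            if not sep:
                raise ValueError(f"expected key=value: {line!r}")
            sections[current][key.strip()] = value.strip()
    return sections


def lint(sections, prefix_len=24):
    """Return a list of findings for the problems discussed in the reply.

    prefix_len is the assumed mask length of the interface that holds the
    left/right address (not stated in the thread); it decides whether the
    nexthop is on-link.
    """
    findings = []
    for name, params in sections.items():
        if not name.startswith("conn "):
            continue
        for key in sorted(GLOBAL_ONLY & params.keys()):
            findings.append(f"{name}: {key}= is a 'config setup' option, not a "
                            f"per-conn option; this conn will not load")
        for side in ("left", "right"):
            addr = params.get(side, "")
            hop = params.get(f"{side}nexthop", "")
            # %any, %defaultroute and similar cannot be checked statically
            if not addr or not hop or addr.startswith("%") or hop.startswith("%"):
                continue
            onlink = ipaddress.ip_interface(f"{addr}/{prefix_len}").network
            if ipaddress.ip_address(hop) not in onlink:
                findings.append(f"{name}: {side}nexthop={hop} is not on the same "
                                f"net as {side}={addr} (assuming /{prefix_len}); "
                                f"it must be the gateway on that interface")
        if "|" in params.get("authby", ""):
            findings.append(f"{name}: authby={params['authby']} uses the '|' "
                            f"form; pick a single method while testing")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("corrected", CORRECTED_CONF)):
        print(f"--- {label}")
        for msg in lint(parse_ipsec_conf(conf)) or ["no findings"]:
            print(msg)
```

Run as-is it reports three findings for the posted conn and none for the corrected one; pass a different prefix_len to lint() if the left interface is not a /24. The on-link check only guards against a nexthop outside the interface's own net, which is the defect pointed out above; it cannot tell whether that gateway is the right one.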

