[Openswan Users] openswan to Cisco 877

Vieri rentorbuy at yahoo.com
Thu May 3 07:16:31 EDT 2007


Hi,

I am trying to connect an OpenS/WAN peer to a remote
Cisco 877.

From the log messages I post below, what could be
causing the failure?
Could it be that the remote Cisco 877 is wanting to
use single DES (Diffie-Hellman group 1) and OpenS/WAN
does not support it?
Or could there be a packet drop/firewall issue on the
remote site (Cisco)?
In other words, what can I "deduce" on my side when I
see messages such as "EVENT_RETRANSMIT" and "no
acceptable Oakley Transform"?

I do not have access to the remote Cisco but the
people who manage it sent me part of its configuration
settings:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key secret_password address Openswan_WAN_IP
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TRANSET esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map IPSECMAP 20 ipsec-isakmp
 set peer Openswan_WAN_IP
 set transform-set TRANSET
 match address 120

My openswan server's ipsec.conf is as follows:

# cat ipsec.conf

version 2.0

config setup
        #plutodebug=all
        #nat_traversal=yes
        #
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0

include /etc/ipsec/ipsec.conf_CONN1

include /etc/ipsec/ipsec.d/examples/no_oe.conf

# cat ipsec.conf_CONN1

conn openswan-cisco877
    type=tunnel
    keyexchange=ike
    #keylife=1h
    ikelifetime=5h
    rekeyfuzz=50%
    rekeymargin=10s
    keyingtries=%forever
    dpddelay=5
    dpdtimeout=15
    dpdaction=restart
    disablearrivalcheck=yes
    pfs=no
    esp=3des-md5
    left=192.168.254.93
    leftnexthop=192.168.254.2
    right=RemoteCisco_WAN_IP
    rightsubnet=192.168.0.0/24
    leftsubnet=192.168.1.0/24
    authby=secret
    rightid=@ciscopeer
    leftid=@openswanpeer
    auto=start

# cat /var/log/messages

May  3 09:09:59 poorgos-gent1 ipsec_setup: Starting Openswan IPsec 2.4.7...
May  3 09:09:59 poorgos-gent1 NET: Registered protocol family 15
May  3 09:09:59 poorgos-gent1 Initializing XFRM netlink socket
May  3 09:09:59 poorgos-gent1 ipsec_setup: NETKEY on eth1 192.168.254.93/255.255.255.0 broadcast 192.168.254.255
May  3 09:10:00 poorgos-gent1 ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
May  3 09:10:00 poorgos-gent1 ipsec__plutorun: Starting Pluto subsystem...
May  3 09:10:00 poorgos-gent1 pluto[494]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
May  3 09:10:00 poorgos-gent1 pluto[494]: Setting NAT-Traversal port-4500 floating to off
May  3 09:10:00 poorgos-gent1 pluto[494]:    port floating activation criteria nat_t=0/port_fload=1
May  3 09:10:00 poorgos-gent1 pluto[494]:   including NAT-Traversal patch (Version 0.6c) [disabled]
May  3 09:10:00 poorgos-gent1 pluto[494]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May  3 09:10:00 poorgos-gent1 pluto[494]: no helpers will be started, all cryptographic operations will be done inline
May  3 09:10:00 poorgos-gent1 pluto[494]: Using NETKEY IPsec interface code on 2.6.19-gentoo-r5
May  3 09:10:00 poorgos-gent1 ipsec_setup: ...Openswan IPsec started
May  3 09:10:00 poorgos-gent1 pluto[494]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
May  3 09:10:00 poorgos-gent1 pluto[494]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
May  3 09:10:00 poorgos-gent1 pluto[494]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
May  3 09:10:00 poorgos-gent1 pluto[494]: Changing to directory '/etc/ipsec/ipsec.d/crls'
May  3 09:10:00 poorgos-gent1 pluto[494]:   Warning: empty directory
May  3 09:10:00 poorgos-gent1 pluto[494]: loading secrets from "/etc/ipsec/ipsec.secrets"
May  3 09:10:01 poorgos-gent1 pluto[494]: added connection description "openswan-cisco877"
May  3 09:10:01 poorgos-gent1 pluto[494]: listening for IKE messages
May  3 09:10:01 poorgos-gent1 pluto[494]: adding interface tap0/tap0 192.168.100.100:500
May  3 09:10:01 poorgos-gent1 pluto[494]: adding interface eth1/eth1 192.168.254.93:500
May  3 09:10:01 poorgos-gent1 pluto[494]: adding interface eth0/eth0 192.168.1.93:500
May  3 09:10:01 poorgos-gent1 pluto[494]: adding interface lo/lo 127.0.0.1:500
May  3 09:10:01 poorgos-gent1 pluto[494]: adding interface lo/lo ::1:500
May  3 09:10:01 poorgos-gent1 pluto[494]: forgetting secrets
May  3 09:10:01 poorgos-gent1 pluto[494]: loading secrets from "/etc/ipsec/ipsec.secrets"
May  3 09:10:01 poorgos-gent1 pluto[494]: "openswan-cisco877" #1: initiating Main Mode
May  3 09:10:01 poorgos-gent1 ipsec__plutorun: 104 "openswan-cisco877" #1: STATE_MAIN_I1: initiate
May  3 09:10:01 poorgos-gent1 ipsec__plutorun: ...could not start conn "openswan-cisco877"
May  3 09:10:01 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
May  3 09:10:01 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: received and ignored informational message
May  3 09:10:09 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May  3 09:10:09 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
May  3 09:10:09 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
May  3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: responding to Main Mode
May  3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: Diffie-Hellamn group 1 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
May  3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: no acceptable Oakley Transform
May  3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: sending notification NO_PROPOSAL_CHOSEN to RemoteCisco_WAN_IP:500

# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.93
000 interface eth1/eth1 192.168.254.93
000 interface tap0/tap0 192.168.100.100
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "openswan-cisco877": 192.168.1.0/24===192.168.254.93[@openswanpeer]---192.168.254.2...RemoteCisco_WAN_IP[@ciscopeer]===192.168.0.0/24; prospective erouted; eroute owner: #0
000 "openswan-cisco877":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "openswan-cisco877":   ike_life: 18000s; ipsec_life: 28800s; rekey_margin: 10s; rekey_fuzz: 50%; keyingtries: 0
000 "openswan-cisco877":   policy: PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+UP; prio: 24,24; interface: eth1; encap: esp;
000 "openswan-cisco877":   dpd: action:restart; delay:5; timeout:15;
000 "openswan-cisco877":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #7: "openswan-cisco877":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 5s; nodpd
000 #7: pending Phase 2 for "openswan-cisco877" replacing #0
000
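As an added example, not part of the original post and not Openswan's or Cisco's own tooling: a small Python script that reads pluto log lines together with the `ipsec auto --status` dump and separates the two failure modes the post asks about. A peer that answers MI1 with NO_PROPOSAL_CHOSEN has plainly received our packet, so the problem is a Phase 1 proposal mismatch rather than a firewall drop; retransmits in STATE_MAIN_I1 with no packet from the peer at all is the pattern that points at UDP/500 filtering. The sample log and status text below are constructed copies of the lines quoted above with a placeholder hostname and peer address; the regexes are my own and the `Diffie-Hell\w+` pattern exists only because pluto 2.4.x misspells "Hellman" in that message.

```python
import re

# Constructed sample input, modelled on the pluto log lines quoted in the
# post; "gw" and 203.0.113.1 are placeholders, not the poster's values.
SAMPLE_LOG = """\
May  3 09:10:01 gw pluto[494]: "openswan-cisco877" #1: initiating Main Mode
May  3 09:10:01 gw pluto[494]: packet from 203.0.113.1:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
May  3 09:10:09 gw pluto[494]: packet from 203.0.113.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
May  3 09:10:09 gw pluto[494]: "openswan-cisco877" #2: responding to Main Mode
May  3 09:10:09 gw pluto[494]: "openswan-cisco877" #2: Diffie-Hellamn group 1 is not a supported modp group.  Attribute OAKLEY_GROUP_DESCRIPTION
May  3 09:10:09 gw pluto[494]: "openswan-cisco877" #2: no acceptable Oakley Transform
May  3 09:10:09 gw pluto[494]: "openswan-cisco877" #2: sending notification NO_PROPOSAL_CHOSEN to 203.0.113.1:500
"""

# Constructed excerpt of 'ipsec auto --status', trimmed to the lines that matter.
SAMPLE_STATUS = """\
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 #7: "openswan-cisco877":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 5s; nodpd
"""

RE_LOCAL_GROUP = re.compile(r"algorithm IKE dh group: id=(\d+)")
# pluto 2.4.x spells "Hellman" wrongly in this message; accept either form.
RE_BAD_GROUP = re.compile(r"Diffie-Hell\w+ group (\d+) is not a supported modp group")
RE_STUCK_I1 = re.compile(r"STATE_MAIN_I1 \(sent MI1, expecting MR1\); EVENT_RETRANSMIT")
RE_PEER_PKT = re.compile(r"packet from (\S+):500:")


def supported_dh_groups(status_text):
    """IKE DH group ids this pluto accepts, taken from 'ipsec auto --status'."""
    return {int(m.group(1)) for m in RE_LOCAL_GROUP.finditer(status_text)}


def diagnose(log_text, status_text):
    """Classify a failed Main Mode from pluto's log plus the status dump."""
    both = log_text + "\n" + status_text
    facts = {
        # Peer answered our MI1 with NO_PROPOSAL_CHOSEN: it rejected our proposal.
        "peer_rejected_ours": "ignoring informational payload, type NO_PROPOSAL_CHOSEN" in log_text,
        # We answered the peer's MI1 with NO_PROPOSAL_CHOSEN: we rejected theirs.
        "we_rejected_theirs": "sending notification NO_PROPOSAL_CHOSEN" in log_text,
        # Any packet from the peer proves inbound UDP/500 is not being dropped.
        "peer_reachable": bool(RE_PEER_PKT.search(log_text)),
        "stuck_in_main_i1": bool(RE_STUCK_I1.search(both)),
        "peer_offers_nat_t": "draft-ietf-ipsec-nat-t-ike" in log_text
        and "port floating is off" in log_text,
        "unsupported_groups": sorted({int(m.group(1)) for m in RE_BAD_GROUP.finditer(log_text)}),
        "local_groups": sorted(supported_dh_groups(status_text)),
    }
    if facts["we_rejected_theirs"] or facts["peer_rejected_ours"]:
        facts["verdict"] = "proposal_mismatch"
    elif facts["stuck_in_main_i1"] and not facts["peer_reachable"]:
        facts["verdict"] = "no_response"
    else:
        facts["verdict"] = "unknown"
    return facts


def explain(facts):
    """Human-readable reading of diagnose() output, one finding per line."""
    out = []
    if facts["verdict"] == "proposal_mismatch":
        if facts["peer_rejected_ours"]:
            out.append("Peer answered our MI1 with NO_PROPOSAL_CHOSEN: packets flow, "
                       "but it accepts none of our Phase 1 transforms.")
        if facts["we_rejected_theirs"]:
            out.append("We answered the peer's MI1 with NO_PROPOSAL_CHOSEN: "
                       "we accept none of its Phase 1 transforms.")
        for g in facts["unsupported_groups"]:
            out.append(f"Peer offered DH group {g}; this pluto only supports "
                       f"groups {facts['local_groups']}.")
        if facts["stuck_in_main_i1"]:
            out.append("EVENT_RETRANSMIT in STATE_MAIN_I1 is a consequence: pluto "
                       "discards the unauthenticated notification and resends MI1.")
    elif facts["verdict"] == "no_response":
        out.append("Retransmitting MI1 with no packet from the peer: suspect "
                   "UDP/500 filtering or the peer not listening.")
    if facts["peer_offers_nat_t"]:
        out.append("Peer advertises NAT-T but nat_traversal is off locally; "
                   "only matters if a NAT sits between the peers.")
    return out


if __name__ == "__main__":
    for line in explain(diagnose(SAMPLE_LOG, SAMPLE_STATUS)):
        print("-", line)
```

Run it against a real `/var/log/messages` and `ipsec auto --status` by passing their contents to `diagnose()` instead of the constructed samples. For the configuration quoted above, the reading matches the script's verdict: the Cisco `crypto isakmp policy 1` carries no `group` line, and IOS defaults that policy to DH group 1, which is absent from the group list this pluto reports, so neither side can accept the other's Phase 1 proposal.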

