[Openswan Users] openswan to Cisco 877
Vieri
rentorbuy at yahoo.com
Thu May 3 07:16:31 EDT 2007
Hi,

I am trying to connect an OpenS/WAN peer to a remote Cisco 877.

From the log messages I post below, what could be causing the failure?

Could it be that the remote Cisco 877 is wanting to use single DES (Diffie-Hellman group 1) and OpenS/WAN does not support it?

Or could there be a packet drop/firewall issue on the remote site (Cisco)?

In other words, what can I "deduce" on my side when I see messages such as "EVENT_RETRANSMIT" and "no acceptable Oakley Transform"?

I do not have access to the remote Cisco but the people who manage it sent me part of its configuration settings:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key secret_password address Openswan_WAN_IP
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TRANSET esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map IPSECMAP 20 ipsec-isakmp
 set peer Openswan_WAN_IP
 set transform-set TRANSET
 match address 120
My openswan server's ipsec.conf is as follows:

# cat ipsec.conf
version 2.0

config setup
        #plutodebug=all
        #nat_traversal=yes
        #
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nhelpers=0

include /etc/ipsec/ipsec.conf_CONN1
include /etc/ipsec/ipsec.d/examples/no_oe.conf

# cat ipsec.conf_CONN1
conn openswan-cisco877
        type=tunnel
        keyexchange=ike
        #keylife=1h
        ikelifetime=5h
        rekeyfuzz=50%
        rekeymargin=10s
        keyingtries=%forever
        dpddelay=5
        dpdtimeout=15
        dpdaction=restart
        disablearrivalcheck=yes
        pfs=no
        esp=3des-md5
        left=192.168.254.93
        leftnexthop=192.168.254.2
        right=RemoteCisco_WAN_IP
        rightsubnet=192.168.0.0/24
        leftsubnet=192.168.1.0/24
        authby=secret
        rightid=@ciscopeer
        leftid=@openswanpeer
        auto=start
# cat /var/log/messages
May 3 09:09:59 poorgos-gent1 ipsec_setup: Starting Openswan IPsec 2.4.7...
May 3 09:09:59 poorgos-gent1 NET: Registered protocol family 15
May 3 09:09:59 poorgos-gent1 Initializing XFRM netlink socket
May 3 09:09:59 poorgos-gent1 ipsec_setup: NETKEY on eth1 192.168.254.93/255.255.255.0 broadcast 192.168.254.255
May 3 09:10:00 poorgos-gent1 ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
May 3 09:10:00 poorgos-gent1 ipsec__plutorun: Starting Pluto subsystem...
May 3 09:10:00 poorgos-gent1 pluto[494]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
May 3 09:10:00 poorgos-gent1 pluto[494]: Setting NAT-Traversal port-4500 floating to off
May 3 09:10:00 poorgos-gent1 pluto[494]: port floating activation criteria nat_t=0/port_fload=1
May 3 09:10:00 poorgos-gent1 pluto[494]: including NAT-Traversal patch (Version 0.6c) [disabled]
May 3 09:10:00 poorgos-gent1 pluto[494]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
May 3 09:10:00 poorgos-gent1 pluto[494]: no helpers will be started, all cryptographic operations will be done inline
May 3 09:10:00 poorgos-gent1 pluto[494]: Using NETKEY IPsec interface code on 2.6.19-gentoo-r5
May 3 09:10:00 poorgos-gent1 ipsec_setup: ...Openswan IPsec started
May 3 09:10:00 poorgos-gent1 pluto[494]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
May 3 09:10:00 poorgos-gent1 pluto[494]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
May 3 09:10:00 poorgos-gent1 pluto[494]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
May 3 09:10:00 poorgos-gent1 pluto[494]: Changing to directory '/etc/ipsec/ipsec.d/crls'
May 3 09:10:00 poorgos-gent1 pluto[494]: Warning: empty directory
May 3 09:10:00 poorgos-gent1 pluto[494]: loading secrets from "/etc/ipsec/ipsec.secrets"
May 3 09:10:01 poorgos-gent1 pluto[494]: added connection description "openswan-cisco877"
May 3 09:10:01 poorgos-gent1 pluto[494]: listening for IKE messages
May 3 09:10:01 poorgos-gent1 pluto[494]: adding interface tap0/tap0 192.168.100.100:500
May 3 09:10:01 poorgos-gent1 pluto[494]: adding interface eth1/eth1 192.168.254.93:500
May 3 09:10:01 poorgos-gent1 pluto[494]: adding interface eth0/eth0 192.168.1.93:500
May 3 09:10:01 poorgos-gent1 pluto[494]: adding interface lo/lo 127.0.0.1:500
May 3 09:10:01 poorgos-gent1 pluto[494]: adding interface lo/lo ::1:500
May 3 09:10:01 poorgos-gent1 pluto[494]: forgetting secrets
May 3 09:10:01 poorgos-gent1 pluto[494]: loading secrets from "/etc/ipsec/ipsec.secrets"
May 3 09:10:01 poorgos-gent1 pluto[494]: "openswan-cisco877" #1: initiating Main Mode
May 3 09:10:01 poorgos-gent1 ipsec__plutorun: 104 "openswan-cisco877" #1: STATE_MAIN_I1: initiate
May 3 09:10:01 poorgos-gent1 ipsec__plutorun: ...could not start conn "openswan-cisco877"
May 3 09:10:01 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
May 3 09:10:01 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: received and ignored informational message
May 3 09:10:09 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
May 3 09:10:09 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
May 3 09:10:09 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
May 3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: responding to Main Mode
May 3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: Diffie-Hellamn group 1 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION
May 3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: no acceptable Oakley Transform
May 3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: sending notification NO_PROPOSAL_CHOSEN to RemoteCisco_WAN_IP:500
# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.93
000 interface eth1/eth1 192.168.254.93
000 interface tap0/tap0 192.168.100.100
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "openswan-cisco877": 192.168.1.0/24===192.168.254.93[@openswanpeer]---192.168.254.2...RemoteCisco_WAN_IP[@ciscopeer]===192.168.0.0/24; prospective erouted; eroute owner: #0
000 "openswan-cisco877": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "openswan-cisco877": ike_life: 18000s; ipsec_life: 28800s; rekey_margin: 10s; rekey_fuzz: 50%; keyingtries: 0
000 "openswan-cisco877": policy: PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK+UP; prio: 24,24; interface: eth1; encap: esp;
000 "openswan-cisco877": dpd: action:restart; delay:5; timeout:15;
000 "openswan-cisco877": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #7: "openswan-cisco877":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 5s; nodpd
000 #7: pending Phase 2 for "openswan-cisco877" replacing #0
000
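As a worked diagnostic for the exchange in the post above (an added example; not part of the original message and not Openswan's or Cisco's own code): the script below reads the Cisco `crypto isakmp policy` block as the remote admins sent it, fills in the IOS defaults for every parameter the block omits (IOS uses DH group 1 when no `group` line is present), reads the DH groups that `ipsec auto --status` advertises, and cross-checks both against the pluto log. The sample inputs are constructed from the lines quoted in the post, trimmed to the relevant fields; the function names are the example's own. Pluto's log text spells "Diffie-Hellamn", so the log pattern keys on "group N is not a supported modp group" rather than on the algorithm name.

```python
import re

# Constructed sample input: the isakmp policy as the remote admins sent it
# in the post. Note that no `group` line is present.
CISCO_POLICY = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
"""

# Constructed sample: the DH-group lines from `ipsec auto --status`.
STATUS_OUTPUT = """\
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
"""

# Constructed sample: the pluto lines from the failed exchange, with the
# syslog prefix removed. Pluto's own text spells "Diffie-Hellamn".
PLUTO_LOG = """\
pluto[494]: packet from RemoteCisco_WAN_IP:500: ignoring informational payload, type NO_PROPOSAL_CHOSEN
pluto[494]: "openswan-cisco877" #2: responding to Main Mode
pluto[494]: "openswan-cisco877" #2: Diffie-Hellamn group 1 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION
pluto[494]: "openswan-cisco877" #2: no acceptable Oakley Transform
pluto[494]: "openswan-cisco877" #2: sending notification NO_PROPOSAL_CHOSEN to RemoteCisco_WAN_IP:500
"""

# Values Cisco IOS applies to any parameter omitted from a
# `crypto isakmp policy` block.
IOS_ISAKMP_DEFAULTS = {
    "encr": "des",
    "hash": "sha",
    "authentication": "rsa-sig",
    "group": "1",
    "lifetime": "86400",
}

STATUS_GROUP_RE = re.compile(r"algorithm IKE dh group: id=(\d+), name=([A-Z0-9_]+)")
LOG_REJECT_RE = re.compile(r"group (\d+) is not a supported modp group")
RECEIVED_NOTIFY_RE = re.compile(r"packet from (\S+): ignoring informational payload, type (\w+)")


def parse_ios_isakmp_policy(text):
    """Return the effective policy: explicit lines plus IOS defaults."""
    policy = dict(IOS_ISAKMP_DEFAULTS)
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["crypto", "isakmp", "policy"] and len(parts) == 4:
            policy["priority"] = parts[3]
        elif len(parts) >= 2 and parts[0] in IOS_ISAKMP_DEFAULTS:
            policy[parts[0]] = parts[1]
    return policy


def supported_ike_groups(status_text):
    """Map Oakley group id -> name for every group pluto advertises."""
    return {int(m.group(1)): m.group(2) for m in STATUS_GROUP_RE.finditer(status_text)}


def rejected_groups(log_text):
    """Group ids pluto refused while responding to the remote's proposal."""
    return sorted({int(m.group(1)) for m in LOG_REJECT_RE.finditer(log_text)})


def diagnose(policy_text, status_text, log_text):
    """Cross-check the remote policy, pluto's capabilities and the log."""
    policy = parse_ios_isakmp_policy(policy_text)
    supported = supported_ike_groups(status_text)
    findings = []
    proposed = int(policy["group"])
    if proposed not in supported:
        findings.append(
            f"remote policy resolves to DH group {proposed} (IOS default when "
            f"'group' is omitted); pluto only supports {sorted(supported)}"
        )
    for g in rejected_groups(log_text):
        findings.append(f"pluto log confirms it rejected group {g} in Phase 1")
    for peer, notify in RECEIVED_NOTIFY_RE.findall(log_text):
        findings.append(
            f"{notify} received from {peer}: IKE packets reach both peers on "
            f"UDP/500, so the failure is a proposal mismatch, not a dropped packet"
        )
    return policy, findings


def recommended_fix(policy, supported):
    """IOS lines that make the remote propose a group pluto accepts.
    The lowest supported id is chosen for compatibility; a 2048-bit or larger
    group (id 14 and up) is preferable wherever both peers offer it."""
    return f"crypto isakmp policy {policy['priority']}\n group {min(supported)}"


if __name__ == "__main__":
    policy, findings = diagnose(CISCO_POLICY, STATUS_OUTPUT, PLUTO_LOG)
    print("effective remote policy:", policy)
    for finding in findings:
        print("-", finding)
    print(recommended_fix(policy, supported_ike_groups(STATUS_OUTPUT)))
```

Run as-is, the script reports that the policy resolves to group 1, that pluto rejected exactly that group, and that the NO_PROPOSAL_CHOSEN notification received from the Cisco rules out a silent firewall drop; the retransmits in `ipsec auto --status` are the initiator side of the same mismatch. Since `ipsec auto --status` lists no group 1 at all, the `ike=` line in ipsec.conf cannot bridge the gap; the change has to be a `group` line on the Cisco policy that names a group from pluto's list.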