[Openswan Users] openswan to Cisco 877
Peter McGill
petermcgill at goco.net
Thu May 3 09:28:14 EDT 2007
> -----Original Message-----
> Date: Thu, 3 May 2007 04:16:31 -0700 (PDT)
> From: Vieri <rentorbuy at yahoo.com>
> Subject: [Openswan Users] openswan to Cisco 877
> To: users at openswan.org
>
> I am trying to connect an OpenS/WAN peer to a remote
> Cisco 877.
>
> From the log messages I post below, what could be
> causing the failure?
> Could it be that the remote Cisco 877 is wanting to
> use single DES (Diffie-Hellman group 1) and OpenS/WAN
> does not support it?
> Or could there be a packet drop/firewall issue on the
> remote site (Cisco)?
> In other words, what can I "deduce" on my side when I
> see messages such as "EVENT_RETRANSMIT" and "no
> acceptable Oakley Transform"?
>
> I do not have access to the remote Cisco but the
> people who manage it sent me part of its configuration
> settings:
>
> crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
> crypto isakmp key secret_password address Openswan_WAN_IP
> crypto isakmp keepalive 10
> !
> !
> crypto ipsec transform-set TRANSET esp-3des esp-md5-hmac
> crypto ipsec df-bit clear
> !
> crypto map IPSECMAP 20 ipsec-isakmp
> set peer Openswan_WAN_IP
> set transform-set TRANSET
> match address 120
>
> My openswan server's ipsec.conf is as follows:
>
> # cat ipsec.conf
>
> version 2.0
>
> config setup
> #plutodebug=all
> #nat_traversal=yes
> #
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
> nhelpers=0
>
> include /etc/ipsec/ipsec.conf_CONN1
>
> include /etc/ipsec/ipsec.d/examples/no_oe.conf
>
> # cat ipsec.conf_CONN1
>
> conn openswan-cisco877
> type=tunnel
> keyexchange=ike
> #keylife=1h
> ikelifetime=5h
> rekeyfuzz=50%
> rekeymargin=10s
> keyingtries=%forever
> dpddelay=5
> dpdtimeout=15
> dpdaction=restart
> disablearrivalcheck=yes
> pfs=no
> esp=3des-md5
> left=192.168.254.93
Left needs to be your internet IP, or if you don't have one,
because you're not a gateway, just a LAN host, then you need to
use nat_traversal=yes; the Cisco will also need to set NAT-T.
> leftnexthop=192.168.254.2
> right=RemoteCisco_WAN_IP
> rightsubnet=192.168.0.0/24
> leftsubnet=192.168.1.0/24
> authby=secret
> rightid=@ciscopeer
> leftid=@openswanpeer
> auto=start
>
> # cat /var/log/messages
>
> May 3 09:10:09 poorgos-gent1 pluto[494]: packet from
> RemoteCisco_WAN_IP:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port
> floating is off
> May 3 09:10:09 poorgos-gent1 pluto[494]: packet from
> RemoteCisco_WAN_IP:500: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port
> floating is off
It looks like the Cisco has NAT-T on, but you don't.
> May 3 09:10:09 poorgos-gent1 pluto[494]:
> "openswan-cisco877" #2: Diffie-Hellamn group 1 is not
> a supported modp group. Attribute
> OAKLEY_GROUP_DESCRIPTION
Group 1 (768) is too weak, tell the cisco to use group 2 (1024).
Set this on your end:
ike=3des-md5-modp1024
Peter