[Openswan Users] openswan to Cisco 877
Vieri
rentorbuy at yahoo.com
Thu May 3 13:40:37 EDT 2007
--- Peter McGill <petermcgill at goco.net> wrote:
> Left needs to be your internet IP, or if you don't have one,
> because you're not a gateway, just a LAN host, then you
> need to use nat_traversal=yes; the Cisco will also need to
> set NAT-T.
It's not exactly a LAN host (and it actually is a gateway). However, I can't have an Internet IP because of the protocol my ISP is using (PPPoA). Actually I could have an Internet IP, but it would "break" every time the DSL modem re-syncs. So what I usually do in these cases is simply configure a "NAT to default server" or "DMZ server" in the DSL modem/router. In this case, the "server" is the Openswan gateway.
Basically, it would be something like this:

    ISP
     |
    DSL router with PPPoA-assigned WAN IP & local IP 192.168.254.2
    ("NAT all to one internal server -> 192.168.254.93")
     |
    Openswan gateway: "external" eth0=192.168.254.93, "internal" eth1=192.168.1.93
     |
    the rest of the LAN hosts, 192.168.1.0/24 (using default gw 192.168.1.93)
Anyway, I added NAT-T in ipsec.conf:

    config setup
        nat_traversal=yes
> > May 3 09:10:09 poorgos-gent1 pluto[494]: packet from RemoteCisco_WAN_IP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
>
> It looks like the Cisco has NAT-T on, but you don't.
After enabling NAT-T it now reads:

    May 3 19:28:58 poorgos-gent1 pluto[971]: packet from RemoteCisco_WAN_IP:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    May 3 19:28:58 poorgos-gent1 pluto[971]: packet from RemoteCisco_WAN_IP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
    May 3 19:28:58 poorgos-gent1 pluto[971]: packet from RemoteCisco_WAN_IP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
> > May 3 09:10:09 poorgos-gent1 pluto[494]: "openswan-cisco877" #2: Diffie-Hellamn group 1 is not a supported modp group. Attribute OAKLEY_GROUP_DESCRIPTION
>
> Group 1 (768) is too weak; tell the Cisco to use group 2 (1024).
> Set this on your end:
>     ike=3des-md5-modp1024
So, does that pluto message actually mean that the Cisco end-point is insisting on using DH group 1 (i.e. DES)?

I'm asking this because I will need to tell the people on the remote end to change their Cisco settings, and how.

I already told them to use group 2, but will insist once again.
Thank you Peter
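As an added illustration (not part of the original thread and not written by either poster), here is how the topology and the two settings discussed above could be expressed together in an Openswan 2.x ipsec.conf. The connection name, the addresses 192.168.254.93, 192.168.254.2 and 192.168.1.0/24, and the ike= line are taken from the messages; RemoteCisco_WAN_IP is the thread's own placeholder for the Cisco's public address; the remote LAN, the leftid value, the ESP transform and the pre-shared-key authentication are assumptions.

```conf
# Added example ipsec.conf for the setup described in the message above:
# an Openswan gateway behind a DSL router that forwards all inbound traffic to it.
# Not taken from the thread; REMOTE_LAN, leftid and the esp= line are assumptions.
config setup
    # Required here: the Cisco sees the DSL router's public address, not
    # 192.168.254.93, so IKE has to negotiate NAT-T (UDP/4500 encapsulation).
    nat_traversal=yes
    # Private ranges that may sit behind NAT on either side; the local LAN
    # is excluded so it is never treated as a remote virtual address.
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24

conn openswan-cisco877
    authby=secret                # pre-shared key kept in ipsec.secrets (assumed)
    left=192.168.254.93          # "external" eth0 of the Openswan gateway (private, behind NAT)
    leftnexthop=192.168.254.2    # LAN address of the DSL router
    leftsubnet=192.168.1.0/24    # the LAN behind eth1
    leftid=@openswan-gw          # assumed: a name-style ID, because the source address the
                                 # Cisco sees is the router's public IP, not 192.168.254.93
    right=RemoteCisco_WAN_IP     # placeholder used in the thread for the Cisco's public address
    rightsubnet=REMOTE_LAN/24    # placeholder: the network behind the Cisco 877 (not given)
    # Phase 1 proposal from the reply: 3DES/MD5 with DH group 2 (modp1024). It must match
    # the isakmp policy on the Cisco; group 1 is the 768-bit MODP group, and pluto's
    # "not a supported modp group" message means the peer proposed exactly that group.
    ike=3des-md5-modp1024
    esp=3des-md5                 # assumed Phase 2 transform; match the Cisco transform set
    auto=start
```

The value of writing it out this way is that the two pluto messages in the thread map onto two separate lines: the "port floating is off" message is cured by nat_traversal=yes in config setup, while the OAKLEY_GROUP_DESCRIPTION message is about the ike= proposal and can only be fixed on the Cisco side by moving its policy to group 2, whatever is configured locally.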