[Openswan Users] openswan ipsec fos_start

Vieri rentorbuy at yahoo.com
Sun May 20 16:14:28 EDT 2007


--- Andy Gay <andy at andynet.net> wrote:

> > ipsec auto --status:
> > https://fhm.zapto.org/GEVPN/status_ge.txt
> > 
> > ipsec barf:
> > https://fhm.zapto.org/GEVPN/barf_ge.txt
>
> The peer's phase 2 parameters don't match yours.
> Usually that's either
> because the PFS setting is different (try changing
> to pfs=yes), or your
> left and right subnets don't *exactly* match the
> ones configured on the
> peer.

Thank you very much for making me notice I only got
past phase 1. I don't know why I didn't see that
myself. Anyway, I'm now trying to get the tunnel up.

The only information I have for now regarding the
remote peer is:

IPSEC Parameters

VPN Device               Cisco (7100-series with ASM or 7200-series with VAM or VAM2)
IPSec Peer, Europe       195.177.212.154
Encr Domain              150.2.0.0/16
Key Algorithm            ISAKMP (UDP 500)
ISAKMP Auth Mode         Pre-shared Secret
ISAKMP Hash              SHA-1 or MD5
ISAKMP Encryption        3DES or DES
ISAKMP Diffie-Hellman    Group 1 or Group 2
ISAKMP Key Mode          Main
ISAKMP Key Lifetime      86.400 secs (24 hours)
Perfect Forward Secrecy  Off
IPSec Encapsulation      Tunnel Mode
IPSec Protocol Type      ESP (IP Protocol 50)
IPSec Cipher Algorithm   3DES or DES
IPSec Authentication     HMAC-SHA-1 or HMAC-MD5
IPSec Lifetime           3600 secs (1 hour)

So I updated my openswan peer and specified the esp
value as you suggested:

conn ge-fhm
    type=tunnel                 # IPSec Encapsulation: Tunnel Mode
    keyexchange=ike
    keylife=1h                  # IPSec Lifetime: 3600 secs
    ikelifetime=24h             # ISAKMP Key Lifetime: 86.400 secs
    pfs=no                      # Perfect Forward Secrecy: Off
    ike=3des-md5-modp1024       # ISAKMP: 3DES, MD5, Diffie-Hellman Group 2
    esp=3des-md5                # IPSec: 3DES, HMAC-MD5
    left=192.168.92.2
    leftnexthop=192.168.92.1
    leftsourceip=10.215.144.92
    leftsubnet=10.215.144.0/22
    right=195.177.212.154       # IPSec Peer, Europe
    rightsubnet=150.2.0.0/16    # Encr Domain
    rightid=195.177.212.154
    leftid=213.96.91.201
    authby=secret               # ISAKMP Auth Mode: Pre-shared Secret
    auto=start

Is there anything else I should add?

Despite the ESP change, the result is the same (same
ipsec barf/status). Somehow, IKE completes but the
IPsec tunnel doesn't.

I am *suspecting* they have our subnet wrong (maybe
our netmask - "leftsubnet"). I guess that could
explain why the tunnel isn't brought up.

I'll try to get more details on the remote Cisco
configuration.

Thanks again.
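The mismatch hunt described in this thread (phase 1 completes, phase 2 does not) comes down to comparing the conn against the peer's parameter sheet line by line: PFS, the IKE and ESP proposals, lifetimes, and the two subnets. The script below is an added example and not part of this thread or of Openswan; it parses a copy of the posted conn section (trimmed to the settings it checks), holds the peer's sheet as a dict, and reports what cannot match. The `peer_left_subnet` argument is a hypothetical input standing for the subnet the Cisco side has configured for our end, which the sheet does not list and which the poster suspects is wrong.

```python
import ipaddress
import re

# Constructed copy of the conn section posted in the thread, trimmed to the
# settings this check looks at (ipsec.conf syntax).
CONN_TEXT = """\
conn ge-fhm
    keylife=1h
    ikelifetime=24h
    pfs=no
    ike=3des-md5-modp1024
    esp=3des-md5
    leftsourceip=10.215.144.92
    leftsubnet=10.215.144.0/22
    rightsubnet=150.2.0.0/16
"""

# The peer's parameter sheet from the message, transcribed into a dict (constructed).
# Algorithm names use openswan's spelling; DH group 1 is modp768, group 2 is modp1024.
PEER_SHEET = {
    "encr_domain": "150.2.0.0/16",
    "isakmp_enc": {"3des", "des"},
    "isakmp_hash": {"sha1", "md5"},
    "isakmp_dh": {"modp768", "modp1024"},
    "isakmp_lifetime_s": 86400,
    "pfs": False,
    "esp_cipher": {"3des", "des"},
    "esp_auth": {"sha1", "md5"},
    "ipsec_lifetime_s": 3600,
}

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conn(text):
    """Turn a conn section into a dict of key=value settings."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("conn ", "#")):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def to_seconds(value):
    """Convert an ipsec.conf time value such as 1h or 86400 to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad time value: {value}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def check_conn(conn_text, sheet, peer_left_subnet=None):
    """Compare a conn with the peer's sheet.

    Returns {"mismatch": [...], "note": [...]}. Mismatches stop a proposal or
    traffic selector from matching; notes (lifetimes) usually still negotiate.
    peer_left_subnet is what the *peer* has configured for our side, if known.
    """
    p = parse_conn(conn_text)
    mismatch, note = [], []

    pfs_on = p.get("pfs", "yes") == "yes"  # openswan's default is pfs=yes
    if pfs_on != sheet["pfs"]:
        mismatch.append(f"pfs={'yes' if pfs_on else 'no'} but peer PFS is "
                        f"{'on' if sheet['pfs'] else 'off'}")

    # ike=enc-hash-dhgroup[,...]: at least one proposal must be acceptable
    def ike_ok(prop):
        enc, auth, dh = prop.split("-")
        return (enc in sheet["isakmp_enc"] and auth in sheet["isakmp_hash"]
                and dh in sheet["isakmp_dh"])
    if not any(ike_ok(x) for x in p["ike"].split(",")):
        mismatch.append(f"no ike proposal in '{p['ike']}' is offered by the peer")

    # esp=cipher-auth[,...]
    def esp_ok(prop):
        enc, auth = prop.split("-")
        return enc in sheet["esp_cipher"] and auth in sheet["esp_auth"]
    if not any(esp_ok(x) for x in p["esp"].split(",")):
        mismatch.append(f"no esp proposal in '{p['esp']}' is offered by the peer")

    if to_seconds(p["ikelifetime"]) != sheet["isakmp_lifetime_s"]:
        note.append("ikelifetime differs from the peer's ISAKMP lifetime")
    if to_seconds(p["keylife"]) != sheet["ipsec_lifetime_s"]:
        note.append("keylife differs from the peer's IPsec lifetime")

    # Subnets must match the peer's view exactly, not merely overlap.
    left = ipaddress.ip_network(p["leftsubnet"])
    right = ipaddress.ip_network(p["rightsubnet"])
    if right != ipaddress.ip_network(sheet["encr_domain"]):
        mismatch.append(f"rightsubnet {right} != peer encryption domain "
                        f"{sheet['encr_domain']}")
    if ipaddress.ip_address(p["leftsourceip"]) not in left:
        mismatch.append(f"leftsourceip {p['leftsourceip']} lies outside leftsubnet {left}")
    if peer_left_subnet and ipaddress.ip_network(peer_left_subnet) != left:
        mismatch.append(f"peer expects our subnet as {peer_left_subnet}, "
                        f"conn offers {left}")
    return {"mismatch": mismatch, "note": note}


if __name__ == "__main__":
    # Hypothetical: the Cisco side has our subnet as a /24 instead of the /22
    result = check_conn(CONN_TEXT, PEER_SHEET, peer_left_subnet="10.215.144.0/24")
    for kind in ("mismatch", "note"):
        for msg in result[kind]:
            print(f"{kind}: {msg}")
```

Run as posted, the conn matches every line of the sheet and the only way to produce a mismatch is to supply a `peer_left_subnet` that differs from `leftsubnet`, which is exactly the hypothesis in the message. Lifetime differences are reported separately because a shorter lifetime on one side usually still negotiates, whereas a differing PFS setting, proposal or subnet makes the phase 2 proposal fail outright.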
