[Openswan Users] OPENSWAN -- Cisco VPN concentrator

Peter McGill petermcgill at goco.net
Mon Sep 24 10:03:33 EDT 2007 

First off, Diffie-Hellman Group (DH-Group) Group 1 (768-bit) is insecure.
Openswan will not allow it by default, and it shouldn't.
Change your Cisco to Group 2 (1024-bit) or Group 5 (1536-bit) instead.

Your Cisco is using 3DES with MD5.
So with the new DH-Group settings your ipsec.conf should have:
	ike=3des-md5-modp1024,3des-md5-modp1536
	esp=3des-md5

The retry error your experiencing is also often caused by NAT or Firewall.
Your left and right IP addresses are inside your leftsubnet and rightsubnet's respectively.
Are both sides behind NATing routers? I'm not sure if that will work.
IPSec works best if your IPSec routers both have public internet IP addresses.
These addresses go in left and right, not the private lan IP addresses.
If either IPSec router does not have a public internet IP address, then you will need NAT-Traversal (NAT-T).

Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Atul Chaudhari
> Sent: September 24, 2007 5:32 AM
> To: users at openswan.org
> Subject: [Openswan Users] OPENSWAN -- Cisco VPN concentrator
> 
> Hello,
> 
> I am configuring an VPN LAN-LAn connection between a Linux 
> Opensawn and 
> Cisco VPN concentrator 3000 series.
> 
> I get this message in ipsec whack --status
> 
> [root at dexter ~]# ipsec whack --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.1.2
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, 
> keysizemin=64, 
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
> keysizemin=192, 
> keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, 
> keysizemin=0, 
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
> keysizemin=128, 
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), 
> keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, 
> bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, 
> bits=1536
> 000 algorithm IKE dh group: id=14, 
> name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, 
> name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, 
> name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, 
> name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, 
> name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,17,36} 
> trans={0,17,336} attrs={0,17,224}
> 000
> 000 "netnet": 
> 192.168.2.0/24===192.168.1.2---192.168.1.1---192.168.20.1[192.
168.22.22]===10.10.10.0/24; 
> unrouted; eroute owner: #0
> 000 "netnet":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
> dstup=ipsec _updown;
> 000 "netnet":   ike_life: 3600s; ipsec_life: 28800s; 
> rekey_margin: 540s; 
> rekey_fuzz: 100%; keyingtries: 0
> 000 "netnet":   policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; 
> interface: eth0;
> 000 "netnet":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "netnet":   IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 
> 5_000-1-2, 
> 5_000-2-2, flags=-strict
> 000 "netnet":   IKE algorithms found:  5_192-1_128-5, 5_192-2_160-5, 
> 5_192-1_128-2, 5_192-2_160-2,
> 000 "netnet":   ESP algorithms wanted: 3_168-1, 3_168-2, flags=-strict
> 000 "netnet":   ESP algorithms loaded: 3_168-1, 3_168-2, flags=-strict
> 000
> 000
> 
> 
> My ipsec.conf file is
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
> 
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
> 
> 
> version 2.0     # conforms to second version of ipsec.conf 
> specification
> 
> # basic configuration
> config setup
>          # plutodebug / klipsdebug = "all", "none" or a 
> combation from 
> below:
>          # "raw crypt parsing emitting control klips pfkey natt x509 
> private"
>          # eg:
>          # plutodebug="control parsing"
>          #
>          # Only enable klipsdebug=all if you are a developer
>          #
>          # NAT-TRAVERSAL support, see README.NAT-Traversal
>          # nat_traversal=yes
>          # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16
>          #nat_traversal=yes
>          interfaces=%defaultroute
>          klipsdebug=none
>          plutodebug=none
>          uniqueids=yes
>          plutowait=no
> 
> conn netnet
>          type=tunnel
>          authby=secret
>          keyexchange=ike
>          ike=3des
>          dpdaction=clear
>      left=192.168.1.2                 # Local vitals
>      leftsubnet=192.168.1.0/24       #
>      right=192.168.20.1                # Remote vitals
>          rightid=192.168.22.22
>          rightnexthop=%defaultroute
>          rightsubnet=192.168.20.0/24
>          esp=3DES-168
>          pfs=no
>      auto=add                       # authorizes but doesn't 
> start this
>                                     # connection at startup
> include /etc/ipsec.d/examples/no_oe.conf
> 
> 
> On giving command ipsec auto --verbose --up netnet i get 
> these messages
> 002 "netnet" #17: initiating Main Mode
> 104 "netnet" #17: STATE_MAIN_I1: initiate
> 002 "netnet" #17: transition from state STATE_MAIN_I1 to 
> state STATE_MAIN_I2
> 106 "netnet" #17: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "netnet" #17: received Vendor ID payload [Cisco-Unity]
> 003 "netnet" #17: received Vendor ID payload [XAUTH]
> 003 "netnet" #17: ignoring unknown Vendor ID payload 
> [fe6bf25053e7fbd74022c8d5039641fc]
> 003 "netnet" #17: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 002 "netnet" #17: I did not send a certificate because I do 
> not have one.
> 002 "netnet" #17: transition from state STATE_MAIN_I2 to 
> state STATE_MAIN_I3
> 108 "netnet" #17: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "netnet" #17: received Vendor ID payload [Dead Peer Detection]
> 002 "netnet" #17: Main mode peer ID is ID_IPV4_ADDR: '192.168.22.22'
> 002 "netnet" #17: transition from state STATE_MAIN_I3 to 
> state STATE_MAIN_I4
> 004 "netnet" #17: STATE_MAIN_I4: ISAKMP SA established 
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 
> group=modp1024}
> 002 "netnet" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using 
> isakmp#17}
> 117 "netnet" #18: STATE_QUICK_I1: initiate
> 010 "netnet" #18: STATE_QUICK_I1: retransmission; will wait 
> 20s for response
> 010 "netnet" #18: STATE_QUICK_I1: retransmission; will wait 
> 40s for response
> 031 "netnet" #18: max number of retransmissions (2) reached 
> STATE_QUICK_I1.  No acceptable response to our first Quick 
> Mode message: 
> perhaps peer likes no proposal
> 000 "netnet" #18: starting keying attempt 2 of an unlimited 
> number, but 
> releasing whack
> 
> It then comes back to shell prompt and no connection is established.
> 
> 
> 
> Is this due to IKE algorithms not found?
> The router is not at my end but these are the detail i got from the 
> admin at other end.
> 
> 
> |VPN Schema              |                      |IKE          
>             |
> |------------------------+----------------------+-------------
> ------------|
> |Authentication Mode     |                      |Preshared Keys 
>        |                      |    |
> |------------------------+----------------------+-------------
> ------------|
> |Authentication Algorithm|                      |MD5/HMAC-128 
>             |
> |------------------------+----------------------+-------------
> ------------|
> |Encryption Algorithm    |                      |3DES-168     
>             |
> |------------------------+----------------------+-------------
> ------------|
> |Diffie-Hellman Group    |                      |Group 1 
> (768-bits)       |
> |------------------------+----------------------+-------------
> ------------|
> |IKE Time Lifetime       |                      |86400        
>             |
> |------------------------+----------------------+-------------
> ------------|
> |Authentication          |                      |ESP/MD5/HMAC-128
> .
> 
> 
> Any suggestion apprciated.
> 
> Thanks,
> Atul Chaudhari
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155

More information about the Users mailing list