[Openswan Users] Openswan Cisco ASA

Peter McGill petermcgill at goco.net
Thu Apr 17 13:08:38 EDT 2008


This subnet syntax is wrong; it may be the cause of your problem:
conn con0
        rightsubnet=9.0.0.1/24
        leftsubnet=11.0.0.1/24
        also=gw-to-gw
conn con1
        rightsubnet=9.0.1.3/24
        leftsubnet=11.0.1.3/24
        also=gw-to-gw
You probably want (net-to-net):
conn con0
        rightsubnet=9.0.0.0/24
        leftsubnet=11.0.0.0/24
        also=gw-to-gw
conn con1
        rightsubnet=9.0.1.0/24
        leftsubnet=11.0.1.0/24
        also=gw-to-gw
Or this (host-to-host):
conn con0
        rightsubnet=9.0.0.1/32
        leftsubnet=11.0.0.1/32
        also=gw-to-gw
conn con1
        rightsubnet=9.0.1.3/32
        leftsubnet=11.0.1.3/32
        also=gw-to-gw
 
Peter McGill
 


  _____  

From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Paul Whelan
Sent: April 17, 2008 12:37 PM
To: users at openswan.org
Subject: [Openswan Users] Openswan Cisco ASA


Hello

I'm trying to set up a tunnel between openswan 2.4.9 (I've also tried 2.4.11 as well) and a Cisco ASA, however I am getting the errors
below. As can be seen, phase 1 IKE succeeds, however phase 2 doesn't.


*****************************

Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: initiating Main Mode
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Cisco-Unity]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [XAUTH]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring unknown Vendor ID payload [42fc5a89d3e07f949aed6dc2a8e20893]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: I did not send a certificate because I do not have one.
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Dead Peer Detection]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.2'
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 17 16:41:14 localhost pluto[2784]: "con1" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring informational payload, type INVALID_ID_INFORMATION
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received and ignored informational message
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Delete SA payload: deleting ISAKMP State #5
Apr 17 16:41:14 localhost pluto[2784]: packet from 192.168.10.2:500: received and ignored informational message


**************************
My ipsec.conf

conn con0
        rightsubnet=9.0.0.1/24
        leftsubnet=11.0.0.1/24
        also=gw-to-gw
conn con1
        rightsubnet=9.0.1.3/24
        leftsubnet=11.0.1.3/24
        also=gw-to-gw
conn gw-to-gw
        left=192.168.10.2
        right=192.168.10.1
        esp=3des-md5
        authby=secret
        type=tunnel
        auto=add
        rekey=yes
        keylife=8h
        ike=3des-md5-modp1024
        aggrmode=no
        pfs=no
        compress=no

************************************

On the cisco side of things I get error messages:

713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 local proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2

I've looked up this error, which is basically complaining that the tunnel address on both sides don't match. However I've checked all
my addresses and they match.

One thing wrong to notice from the error is 9.0.1.0 and 11.0.1.0, as I have 9.0.0.1 and 11.0.0.1 configured both in ipsec.conf and
on the Cisco ASA.

I've tried googling all the error messages, but nothing I've found has helped. I've plugged my Openswan side into another
openswan configured with the IP of the Cisco ASA side and the tunnel came up fine. Am I missing anything from my config file needed to communicate with the ASA?

Regards,
Paul Whelan

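The point Peter McGill makes (a host address with a /24 mask is not a subnet) and the ASA's 713061 rejection quoted in the original post are two views of the same thing: the phase 2 proxy ID that goes on the wire is the masked network, so 9.0.1.3/24 is proposed as 9.0.1.0/24, which is exactly the pair the ASA logged. The script below is an added example, not code from the Openswan project or from either poster. It copies the conn sections and the ASA log line from the thread as constructed sample input, normalises each subnet= value the way the masking does, flags values with host bits set, and works out which conn proposed the pair the ASA rejected. The minimal ipsec.conf reader, the function names and the regular expression for the 713061 message are all assumptions of this example; the ASA's own crypto ACL is not shown in the thread and is not guessed here.

```python
"""Added example (not Openswan or either poster's code): derive the phase 2
proxy IDs Openswan will propose from the conn sections in the thread and
match them against the proxy pair the ASA logged. The config text and the
log line are copied from the post; the parser and names are assumptions."""
import ipaddress
import re
from typing import Dict, Optional, Tuple

# Constructed sample input: the conn sections from the original post.
SAMPLE_CONF = """\
conn con0
        rightsubnet=9.0.0.1/24
        leftsubnet=11.0.0.1/24
        also=gw-to-gw
conn con1
        rightsubnet=9.0.1.3/24
        leftsubnet=11.0.1.3/24
        also=gw-to-gw
conn gw-to-gw
        left=192.168.10.2
        right=192.168.10.1
        authby=secret
        type=tunnel
"""
# The ASA rejection quoted in the post, joined onto one line.
ASA_LOG = ("713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: "
           "no matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 "
           "local proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal reader (an assumption of this example): 'conn NAME' headers
    followed by key=value lines. No 'config setup' block, no %-macros."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def resolve(conns: Dict[str, Dict[str, str]], name: str) -> Dict[str, str]:
    """Expand also=: an included section only supplies parameters the
    including section has not already set (ipsec.conf(5) semantics)."""
    params = dict(conns[name])
    for inc in params.pop("also", "").split():
        for key, value in resolve(conns, inc).items():
            params.setdefault(key, value)
    return params


def proxy_ids(params: Dict[str, str]) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """(leftsubnet, rightsubnet) as proposed on the wire. strict=False applies
    the mask, so 9.0.1.3/24 becomes 9.0.1.0/24, the value the ASA logged."""
    return (ipaddress.ip_network(params["leftsubnet"], strict=False),
            ipaddress.ip_network(params["rightsubnet"], strict=False))


def host_bits_warning(selector: str) -> Optional[str]:
    """Flag a subnet= value whose host bits are set and offer the two readings
    Peter McGill suggests: the whole network, or the single host as /32."""
    addr = ipaddress.ip_address(selector.split("/", 1)[0])
    net = ipaddress.ip_network(selector, strict=False)
    if addr == net.network_address:
        return None
    return (f"{selector}: host bits set, proposed as {net}. "
            f"Use {net} for net-to-net or {addr}/32 for host-to-host.")


def parse_asa_proxies(line: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """(remote, local) proxies from a 713061 message, which the ASA writes as
    address/netmask/protocol/port. The pattern is an assumption fitted to the
    line quoted in the thread."""
    m = re.search(r"remote proxy ([\d.]+)/([\d.]+)/\S+ local proxy ([\d.]+)/([\d.]+)/", line)
    if not m:
        raise ValueError("not a 713061 proxy rejection")
    return (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False),
            ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False))


def find_conn_for_asa_log(text: str, line: str) -> Optional[str]:
    """Which conn proposed the pair the ASA rejected? Which of left/right is
    the ASA's 'local' depends on which end is the ASA, so compare as a set."""
    remote, local = parse_asa_proxies(line)
    conns = parse_conns(text)
    for name in conns:
        params = resolve(conns, name)
        if "leftsubnet" in params and "rightsubnet" in params:
            if set(proxy_ids(params)) == {remote, local}:
                return name
    return None


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for name in ("con0", "con1"):
        params = resolve(conns, name)
        print(name, "proposes", [str(n) for n in proxy_ids(params)])
        for selector in (params["leftsubnet"], params["rightsubnet"]):
            warning = host_bits_warning(selector)
            if warning:
                print("  warning:", warning)
    print("ASA rejected the pair proposed by", find_conn_for_asa_log(SAMPLE_CONF, ASA_LOG))
```

Run with python3 and no arguments; it needs only the standard library. The output names con1, not con0, as the source of the 9.0.1.0/24 and 11.0.1.0/24 pair in the ASA message, and warns on all four subnet= values. The reader is deliberately small: feeding it a real /etc/ipsec.conf with a config setup block, %defaultroute or include lines would need the full grammar, which this example does not implement.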
