[Openswan Users] Re: Openswan Cisco ASA
Frank Mayer
frank.mayer at knapp.com
Thu Apr 17 12:50:49 EDT 2008
Hello,
I'm not sure about a Cisco ASA, but with a Cisco router I'd say the crypto
map entry of the Cisco device had an access list that specified
different networks to be tunnelled.
One thing I found helpful in the past was having the other end of the
tunnel try establishing the connection: Openswan's log entries in that case
give more information, e.g. which networks the peer wants to tunnel (if it
tries to at all; if it does not, then I'm rather sure the Cisco end has
local and remote networks switched in its access list for the tunnel:
that's a common error).
Best Regards
Frank Mayer
Customer Service Engineering
-----------------------------
Phone: +43 316 495-5640
Fax: +43 316 491 395
frank.mayer at knapp.com
www.KNAPP.com
-----------------------------
KNAPP Logistik Automation GmbH
Guenter-Knapp-Str. 5-7
8075 Hart bei Graz, Austria
-----------------------------
Commercial register number: FN 36404k
Commercial register court: Graz
-----------------------------
The information in this e-mail (including any attachment) is confidential
and intended to be for the use of the addressee(s) only. If you have
received the e-mail by mistake, any disclosure, copy, distribution or use
of the contents of the e-mail is prohibited, and you must delete the e-mail
from your system. As e-mail can be changed electronically KNAPP assumes no
responsibility for any alteration to this e-mail or its attachments. KNAPP
has taken every reasonable precaution to ensure that any attachment to this
e-mail has been swept for virus. However, KNAPP does not accept any
liability for damage sustained as a result of such attachment being virus
infected and strongly recommend that you carry out your own virus check
before opening any attachment.
Paul Whelan <wheelo_01 at hotmail.com>
Sent by: users-bounces at openswan.org
04/17/2008 06:37 PM
To: <users at openswan.org>
Subject: [Openswan Users] Openswan Cisco ASA
Hello
I'm trying to set up a tunnel between Openswan 2.4.9 (I've also tried 2.4.11)
and a Cisco ASA, however I am getting the errors below. As can be seen,
phase 1 IKE succeeds, however phase 2 doesn't.
*****************************
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: initiating Main Mode
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Cisco-Unity]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [XAUTH]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring unknown Vendor ID payload [42fc5a89d3e07f949aed6dc2a8e20893]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: I did not send a certificate because I do not have one.
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Dead Peer Detection]
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.2'
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Apr 17 16:41:14 localhost pluto[2784]: "con1" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring informational payload, type INVALID_ID_INFORMATION
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received and ignored informational message
Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Delete SA payload: deleting ISAKMP State #5
Apr 17 16:41:14 localhost pluto[2784]: packet from 192.168.10.2:500: received and ignored informational message
**************************
My ipsec.conf:

conn con0
        rightsubnet=9.0.0.1/24
        leftsubnet=11.0.0.1/24
        also=gw-to-gw

conn con1
        rightsubnet=9.0.1.3/24
        leftsubnet=11.0.1.3/24
        also=gw-to-gw

conn gw-to-gw
        left=192.168.10.2
        right=192.168.10.1
        esp=3des-md5
        authby=secret
        type=tunnel
        auto=add
        rekey=yes
        keylife=8h
        ike=3des-md5-modp1024
        aggrmode=no
        pfs=no
        compress=no
************************************
On the Cisco side of things I get error messages:

713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 local proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2

I've looked up this error, which is basically complaining that the tunnel
addresses on both sides don't match. However, I've checked all my addresses and
they match.
One thing wrong to notice from the error is 9.0.1.0 and 11.0.1.0, as I have
9.0.0.1 and 11.0.0.1 configured both in ipsec.conf and on the Cisco ASA.
I've tried googling all the error messages, but nothing I've found has
helped. I've plugged my Openswan side into another Openswan configured with
the IP of the Cisco ASA side and the tunnel came up fine. Am I missing anything
from my config file needed to communicate with the ASA?
Regards,
Paul Whelan
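The proxy-ID mismatch above can be checked mechanically before touching either box. The following is an added example, not code from either poster or from the Openswan or Cisco projects: it parses the ipsec.conf fragment from the thread (including the also= include), normalises each conn's subnets the way they appear on the wire (a /24 written with host bits set, such as 9.0.1.3/24, is proposed as 9.0.1.0/24), extracts the remote and local proxies from the quoted 713061 message, and reports which conn those proxies actually correspond to. The pluto log names "con1" as the conn negotiating Quick Mode, and con1's 9.0.1.3/24 and 11.0.1.3/24 normalise to exactly the 9.0.1.0/24 and 11.0.1.0/24 the ASA rejected, so the networks to compare against the ASA's crypto-map access list are those, not con0's. The config text and message are constructed copies of what is quoted in the thread; the function names are this example's own.

```python
"""Cross-check the subnets an Openswan conn proposes as Phase 2 proxy IDs
against the proxy IDs a Cisco ASA rejected in a 713061 message.

Added example built from the ipsec.conf and log excerpts in the thread; it is
not Openswan or Cisco code.  Config and message below are constructed copies.
"""
import ipaddress
import re

# Constructed copy of the ipsec.conf from the thread (subnet values as posted).
IPSEC_CONF = """\
conn con0
    rightsubnet=9.0.0.1/24
    leftsubnet=11.0.0.1/24
    also=gw-to-gw
conn con1
    rightsubnet=9.0.1.3/24
    leftsubnet=11.0.1.3/24
    also=gw-to-gw
conn gw-to-gw
    left=192.168.10.2
    right=192.168.10.1
    esp=3des-md5
    authby=secret
    type=tunnel
    auto=add
"""

# The ASA rejection line as quoted in the thread (constructed copy).
ASA_MSG = ("713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: no "
           "matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 local "
           "proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2")


def parse_conns(text):
    """Return {conn_name: {key: value}} with 'also=' includes expanded.
    Keys set directly in a conn override those pulled in from an include."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif '=' in line and current is not None:
            key, value = line.split('=', 1)
            conns[current][key.strip()] = value.strip()

    def expand(name, seen=()):
        params = dict(conns[name])
        include = params.pop('also', None)
        if include in conns and include not in seen:
            merged = expand(include, seen + (name,))
            merged.update(params)
            return merged
        return params

    return {name: expand(name) for name in conns}


def normalise(subnet):
    """Mask off host bits, which is what the peer sees in the proxy ID:
    9.0.1.3/24 is proposed as 9.0.1.0/24."""
    return ipaddress.ip_network(subnet, strict=False)


def parse_asa_proxies(msg):
    """Pull (remote, local) networks out of a 713061 'no matching crypto map
    entry' message; each proxy is written addr/mask/protocol/port."""
    m = re.search(r'remote proxy ([\d.]+)/([\d.]+)/\d+/\d+\s+local\s+proxy\s+([\d.]+)/([\d.]+)/', msg)
    if m is None:
        raise ValueError('not a 713061 proxy-mismatch message')
    remote = ipaddress.ip_network(f'{m.group(1)}/{m.group(2)}', strict=False)
    local = ipaddress.ip_network(f'{m.group(3)}/{m.group(4)}', strict=False)
    return remote, local


def match_conns(conns, msg):
    """Return the conns whose normalised subnets are exactly the proxy IDs the
    ASA rejected: that is the conn the peer actually saw negotiating.  'remote'
    in the ASA message is the Openswan side, so decide whether Openswan is
    left or right from the peer IP the ASA reports."""
    remote, local = parse_asa_proxies(msg)
    peer_ip = re.search(r'IP = ([\d.]+)', msg).group(1)
    matches = []
    for name, p in conns.items():
        if 'leftsubnet' not in p or 'rightsubnet' not in p:
            continue  # template conns such as gw-to-gw carry no subnets
        ours, theirs = ('right', 'left') if p.get('right') == peer_ip else ('left', 'right')
        if normalise(p[ours + 'subnet']) == remote and normalise(p[theirs + 'subnet']) == local:
            matches.append(name)
    return matches


if __name__ == '__main__':
    conns = parse_conns(IPSEC_CONF)
    for name, p in conns.items():
        if 'leftsubnet' in p:
            print(f"{name}: proposes {normalise(p['rightsubnet'])} <-> {normalise(p['leftsubnet'])}")
    print('ASA rejected:', *parse_asa_proxies(ASA_MSG))
    print('conn the ASA saw:', match_conns(conns, ASA_MSG))
```

Run against the thread's values it reports con0 as 9.0.0.0/24 <-> 11.0.0.0/24, con1 as 9.0.1.0/24 <-> 11.0.1.0/24, and con1 as the conn matching the rejected proxies. The same normalisation applies to the ASA's crypto-map access list: the local and remote networks there have to equal these masked values, in the direction Frank describes (the ASA's local network is Openswan's leftsubnet here, since the ASA is left), or the ASA answers Quick Mode with INVALID_ID_INFORMATION exactly as the pluto log shows.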