[Openswan Users] Re: Openswan Cisco ASA
Paul Whelan
wheelo_01 at hotmail.com
Fri Apr 18 12:01:53 EDT 2008
Yep, I had the remote networks switched; tunnel up, traffic passing now. Thanks for the help :)
> Subject: Re: [Openswan Users] Openswan Cisco ASA
> To: wheelo_01 at hotmail.com
> CC: users at openswan.org; users-bounces at openswan.org
> From: frank.mayer at knapp.com
> Date: Thu, 17 Apr 2008 18:50:49 +0200
>
> Hello,
>
> I'm not sure about a Cisco ASA, but with a Cisco Router I'd say the crypto
> map entry of the Cisco device had an access list that specified
> different networks to be tunnelled.
>
> One thing I found helpful in the past was having the other end of the
> Tunnel try establishing the connection: Openswan's log entries in that case
> give more information, e.g. which networks the peer wants to tunnel (if it
> does try so at all; if it does not, then I'm rather sure, the Cisco-end has
> local and remote networks switched in its access list for the tunnel:
> that's a common error).
>
> Best Regards
>
> Frank Mayer
> Customer Service Engineering
> -----------------------------
> Phone: +43 316 495-5640
> Fax: +43 316 491 395
> frank.mayer at knapp.com
> www.KNAPP.com
> -----------------------------
> KNAPP Logistik Automation GmbH
> Guenter-Knapp-Str. 5-7
> 8075 Hart bei Graz, Austria
> -----------------------------
> Commercial register number: FN 36404k
> Commercial register court: Graz
> -----------------------------
>
> Paul Whelan <wheelo_01 at hotmail.com>
> Sent by: users-bounces at openswan.org
> 04/17/2008 06:37 PM
>
> To: <users at openswan.org>
> Cc:
> Subject: [Openswan Users] Openswan Cisco ASA
>
> Hello
>
> I'm trying to set up a tunnel between Openswan 2.4.9 (I've also tried 2.4.11
> as well) and a Cisco ASA, however I am getting the errors below. As can be
> seen, phase 1 IKE succeeds, however phase 2 doesn't.
>
>
> *****************************
>
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: initiating Main Mode
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I2: sent MI2, expecting MR2
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Cisco-Unity]
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [XAUTH]
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring unknown Vendor ID payload [42fc5a89d3e07f949aed6dc2a8e20893]
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: I did not send a certificate because I do not have one.
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I3: sent MI3, expecting MR3
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Vendor ID payload [Dead Peer Detection]
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.10.2'
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: ignoring informational payload, type INVALID_ID_INFORMATION
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received and ignored informational message
> Apr 17 16:41:14 localhost pluto[2784]: "con1" #5: received Delete SA payload: deleting ISAKMP State #5
> Apr 17 16:41:14 localhost pluto[2784]: packet from 192.168.10.2:500: received and ignored informational message
>
> **************************
> My ipsec.conf
>
> conn con0
>     rightsubnet=9.0.0.1/24
>     leftsubnet=11.0.0.1/24
>     also=gw-to-gw
>
> conn con1
>     rightsubnet=9.0.1.3/24
>     leftsubnet=11.0.1.3/24
>     also=gw-to-gw
>
> conn gw-to-gw
>     left=192.168.10.2
>     right=192.168.10.1
>     esp=3des-md5
>     authby=secret
>     type=tunnel
>     auto=add
>     rekey=yes
>     keylife=8h
>     ike=3des-md5-modp1024
>     aggrmode=no
>     pfs=no
>     compress=no
>
> ************************************
>
> On the Cisco side of things I get error messages:
>
> 713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 local proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2
>
> I've looked up this error, which is basically complaining that the tunnel
> addresses on both sides don't match. However, I've checked all my addresses and
> they match.
>
> One wrong thing to notice from the error is 9.0.1.0 and 11.0.1.0, as I have
> 9.0.0.1 and 11.0.0.1 configured both in ipsec.conf and on the Cisco ASA.
>
> I've tried googling all the error messages, but nothing I've found has
> helped. I've plugged my Openswan side into another Openswan configured with
> the IP of the Cisco ASA side and the tunnel came up fine. Am I missing anything
> from my config file needed to communicate with the ASA?
>
> Regards,
> Paul Whelan
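As an added example (not code from the thread or from the Openswan project), a small Python check that mirrors Frank's diagnosis: it parses the ASA's 713061 rejection line, normalises the subnets the way Openswan does (9.0.1.3/24 becomes 9.0.1.0/24, which is why the ASA logs 9.0.1.0 rather than the configured host address) and compares the reported proxies against the ASA's crypto-map access list. The access-list line is a constructed sample, and the script assumes the ASA ACL lists the local network as source and the remote network as destination.

```python
import ipaddress
import re

# Constructed sample data modelled on the thread: the 713061 line the ASA logged and
# a hypothetical crypto-map access list with local and remote reversed (the common
# error Frank describes). Assumed: ASA crypto-map ACLs list the local network first.
ASA_REJECT = ("713061:Group =192.168.10.1, IP = 192.168.10.1, Rejecting IPSec tunnel: "
              "no matching crypto map entry for remote proxy 9.0.1.0/255.255.255.0/0/0 "
              "local proxy 11.0.1.0/255.255.255.0/0/0/0 on interface gw2")
ASA_ACL = ["access-list vpn-acl extended permit ip 9.0.1.0 255.255.255.0 "
           "11.0.1.0 255.255.255.0"]

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
REJECT_RE = re.compile(rf"remote proxy {IP}/{IP}/\d+/\d+ local proxy {IP}/{IP}")
ACL_RE = re.compile(rf"permit ip {IP} {IP} {IP} {IP}")


def net(addr, mask):
    """Network from address plus mask or prefix length; host bits are dropped, so the
    ipsec.conf value 9.0.1.3/24 becomes 9.0.1.0/24, which is what the ASA logs."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_reject(line):
    """(remote_proxy, local_proxy) as the ASA reports the peer's proposal, or None."""
    m = REJECT_RE.search(line)
    return None if m is None else (net(m[1], m[2]), net(m[3], m[4]))


def acl_pairs(lines):
    """(local, remote) per permit line; source is the local network (assumption above)."""
    for line in lines:
        m = ACL_RE.search(line)
        if m:
            yield net(m[1], m[2]), net(m[3], m[4])


def diagnose(reject_line, acl_lines):
    """Classify a 713061 rejection against the ASA's crypto-map ACL entries."""
    parsed = parse_reject(reject_line)
    if parsed is None:
        return "no proxy info in log line"
    remote, local = parsed
    pairs = list(acl_pairs(acl_lines))
    if (local, remote) in pairs:
        return "match"
    if (remote, local) in pairs:
        return f"ACL has local/remote switched: expected local {local} remote {remote}"
    return f"no ACL entry for local {local} remote {remote}"
```

Running `diagnose(ASA_REJECT, ASA_ACL)` on the sample reports the switched networks; with the ACL's source and destination exchanged it reports a match, which is the fix Paul ended up applying.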