[Openswan Users] Openswan to Cisco using Cisco isakmp profiles

John Serink jserink2004 at yahoo.com
Wed Jan 16 11:35:38 EST 2008

Hi All:

Here is my openswan version:
jerinkturion ipsec # ipsec --version
Linux Openswan U2.4.9/K2.6.20-gentoo-r7 (netkey)

Cisco IOS Software, C1700 Software (C1700-K9O3SY7-M), Version 12.4(17), RELEASE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 07-Sep-07 14:17 by prod_rel_team

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)

SingaporeiLab uptime is 5 weeks, 5 days, 9 hours, 31 minutes
System returned to ROM by reload
System image file is "flash:c1700-k9o3sy7-mz.124-17.bin"

Here is my ipsec.conf file:
# This file:  /usr/share/doc/openswan-2.4.9/ipsec.conf-sample
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        # virtual_private=%v4:,%v4:,%v4:
        # enable this if you see "failed to find any available worker"

# Add connections here

conn singaporeiLab

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec/ipsec.d/examples/no_oe.conf

Here is the pluto output:
jerinkturion ipsec # ipsec auto --up singaporeiLab
104 "singaporeiLab" #1: STATE_MAIN_I1: initiate
003 "singaporeiLab" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
106 "singaporeiLab" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "singaporeiLab" #1: received Vendor ID payload [Cisco-Unity]
003 "singaporeiLab" #1: received Vendor ID payload [Dead Peer Detection]
003 "singaporeiLab" #1: ignoring unknown Vendor ID payload
003 "singaporeiLab" #1: received Vendor ID payload [XAUTH]
003 "singaporeiLab" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
108 "singaporeiLab" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "singaporeiLab" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
117 "singaporeiLab" #2: STATE_QUICK_I1: initiate
010 "singaporeiLab" #2: STATE_QUICK_I1: retransmission; will wait 20s for
010 "singaporeiLab" #2: STATE_QUICK_I1: retransmission; will wait 40s for
031 "singaporeiLab" #2: max number of retransmissions (2) reached
STATE_QUICK_I1.  No acceptable response to our first Quick Mode message:
perhaps peer likes no proposal
000 "singaporeiLab" #2: starting keying attempt 2 of an unlimited number, but
releasing whack

So, the phase 1 is up, I can see that on the Cisco as well. Here is the debug
from the Cisco:

SingaporeiLab#show debug
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto ISAKMP Error debugging is on
  Crypto ISAKMP High Availability debugging is on

*Jun  9 15:19:06.647: ISAKMP:(0:1:SW:1):purging node -14721836
*Jun  9 15:19:26.759: ISAKMP (0:134217729): received packet from
dport 4500 sport 4500 Global (R) QM_IDLE
*Jun  9 15:19:26.759: ISAKMP: set new node 1678256259 to QM_IDLE
*Jun  9 15:19:26.763: ISAKMP:(0:1:SW:1): processing HASH payload. message ID =
*Jun  9 15:19:26.763: ISAKMP:(0:1:SW:1): processing SA payload. message ID =
*Jun  9 15:19:26.763: ISAKMP:(0:1:SW:1):Checking IPSec proposal 0
*Jun  9 15:19:26.763: ISAKMP: transform 0, ESP_AES
*Jun  9 15:19:26.763: ISAKMP:   attributes in transform:
*Jun  9 15:19:26.763: ISAKMP:      group is 2
*Jun  9 15:19:26.763: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Jun  9 15:19:26.763: ISAKMP:      SA life type in seconds
*Jun  9 15:19:26.767: ISAKMP:      SA life duration (basic) of 28800
*Jun  9 15:19:26.767: ISAKMP:      authenticator is HMAC-MD5
*Jun  9 15:19:26.767: ISAKMP:      key length is 128
*Jun  9 15:19:26.767: ISAKMP:(0:1:SW:1):atts are acceptable.
*Jun  9 15:19:26.771: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Jun  9 15:19:26.771: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable!
(local remote
*Jun  9 15:19:26.771: ISAKMP: set new node -520296930 to QM_IDLE
*Jun  9 15:19:26.771: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN
protocol 3
        spi 2197619712, message ID = -520296930
*Jun  9 15:19:26.775: ISAKMP:(0:1:SW:1): sending packet to
my_port 4500 peer_port 4500 (R) QM_IDLE
*Jun  9 15:19:26.775: ISAKMP:(0:1:SW:1):purging node -520296930
*Jun  9 15:19:26.775: ISAKMP:(0:1:SW:1):deleting node 1678256259 error TRUE
reason "QM rejected"
*Jun  9 15:19:26.779: ISAKMP (0:134217729): Unknown Input IKE_MESG_FROM_PEER,
IKE_QM_EXCH:  for node 1678256259: state = IKE_QM_READY
*Jun  9 15:19:26.779: ISAKMP:(0:1:SW:1):Node 1678256259, Input =
*Jun  9 15:19:26.779: ISAKMP:(0:1:SW:1):Old State = IKE_QM_READY  New State =
*Jun  9 15:19:26.779: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode
failed with peer at
*Jun  9 15:19:35.907: ISAKMP (0:134217729): received packet from
dport 4500 sport 4500 Global (R) QM_IDLE
*Jun  9 15:19:35.907: ISAKMP:(0:1:SW:1): phase 2 packet is a duplicate of a
previous packet.
*Jun  9 15:19:35.907: ISAKMP:(0:1:SW:1): retransmitting due to retransmit phase
*Jun  9 15:19:35.911: ISAKMP:(0:1:SW:1): ignoring retransmission,because phase2
node marked dead 1678256259                                                    

You can see that everything is fine until:
*Jun  9 15:19:26.771: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Jun  9 15:19:26.771: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable!
(local remote

Here is my Cisco Config:
crypto keyring spokes
  pre-shared-key address key jimmy
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group testgroup
 key icFukGamcus~
 domain singaporeilab.com.sg
 pool ippool
crypto isakmp profile L2L
   description LAN.to.LAN for spoke router(s) connection
   keyring spokes
   match identity address
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group testgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
crypto ipsec transform-set thisset esp-aes esp-md5-hmac
crypto ipsec transform-set jim esp-aes esp-md5-hmac
crypto dynamic-map dynmap 5
 set transform-set thisset
 set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
 set transform-set thisset
 set pfs group2
 set isakmp-profile L2L
crypto map mymap 10 ipsec-isakmp dynamic dynmap

Everything matches my ipsec.conf file, so I'm kind of confused about this and,
unfortunately, all the PSK examples from Openswan to Cisco on the Wiki are dead.

Does anyone have any tips?


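The useful detail in the debug above is the order of the verdict lines: the router prints "atts are acceptable." for the transform attributes and only afterwards "IPSec policy invalidated proposal", so the transform set and PFS group are not what it refused. The script below is an added example, not part of the original post and not Openswan or IOS code: it parses `debug crypto isakmp` Quick Mode output into the proposal attributes, compares them with the transform-set words and `set pfs` group of the dynamic-map entry the proposal should have matched, and reports whether the failure happened at attribute matching or in the policy check that follows it. The sample input is a constructed subset of the post's debug lines; the keyword-to-debug-name mapping is taken from the post for `esp-aes` and `esp-md5-hmac`, and the remaining entries (`esp-3des`, `esp-des`, `esp-sha-hmac`) are assumed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the "debug crypto isakmp" lines from the
# post, with the truncated "(local remote" line left out.
SAMPLE_DEBUG = """\
*Jun  9 15:19:26.763: ISAKMP:(0:1:SW:1):Checking IPSec proposal 0
*Jun  9 15:19:26.763: ISAKMP: transform 0, ESP_AES
*Jun  9 15:19:26.763: ISAKMP:   attributes in transform:
*Jun  9 15:19:26.763: ISAKMP:      group is 2
*Jun  9 15:19:26.763: ISAKMP:      encaps is 61443 (Tunnel-UDP)
*Jun  9 15:19:26.763: ISAKMP:      SA life type in seconds
*Jun  9 15:19:26.767: ISAKMP:      SA life duration (basic) of 28800
*Jun  9 15:19:26.767: ISAKMP:      authenticator is HMAC-MD5
*Jun  9 15:19:26.767: ISAKMP:      key length is 128
*Jun  9 15:19:26.767: ISAKMP:(0:1:SW:1):atts are acceptable.
*Jun  9 15:19:26.771: ISAKMP:(0:1:SW:1): IPSec policy invalidated proposal
*Jun  9 15:19:26.771: ISAKMP:(0:1:SW:1): phase 2 SA policy not acceptable!
*Jun  9 15:19:26.771: ISAKMP:(0:1:SW:1):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

# transform-set keywords -> the names the debug output uses. esp-aes and
# esp-md5-hmac are taken from the post; the other entries are assumed.
CIPHER_NAMES = {"esp-aes": "ESP_AES", "esp-3des": "ESP_3DES", "esp-des": "ESP_DES"}
AUTH_NAMES = {"esp-md5-hmac": "HMAC-MD5", "esp-sha-hmac": "HMAC-SHA"}

# Lines that mark the router refusing the Quick Mode proposal after the
# attribute check ("atts not acceptable" is handled separately below).
REJECTION_MARKERS = (
    "IPSec policy invalidated proposal",
    "phase 2 SA policy not acceptable",
    "PROPOSAL_NOT_CHOSEN",
)


@dataclass
class Phase2Proposal:
    transform: Optional[str] = None
    group: Optional[int] = None
    encaps: Optional[str] = None
    life_seconds: Optional[int] = None
    authenticator: Optional[str] = None
    key_length: Optional[int] = None
    atts_acceptable: Optional[bool] = None
    rejections: List[str] = field(default_factory=list)


def parse_phase2_debug(text: str) -> Phase2Proposal:
    """Pull the proposal attributes and verdict lines out of ISAKMP debug output."""
    p = Phase2Proposal()
    for line in text.splitlines():
        if m := re.search(r"transform \d+, (\S+)", line):
            p.transform = m.group(1)
        elif m := re.search(r"group is (\d+)", line):
            p.group = int(m.group(1))
        elif m := re.search(r"encaps is (\d+)(?: \(([^)]*)\))?", line):
            p.encaps = m.group(2) or m.group(1)  # prefer the label, e.g. Tunnel-UDP
        elif m := re.search(r"SA life duration \(basic\) of (\d+)", line):
            p.life_seconds = int(m.group(1))
        elif m := re.search(r"authenticator is (\S+)", line):
            p.authenticator = m.group(1)
        elif m := re.search(r"key length is (\d+)", line):
            p.key_length = int(m.group(1))
        elif "atts are acceptable" in line:
            p.atts_acceptable = True
        elif "atts not acceptable" in line:
            p.atts_acceptable = False
            p.rejections.append(line.strip())
        elif any(marker in line for marker in REJECTION_MARKERS):
            p.rejections.append(line.strip())
    return p


def expected_from_config(transform_set: str, pfs_group: Optional[int]) -> dict:
    """Translate the words of a 'crypto ipsec transform-set' line plus the
    dynamic map's 'set pfs' group into the names the debug output uses."""
    expected = {"transform": None, "authenticator": None, "group": pfs_group}
    for word in transform_set.split():
        if word in CIPHER_NAMES:
            expected["transform"] = CIPHER_NAMES[word]
        elif word in AUTH_NAMES:
            expected["authenticator"] = AUTH_NAMES[word]
    return expected


def triage(debug_text: str, transform_set: str, pfs_group: Optional[int]) -> dict:
    """Classify where Quick Mode failed: at attribute matching, or afterwards."""
    proposal = parse_phase2_debug(debug_text)
    expected = expected_from_config(transform_set, pfs_group)
    mismatches = [key for key, value in expected.items()
                  if value is not None and getattr(proposal, key) != value]
    if proposal.atts_acceptable is False:
        stage = "attributes_rejected"          # transform-set / PFS mismatch
    elif mismatches:
        stage = "proposal_differs_from_expected"  # router accepted, config we compared against did not
    elif proposal.rejections:
        stage = "policy_rejected_after_attribute_match"  # look past the transform set
    else:
        stage = "accepted"
    return {
        "stage": stage,
        "mismatches": mismatches,
        "proposal": proposal,
        "first_rejection": proposal.rejections[0] if proposal.rejections else None,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG, "esp-aes esp-md5-hmac", pfs_group=2)
    print(result["stage"], result["mismatches"])
    print(result["first_rejection"])
```

Run against the post's dynamic-map entry (`esp-aes esp-md5-hmac`, `set pfs group2`) the result is `policy_rejected_after_attribute_match` with no mismatches, which confirms that the transform set is not what to keep editing; the same helper run with a deliberately different transform set reports the differing attribute by name, so it doubles as a quick check that an ipsec.conf `esp=`/`pfs=` line and the IOS side actually agree before a tunnel is brought up.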