[Openswan Users] Policy Mismatch: Stuck on

Khan, Hammad Aslam raohammad at gmail.com
Sat Mar 1 04:36:56 EST 2008


I checked with this configuration too (but using MD5 instead of SHA1) - I
am still getting the same thing.

How do we create policies for IPsec, by the way? Is there something that
needs to be configured, other than this IKE and ESP for the IPsec tunnel,
once ISAKMP is up?


On Fri, Feb 29, 2008 at 4:49 PM, Sebastien COUPPEY <sebastien.couppey at zero9.it> wrote:

> You don't put the IKE parameter?
> Me, with the Cisco vpn3030, I have forced:
>
>    ikelifetime=24h
>    keylife=28800
>    ike=3des-sha1-modp1024
>    esp=3des-sha1
>    pfs=no
>    dpddelay=30
>    dpdtimeout=120
>    dpdaction=restart
>    auto=start
>
> On Thu, Feb 28, 2008 at 11:25:17AM +0500, Khan, Hammad Aslam wrote:
> > Correction
> >
> > On Thu, Feb 28, 2008 at 11:24 AM, Khan, Hammad Aslam <raohammad at gmail.com> wrote:
> >
> > > Hi All,
> > > I am supposed to connect to a Cisco VPN Concentrator 3000 series on the
> > > remote end, with Linux Fedora Core 6 on my end with Openswan installed.
> > >
> > > While trying to connect to the remote end, I am stuck on:
> > >
> > > 117 "connectionName" #2:STATE_QUICK_I1: initiate
> > > 010 "connectionName" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> > > 010 "connectionName" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> > >
> > > Remote End Company says (VPN Concentrator CISCO 3000 series):
> > > Please check your side policy. There is a mismatch.
> > >
> > > 14719 02/26/2008 13:07:45.600 SEV=4 IKE/61 RPT=40382 my.host.ip.add
> > > Group [my.host.ip.add]
> > > Tunnel rejected: Policy not found for Src:my.private.server.add, Dst: remote.private.ip.add!
> > >
> > >
> > > My Connection Config
> > >
> > > conn connectionName
> > >          type=tunnel
> > >          authby=secret                   # secret key
> > >          auth=esp
> > >          pfs=no
> > >          esp=3des-md5-96
> > >          left=my.host.ip.add
> > >          leftsubnet=my.private.server.add
> > >          #leftnexthop=192.168.100.11     # second eth of my OpenVPS machine connected to my private network
> > >          right=202.69.9.240              # my peer's external, internet-routable ip address
> > >          rightsubnet= remote.private.ip.add/32
> > >
> > > config setup
> > >         interfaces="ipsec0=eth0"
> > >         plutodebug="all"
> > >
> > > Connection that we were supposed to make (Remote End Credentials that
> > > we need to match):
> > >
> > > Hardware:           Cisco VPN Concentrator 3000
> > > DH Group:           Diffie-Hellman Group 2
> > > Production Peer:    6.6.6.6
> > > Encryption Domain:  172.18.104.244
> > > Encryption:         3DES
> > > Authentication:     MD5
> > > Life Time:          86400 sec
> > > PreShared Key:      "sharedKey"
> > > Protocol:           ESP
> > >
> > > How am I supposed to change the policy to match the above-mentioned
> > > connection credentials?
> > >
> > > Regards,
> > >
>
>
>
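
An added example, not part of any poster's message and not Openswan code: a small check that parses a conn section like the one in this thread and compares it with the peer parameter sheet quoted above. It assumes the sheet's 3DES/MD5 apply to both phases; `parse_conn`, `check_against_peer` and the sample left/right addresses are made up for illustration.

```python
import ipaddress

# Peer sheet values quoted in the thread (Cisco VPN Concentrator 3000 side).
PEER = {"enc": "3des", "hash": "md5", "dh_group": 2,
        "encryption_domain": "172.18.104.244/32"}
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5}

# Constructed sample: the thread's options, with made-up addresses standing
# in for the redacted left/leftsubnet values.
SAMPLE_CONN = """
conn connectionName
    authby=secret            # secret key
    pfs=no
    esp=3des-md5-96
    left=192.0.2.10
    leftsubnet=10.0.0.5
    right=198.51.100.20
    rightsubnet=172.18.104.244/32
"""

def parse_conn(text):
    """Collect key=value options of one conn section, dropping # comments."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts

def check_against_peer(opts, peer=PEER):
    """List mismatches between a parsed conn and the peer's parameter sheet."""
    findings = []
    want = [peer["enc"], peer["hash"]]
    ike = opts.get("ike", "").lower().split("-")
    if len(ike) < 3:
        findings.append("ike: no enc-hash-group proposal pinned for phase 1")
    elif ike[:2] != want or MODP_TO_GROUP.get(ike[2]) != peer["dh_group"]:
        findings.append(f"ike: {opts['ike']} differs from the peer sheet")
    if opts.get("esp", "").lower().split("-")[:2] != want:
        findings.append(f"esp: {opts.get('esp')} differs from the peer sheet")
    for key in ("leftsubnet", "rightsubnet"):
        if key in opts and "/" not in opts[key]:
            findings.append(f"{key}: {opts[key]} has no /prefix length")
    domain = ipaddress.ip_network(peer["encryption_domain"])
    right = opts.get("rightsubnet")
    if not right or ipaddress.ip_network(right, strict=False) != domain:
        findings.append(f"rightsubnet: {right} is not the peer domain {domain}")
    return findings
```

Call `check_against_peer(parse_conn(SAMPLE_CONN))` to get the list of findings; the subnet values must be real addresses, not the redaction placeholders used in the thread.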