[Openswan Users] openswan and cisco asa-5510 interop problem
Sergei LITVINENKO
sergei.litvinenko at gmail.com
Sun Mar 9 08:39:10 EDT 2008
There is a classic tunnel between openswan-2.4.12rc3 and cisco asa-5510:
[root at mail root]# ipsec --version
Linux Openswan 2.4.12rc3 (klips)
------------------------------------------------------------------------
/etc/ipsec.conf
...
config setup
    interfaces="ipsec0=eth2"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    nat_traversal=no

conn %default
    leftrsasigkey=%none
    rightrsasigkey=%none
    type=tunnel
    compress=no
    auth=esp
    authby=secret
    keyexchange=ike
    disablearrivalcheck=yes

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

conn OPS-AND-OPS
    rekey=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    compress=no
    ike=3des-sha1-modp1024
    esp=3des-sha1
    left=xxx.x.xxx.178
    leftnexthop=xxx.x.xxx.177
    leftsubnet=10.101.0.0/16
    right=xxx.xx.xxx.172
    rightnexthop=xxx.xx.xxx.169
    rightsubnet=10.102.0.0/16
    ikelifetime=3600
    keylife=7200
    pfs=no
    auto=start
------------------------------------------------------------------------
Script to test tunnel ...
---
#!/bin/bash
# Ping the far end of the tunnel every $sleepSec seconds and log each
# change between reachable (SUCCESS) and unreachable (PROBLEM).
(
    export endPoint="10.102.3.1"
    export logFile=${endPoint}.log
    export sleepSec=10
    (
        # status: 0 = last ping succeeded, 1 = last ping failed (start as failed)
        let status=1
        echo "endPoint = $endPoint, logFile = $logFile, sleepSec = $sleepSec"
        while : ; do
            ping -c 1 -w 2 ${endPoint} > /dev/null 2>&1
            if [ $? -eq 0 ] ; then
                if [ $status -ne 0 ] ; then
                    let status=0
                    echo "`date`: status = SUCCESS"
                fi
            else
                if [ $status -eq 0 ] ; then
                    let status=1
                    echo "`date`: status = PROBLEM"
                fi
            fi
            sleep $sleepSec
        done
    ) > ${logFile} 2>&1 &
)
------------------------------------------------------------------------
Result of testing:
...
Mar 8 22:14:55 EET 2008: status = SUCCESS
Mar 8 22:49:31 EET 2008: status = PROBLEM
Mar 8 23:49:08 EET 2008: status = SUCCESS
Mar 9 00:34:45 EET 2008: status = PROBLEM
Mar 9 01:33:45 EET 2008: status = SUCCESS
Mar 9 02:19:12 EET 2008: status = PROBLEM
Mar 9 03:22:50 EET 2008: status = SUCCESS
Mar 9 04:08:27 EET 2008: status = PROBLEM
Mar 9 05:13:41 EET 2008: status = SUCCESS
Mar 9 05:59:18 EET 2008: status = PROBLEM
Mar 9 06:59:55 EET 2008: status = SUCCESS
Mar 9 07:45:33 EET 2008: status = PROBLEM
Mar 9 08:50:46 EET 2008: status = SUCCESS
Mar 9 09:36:23 EET 2008: status = PROBLEM
Mar 9 10:40:24 EET 2008: status = SUCCESS
Mar 9 11:25:52 EET 2008: status = PROBLEM
Mar 9 12:29:17 EET 2008: status = SUCCESS
Mar 9 13:14:44 EET 2008: status = PROBLEM
------------------------------------------------------------------------
Rekey = yes/no does not solve the problem.
Config on cisco ASA-5510
---
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 7200
crypto map outside_map 20 set nat-t-disable
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
------------------------------------------------------------------------
All links to lists.freeswan.org are outdated:
http://www.freeswan.org/freeswan_trees/freeswan-2.01/doc/interop.html
...
=> A Linux FreeS/WAN-Cisco connection may close after some time. Here
<http://lists.freeswan.org/pipermail/users/2001-December/005758.html> is
a workaround.
...
How can I solve this problem?
--
There is a great difference between
"be involved" and "be committed".
Usually we are committed...
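An added example (not part of the original post or of Openswan) that parses the status lines written by the test script above and turns them into up/down durations and full SUCCESS-to-SUCCESS cycle lengths, so the observed periods can be compared with the ikelifetime=3600 and keylife=7200 values from the config. The embedded log is a constructed copy of the first six result lines; the function and variable names are my own.

```python
import re
from datetime import datetime

# Constructed sample: the first six status lines from the post's log.
SAMPLE_LOG = """\
Mar 8 22:14:55 EET 2008: status = SUCCESS
Mar 8 22:49:31 EET 2008: status = PROBLEM
Mar 8 23:49:08 EET 2008: status = SUCCESS
Mar 9 00:34:45 EET 2008: status = PROBLEM
Mar 9 01:33:45 EET 2008: status = SUCCESS
Mar 9 02:19:12 EET 2008: status = PROBLEM
"""

# `date` output: month, day (possibly padded with an extra space), time, zone, year.
LINE_RE = re.compile(
    r"^(\w{3}) +(\d{1,2}) (\d\d:\d\d:\d\d) \S+ (\d{4}): status = (SUCCESS|PROBLEM)$"
)


def parse_log(text):
    """Return [(timestamp, state), ...]; lines that are not status lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mon, day, hms, year, state = m.groups()
        ts = datetime.strptime(f"{mon} {day} {hms} {year}", "%b %d %H:%M:%S %Y")
        events.append((ts, state))
    return events


def transitions(events):
    """Seconds spent in each up (SUCCESS) and each down (PROBLEM) period."""
    up, down = [], []
    for (t0, s0), (t1, _) in zip(events, events[1:]):
        secs = int((t1 - t0).total_seconds())
        (up if s0 == "SUCCESS" else down).append(secs)
    return up, down


def compare_to_lifetimes(events, ikelifetime=3600, keylife=7200):
    """Full SUCCESS->SUCCESS cycle lengths next to the configured lifetimes."""
    ups = [t for t, s in events if s == "SUCCESS"]
    cycles = [int((b - a).total_seconds()) for a, b in zip(ups, ups[1:])]
    up, down = transitions(events)
    return {"cycle_secs": cycles, "up_secs": up, "down_secs": down,
            "ike_lifetime": ikelifetime, "sa_lifetime": keylife}
```

Run it against the real 10.102.3.1.log to see whether the up/down periods line up with either lifetime or with the DPD timeout.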