[Openswan Users] problems with vpn between cisco and openswan

David McCullough David_Mccullough at securecomputing.com
Mon Dec 14 17:44:35 EST 2009


Jivin Michael Stevens lays it down ...
> Hi.
> 
> I'm trying to run a vpn between one machine running a cisco asa, and the other running openswan. The openswan end is under my control.
> 
> The openswan end is a VPS running centos 5.4.
> 
> The tunnel definition is:
> 
> conn tunnelipsec
>         type=           tunnel
>         authby=         secret
>         left=           a.b.c.d
>         leftsourceip=   p.q.r.s
>         leftnexthop=    %defaultroute
>         leftsubnet=     192.168.2.0/24
>         right=          l.m.n.o
>         rightnexthop=   %defaultroute
>         rightsubnet=    ef.f.g.h/24
>         ike=            aes128-sha1-modp1024
>         esp=            aes128-sha1
>         keyexchange=    ike
>         pfs=            yes
>         auto=           start
>         keylife=        86400s
> 
> I've obviously censored the IP addresses involved.
> 
> I get various messages in the logs, at the moment I'm seeing a lot of:
> 
> Dec 14 14:56:11 foo pluto[20102]: "tunnelipsec" #11: ignoring informational payload, type INVALID_SPI msgid=00000000
> 
> The VPN works fine for a few hours, then drops. I've not worked out what the trigger is.

It might be dying when the Cisco rekeys.  Try setting your keylife to
3600 (1 hour) and see how that goes.

Cheers,
Davidm


-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
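An added example (not code from the thread or from Openswan) that parses a conn block like the one above, converts its keylife to seconds and flags it against an assumed peer lifetime of 3600s, and counts the INVALID_SPI notices per conn in pluto log lines of the quoted format. The sample conn and log lines are constructed; the peer lifetime and the log pattern are assumptions.

```python
"""Added example: check an Openswan conn's keylife against an assumed peer lifetime and count INVALID_SPI notices per conn."""
import re
from collections import Counter
# Constructed sample conn, mirroring the post (addresses censored there too).
SAMPLE_CONF = """\
conn tunnelipsec
        authby=         secret
        left=           a.b.c.d
    leftsourceip=    p.q.r.s
        right=          l.m.n.o
    keylife=    86400s
"""

# Constructed pluto log lines in the format quoted in the post.
SAMPLE_LOG = """\
Dec 14 14:56:11 foo pluto[20102]: "tunnelipsec" #11: ignoring informational payload, type INVALID_SPI msgid=00000000
Dec 14 14:56:41 foo pluto[20102]: "tunnelipsec" #11: ignoring informational payload, type INVALID_SPI msgid=00000000
Dec 14 14:57:02 foo pluto[20102]: "othertunnel" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_conns(text):
    """Return {conn_name: {key: value}}; leading whitespace is irrelevant, as in ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conns[current][key] = value
    return conns

def lifetime_seconds(value):
    """Convert an ipsec.conf time value such as '86400s', '24h' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("unrecognised time value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def keylife_exceeds_peer(conn, peer_lifetime=3600):
    """True when this end's SA lifetime exceeds the assumed peer lifetime (Openswan default keylife 8h if absent)."""
    return lifetime_seconds(conn.get("keylife", "8h")) > peer_lifetime

def count_invalid_spi(log_text):
    """Count INVALID_SPI informational payloads per conn name in pluto log lines (pattern assumed)."""
    pattern = re.compile(r'pluto\[\d+\]: "([^"]+)" #\d+: .*type INVALID_SPI')
    return Counter(m.group(1) for line in log_text.splitlines() if (m := pattern.search(line)))
```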

