[Openswan Users] Openswan <--> Cisco 877 VPN

Federico Viel fviel at bellunum.com
Thu Jul 2 04:29:26 EDT 2009


Hello,
I'm working on a site-to-site tunnel from Debian Openswan to a Cisco 877 router.
Everything seems fine but the tunnel does not start. It's like something is
blocking the VPN start on the Cisco 877 router.
I think the problem is on the Cisco 877 router.

I can reach the Openswan router by pinging from the Cisco 877 (I can see the DENY
entry in the firewall log, as below):
Jun 29 16:03:18 localhost kernel: RULE 17 -- DENY IN=eth4 OUT= MAC=00:13:49:24:49:bb:00:17:59:97:b0:18:08:00 SRC=85.yy.74.198 DST=88.xx.224.206 LEN=100 TOS=0x00 PREC=0x00 TTL=252 ID=16 PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=4

but no other entries are visible in the Openswan router firewall's log: I log
everything (accepted packets too) coming from the Cisco 877 ADSL point-to-point IP.
This looks like something is blocking the Cisco 877 from sending out VPN packets
to initiate the negotiation.

My IPsec configuration is as follows:

# Lambioi-scale-mobili (10.6.100.0-10.116.100.0) connection
conn lambioi
       type=tunnel
       left=88.xx.224.206
       leftid=@multifw.zxy.it
       leftsubnet=10.6.100.0/24
       right=85.yy.74.198
       rightsubnet=10.116.100.0/24
       esp=3des-sha1
       keyexchange=ike
       authby=secret
       auto=add

My Cisco 877 configuration is as follows:

lambioirouter#sh running-config
Building configuration...

Current configuration : 5928 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname lambioirouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$.....
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-2720181849
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2720181849
 revocation-check none
 rsakeypair TP-self-signed-2720181849
!
!
crypto pki certificate chain TP-self-signed-2720181849
 certificate self-signed 01
  30820252 
..
        quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.116.100.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.116.100.0 255.255.255.0
   default-router 10.116.100.254
   dns-server 151.99.125.1
!
!
ip cef
no ip bootp server
ip domain name zxy.com
ip name-server 151.99.125.1
ip name-server 151.99.0.100
!
username fede privilege 15 secret 5 $1$0QL
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key pskey address 88.xx.224.206
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
!
crypto map to-site2 10 ipsec-isakmp
 set peer 88.xx.224.206
 set transform-set s1s2trans
 match address 101
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 ip address 85.yy.74.198 255.255.255.252
 ip mtu 1412
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 pvc 8/35
  protocol ip 94.zz.cc.ss broadcast
  encapsulation aal5snap
 !
 crypto map to-site2
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.116.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.6.100.0 255.255.255.0 88.xx.224.206
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.116.100.0 0.0.0.255
access-list 101 permit ip 10.116.100.0 0.0.0.255 10.6.100.0 0.0.0.255
access-list 150 deny   ip 10.116.100.0 0.0.0.255 10.6.100.0 0.0.0.255
access-list 150 permit ip 10.116.100.0 0.0.0.255 any
no cdp run

!
!
!
route-map nonat permit 10
 match ip address 150
!
!
control-plane
!!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

These are some debug commands.

On the Openswan router:
Fwr: ipsec auto --up lambioi
Fwr: ipsec barf

Jul  1 16:48:36 localhost pluto[12697]: "lambioi" #139: initiating Main Mode
+ _________________________ date
+ date
Wed Jul  1 16:48:54 CEST 2009

On the Cisco 877:

lambioirouter#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
85.yy.74.198    88.xx.224.206   MM_SA_SETUP          0 ACTIVE
88.xx.224.206   85.yy.74.198    MM_NO_STATE          0 ACTIVE

IPv6 Crypto ISAKMP SA

lambioirouter#show crypto ipsec sa
     PFS (Y/N): N, DH group: none

interface: ATM0.1
    Crypto map tag: to-site2, local addr 85.yy.74.198

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.116.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.6.100.0/255.255.255.0/0/0)
   current_peer 88.xx.224.206 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 11, #recv errors 0

     local crypto endpt.: 85.yy.74.198, remote crypto endpt.: 88.xx.224.206
     path mtu 1412, ip mtu 1412, ip mtu idb ATM0.1
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
lambioirouter#show log
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level critical, 0 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 33 messages logged, xml disabled,
                     filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

ESM: 0 messages dropped

    Trap logging: level debugging, 37 message lines logged

Log Buffer (51200 bytes):

*Mar  1 00:00:10.071: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Initialized
*Mar  1 00:00:10.075: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0  State changed to: Enabled
*Mar  1 00:00:11.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to down
*Mar  1 00:00:12.007: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:00:13.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:37.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface SSLVPN-VIF0, changed state to up
000007: *Mar  1 01:00:39.375 PCTime: %SYS-6-CLOCKUPDATE: System clock has been updated from 00:00:39 UTC Fri Mar 1 2002 to 01:00:39 PCTime Fri Mar 1 2002, configured from console by console.
000008: *Mar  1 01:00:39.379 PCTime: %SYS-6-CLOCKUPDATE: System clock has been updated from 01:00:39 PCTime Fri Mar 1 2002 to 01:00:39 PCTime Fri Mar 1 2002, configured from console by console.
000009: *Mar  1 01:00:39.843 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down
000010: *Mar  1 01:00:40.119 PCTime: %SYS-5-CONFIG_I: Configured from memory by console
000011: *Mar  1 01:07:30.551 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to down
000012: *Mar  1 01:07:30.587 PCTime: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.4(22)T, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 10-Oct-08 12:57 by prod_rel_team
000013: *Mar  1 01:07:30.587 PCTime: %SNMP-5-COLDSTART: SNMP agent on host lambioirouter is undergoing a cold start
000014: *Mar  1 01:07:30.627 PCTime: %SSH-5-ENABLED: SSH 1.99 has been enabled
000015: *Mar  1 01:07:30.683 PCTime: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
000016: *Mar  1 01:07:30.683 PCTime: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
000017: *Mar  1 01:07:31.907 PCTime: %LINK-5-CHANGED: Interface NVI0, changed state to administratively down
000018: *Mar  1 01:07:31.955 PCTime: %LINK-3-UPDOWN: Interface FastEthernet3, changed state to up
000019: *Mar  1 01:07:31.955 PCTime: %LINK-3-UPDOWN: Interface FastEthernet2, changed state to up
000020: *Mar  1 01:07:31.967 PCTime: %LINK-3-UPDOWN: Interface FastEthernet1, changed state to up
000021: *Mar  1 01:07:31.967 PCTime: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
000022: *Mar  1 01:07:32.955 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet3, changed state to down
000023: *Mar  1 01:07:32.955 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2, changed state to down
000024: *Mar  1 01:07:32.967 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to down
000025: *Mar  1 01:07:32.967 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to down
000026: *Mar  1 01:09:01.979 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up
000027: *Mar  1 01:09:02.551 PCTime: %LINK-3-UPDOWN: Interface ATM0, changed state to up
000028: *Mar  1 01:09:03.551 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface ATM0, changed state to up
000029: *Mar  1 01:09:03.971 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1, changed state to up
000030: *Mar  1 01:10:37.599 PCTime: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
000031: *Mar  1 01:10:43.983 PCTime: %SYS-5-CONFIG_I: Configured from console by fede on vty0 (10.116.100.1)
000032: *Mar  1 01:10:49.651 PCTime: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 88.xx.224.206
000033: *Mar  1 01:11:59.451 PCTime: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 88.xx.224.206
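
An added example, not code from the original post or from the Openswan project: a small Python script that parses the Openswan conn block and the Cisco crypto stanzas quoted above and cross-checks what the two sides will propose. The keyword table, the parsing rules and the MISMATCH/CHECK severities are this script's own assumptions about the two syntaxes. Run on the configs from the post it reports the ESP integrity algorithm as a definite mismatch (esp=3des-sha1 on Openswan against esp-3des esp-md5-hmac on the Cisco), and lists the FQDN leftid, the unset ike= line and the PFS default as items to verify rather than as errors, since those depend on defaults and peer behaviour the configs alone do not pin down.

```python
"""Cross-check an Openswan conn block against a Cisco IOS crypto configuration.

Added example, not code from the original post or from the Openswan project.
The two excerpts are copied from the post; the keyword table, the parsing rules
and the MISMATCH/CHECK severities are assumptions made here about the two syntaxes.
"""
import re

OPENSWAN_CONF = """\
conn lambioi
       type=tunnel
       left=88.xx.224.206
       leftid=@multifw.zxy.it
       leftsubnet=10.6.100.0/24
       right=85.yy.74.198
       rightsubnet=10.116.100.0/24
       esp=3des-sha1
       keyexchange=ike
       authby=secret
       auto=add
"""

CISCO_CONF = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key pskey address 88.xx.224.206
!
crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
!
crypto map to-site2 10 ipsec-isakmp
 set peer 88.xx.224.206
 set transform-set s1s2trans
 match address 101
"""

# IOS transform-set keywords mapped onto Openswan's esp= spelling (assumed table).
IOS_ESP = {"esp-des": ("enc", "des"), "esp-3des": ("enc", "3des"), "esp-aes": ("enc", "aes128"),
           "esp-md5-hmac": ("auth", "md5"), "esp-sha-hmac": ("auth", "sha1")}


def parse_openswan(text):
    """Key=value pairs of the conn block, e.g. {'esp': '3des-sha1', 'authby': 'secret'}."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))


def parse_cisco(text):
    """Phase-1 policy, ESP transform set, PSK peers, crypto-map peers and PFS setting."""
    cfg = {"isakmp": {}, "esp": {}, "psk_peers": [], "map_peers": [], "pfs": None}
    section = None
    for line in text.splitlines():
        if line.startswith("crypto isakmp policy"):
            section = "isakmp"
        elif line.startswith("crypto map "):
            section = "map"
        elif line.startswith("crypto isakmp key"):
            cfg["psk_peers"] += re.findall(r"address (\S+)", line)
            section = None
        elif line.startswith("crypto ipsec transform-set"):
            for kw in line.split()[4:]:          # tokens after the set name
                if kw in IOS_ESP:
                    kind, name = IOS_ESP[kw]
                    cfg["esp"][kind] = name
            section = None
        elif line.startswith(" ") and section == "isakmp":
            key, _, val = line.strip().partition(" ")
            cfg["isakmp"][key] = val
        elif line.startswith(" ") and section == "map":
            words = line.split()
            if words[:2] == ["set", "peer"]:
                cfg["map_peers"].append(words[2])
            elif words[:2] == ["set", "pfs"]:
                cfg["pfs"] = words[2]
        else:
            section = None                         # "!" or an unrelated stanza
    return cfg


def compare(sw, cisco):
    """List of (severity, message). MISMATCH: the explicit settings cannot agree.
    CHECK: the outcome depends on a default or on peer behaviour the configs don't pin down."""
    out = []
    enc, _, auth = sw.get("esp", "").partition("-")
    for mine, theirs, label in ((enc, cisco["esp"].get("enc"), "ESP encryption"),
                                (auth, cisco["esp"].get("auth"), "ESP integrity")):
        if mine and theirs and mine != theirs:
            out.append(("MISMATCH", f"{label}: Openswan proposes {mine}, Cisco offers {theirs}"))
    if "ike" not in sw:                            # Openswan falls back to its built-in IKE list
        p = cisco["isakmp"]
        out.append(("CHECK", "IKE phase 1: ike= not set on Openswan; Cisco policy is encr=%s "
                    "auth=%s group=%s hash=%s" % (p.get("encr"), p.get("authentication"),
                                                 p.get("group"), p.get("hash", "sha (IOS default)"))))
    if sw.get("authby") == "secret" and sw.get("left") not in cisco["psk_peers"]:
        out.append(("MISMATCH", "PSK: no 'crypto isakmp key ... address' entry for Openswan's left="))
    for side in ("leftid", "rightid"):
        if sw.get(side, "").startswith("@"):
            out.append(("CHECK", f"{side}={sw[side]} sends an FQDN identity; the Cisco key is bound "
                        "to an address, so confirm the Cisco side accepts that ID type"))
    if sw.get("left") not in cisco["map_peers"]:
        out.append(("MISMATCH", "crypto map 'set peer' does not match Openswan's left= address"))
    if cisco["pfs"] is None and sw.get("pfs", "yes") == "yes":   # Openswan defaults pfs=yes
        out.append(("CHECK", "PFS: Openswan defaults to pfs=yes, crypto map has no 'set pfs'"))
    return out


def check(openswan_text=OPENSWAN_CONF, cisco_text=CISCO_CONF):
    """Parse both sides and return the findings for them."""
    return compare(parse_openswan(openswan_text), parse_cisco(cisco_text))


if __name__ == "__main__":
    for severity, message in check():
        print(f"{severity:8} {message}")
```

The checker only reads the stanzas that decide whether a proposal can be accepted; it does not touch the ACLs or NAT route-map, which matter for traffic selection after the SAs exist. Swapping esp-md5-hmac for esp-sha-hmac in the transform set (or esp=3des-md5 on the Openswan side) makes the MISMATCH disappear, leaving only the CHECK items.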