[Openswan Users] Openswan <--> Cisco 877 VPN
Federico Viel
fviel at bellunum.com
Wed Jul 8 03:21:44 EDT 2009
SOLVED!
The problem was I miss to specify the Diffie-Hellman group in the cisco ios
conf:
http://lists.virus.org/users-openswan-0709/msg00112.html
A grup 2 policy is mandatory to work with openswan.
Moreover I had to configure the ipsec sa capabilities in a less restrictive
mode in Openswan ipsec.conf file.
Now Just one thing do not work: vpn tunnl does not start from the cisco
router i.e. I HAVE to start the vpn from linux manually: "ipsec auto --up
lambioi".
I'm wrong or cisco router should start vpn as soon as the first "vpn routed"
packet is created? I tried ping remote machine from behind cisco router...
but...
Any suggestion?
Thank you
Here is the working config (sections of) files
This is my connection section of Openswan's ipsec.conf (note the esp rule):
conn lambioi
type=tunnel
left=88.xxx.224.206
leftsubnet=10.6.100.0/24
right=85.yyy.zzz.198
rightsubnet=10.116.100.0/24
esp=3des-sha1,3des-md5,aes-md5,aes-sha1
keyexchange=ike
authby=secret
auto=add
This is the correct cisco ios file (router cisco 877)(note crypto isakmp
policy 1):
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname lambioirouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$...
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-2720181849
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2720181849
revocation-check none
rsakeypair TP-self-signed-2720181849
!
!
crypto pki certificate chain TP-self-signed-2720181849
certificate self-signed 01
30820252 ....
quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.116.100.254
!
ip dhcp pool sdm-pool1
import all
network 10.116.100.0 255.255.255.0
default-router 10.116.100.254
dns-server 151.aa.125.1
!
!
ip cef
no ip bootp server
ip domain name bellunum.com
ip name-server 151.aa.125.1
ip name-server 151.aa.0.100
!
!
!
!
username fede privilege 15 secret 5 $1$....
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key psk-lmb-b3llnm address 88.xxx.224.206
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
!
crypto map to-site2 10 ipsec-isakmp
set peer 88.xxx.224.206
set transform-set s1s2trans
match address 101
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
ip address 85.yyy.zzz.198 255.255.255.252
ip mtu 1412
ip flow ingress
ip nat outside
ip virtual-reassembly
pvc 8/35
protocol ip 94.bbb.ddd.ccc broadcast
encapsulation aal5snap
!
crypto map to-site2
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.116.100.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 10.6.100.0 255.255.255.0 88.xxx.224.206
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map nonat interface ATM0.1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.116.100.0 0.0.0.255
access-list 101 permit ip 10.116.100.0 0.0.0.255 10.6.100.0 0.0.0.255
access-list 101 permit ip 10.6.100.0 0.0.0.255 10.116.100.0 0.0.0.255
access-list 150 deny ip 10.116.100.0 0.0.0.255 10.6.100.0 0.0.0.255
access-list 150 permit ip 10.116.100.0 0.0.0.255 any
no cdp run
!
!
!
route-map nonat permit 10
match ip address 150
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------
....
-----------------------------------------------------------------------
^C
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
> -----Original message-----
> Da: users-bounces at openswan.org [mailto:users-bounces at openswan.org] Per
> conto di Federico Viel
> Inviato: giovedì 2 luglio 2009 10.29
> A: users at openswan.org
> Oggetto: [Openswan Users] Openswan <--> Cisco 877 VPN
>
> Hello,
> Im working on a site2site tunnel from Debian openswan to a Cisco 877
> router
> Everything seems fine but the tunnel do not start. Its like something is
> blocking the vpn start on the cisco 877 router.
> I think the problem is on cisco 877 router.
>
> I can reach pinging the openswan router from cisco 877 (I can see the
> DENY
> entry on log firewall of as below)
> Jun 29 16:03:18 localhost kernel:
> RULE 17 -- DENY IN=eth4 OUT= MAC=00:13:49:24:49:bb:00:17:59:97:b0:18:08:00
> SRC=85.yyy.zzz.198 DST=88.xx.224.206 LEN=100 TOS=0x00 PREC=0x00 TTL=252
> ID=16
> PROTO=ICMP TYPE=8 CODE=0 ID=3 SEQ=4
>
> but
>
> No other entries are visible on the openswan router firewalls log: I log
> everything (accepted also) coming from the cisco 877 adsl point-to-point
> IP
> . This looks like something is blocking the cisco 877 to put out vpn
> packet to initiate negotiation
.
>
> My Ipsec is as follow:
>
> # Lambioi-scale-mobili (10.6.100.0-10.116.100.0) connection
> conn lambioi
> type=tunnel
> left=88.xx.224.206
> leftid=@multifw.zxy.it
> leftsubnet=10.6.100.0/24
> right=85.yyy.zzz.198
> rightsubnet=10.116.100.0/24
> esp=3des-sha1
> keyexchange=ike
> authby=secret
> auto=add
>
>
>
>
> My Cisco 877 configuration is as follow
>
>
> lambioirouter#sh running-config
> Building configuration...
>
> Current configuration : 5928 bytes
> !
> version 12.4
> no service pad
> service tcp-keepalives-in
> service tcp-keepalives-out
> service timestamps debug datetime msec localtime show-timezone
> service timestamps log datetime msec localtime show-timezone
> service password-encryption
> service sequence-numbers
> !
> hostname lambioirouter
> !
> boot-start-marker
> boot-end-marker
> !
> logging message-counter syslog
> logging buffered 51200
> logging console critical
> enable secret 5 $1$.....
> !
> no aaa new-model
> clock timezone PCTime 1
> clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
> !
> crypto pki trustpoint TP-self-signed-2720181849
> enrollment selfsigned
> subject-name cn=IOS-Self-Signed-Certificate-2720181849
> revocation-check none
> rsakeypair TP-self-signed-2720181849
> !
> !
> crypto pki certificate chain TP-self-signed-2720181849
> certificate self-signed 01
> 30820252
..
> quit
> dot11 syslog
> no ip source-route
> ip dhcp excluded-address 10.10.10.1
> ip dhcp excluded-address 10.116.100.254
> !
> ip dhcp pool sdm-pool1
> import all
> network 10.116.100.0 255.255.255.0
> default-router 10.116.100.254
> dns-server 151.99.125.1
> !
> !
> ip cef
> no ip bootp server
> ip domain name zxy.com
> ip name-server 151.99.125.1
> ip name-server 151.99.0.100
> !
> username fede privilege 15 secret 5 $1$0QL
!
>
> crypto isakmp policy 1
> encr 3des
> authentication pre-share
> group 2
> crypto isakmp key pskey address 88.xx.224.206
> !
> crypto ipsec security-association lifetime seconds 86400
> !
> crypto ipsec transform-set s1s2trans esp-3des esp-md5-hmac
> !
> crypto map to-site2 10 ipsec-isakmp
> set peer 88.xx.224.206
> set transform-set s1s2trans
> match address 101
> !
> archive
> log config
> hidekeys
> !
> !
> ip tcp synwait-time 10
> ip ssh time-out 60
> ip ssh authentication-retries 2
> !
> !
> !
> interface ATM0
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip flow ingress
> no atm ilmi-keepalive
> !
> interface ATM0.1 point-to-point
> description $ES_WAN$$FW_OUTSIDE$
> ip address 85.yyy.zzz.198 255.255.255.252
> ip mtu 1412
> ip flow ingress
> ip nat outside
> ip virtual-reassembly
> pvc 8/35
> protocol ip 94.zz.cc.ss broadcast
> encapsulation aal5snap
> !
> crypto map to-site2
> !
> interface FastEthernet0
> !
> interface FastEthernet1
> !
> interface FastEthernet2
> !
> interface FastEthernet3
> !
> interface Vlan1
> description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
> ip address 10.116.100.254 255.255.255.0
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> ip flow ingress
> ip nat inside
> ip virtual-reassembly
> ip tcp adjust-mss 1452
> !
> ip forward-protocol nd
> ip route 0.0.0.0 0.0.0.0 ATM0.1
> ip route 10.6.100.0 255.255.255.0 88.xx.224.206
> ip http server
> ip http access-class 23
> ip http authentication local
> ip http secure-server
> ip http timeout-policy idle 60 life 86400 requests 10000
> !
> ip nat inside source route-map nonat interface ATM0.1 overload
> !
> logging trap debugging
> access-list 1 remark INSIDE_IF=Vlan1
> access-list 1 remark SDM_ACL Category=2
> access-list 1 permit 10.10.10.0 0.0.0.255
> access-list 1 permit 10.116.100.0 0.0.0.255
> access-list 101 permit ip 10.116.100.0 0.0.0.255 10.6.100.0 0.0.0.255
> access-list 150 deny ip 10.116.100.0 0.0.0.255 10.6.100.0 0.0.0.255
> access-list 150 permit ip 10.116.100.0 0.0.0.255 any
> no cdp run
>
> !
> !
> !
> route-map nonat permit 10
> match ip address 150
> !
> !
> control-plane
> !!
> line con 0
> login local
> no modem enable
> transport output telnet
> line aux 0
> login local
> transport output telnet
> line vty 0 4
> privilege level 15
> login local
> transport input telnet ssh
> !
> scheduler max-task-time 5000
> scheduler allocate 4000 1000
> scheduler interval 500
> end***********************************************************************
> **
> **************
>
>
>
>
>
>
>
> This are some debug command
> On openswan router
> Fwr: Ipsec auto up lambioi
> Fwr:ipsec barf
>
>
> Jul 1 16:48:36 localhost pluto[12697]: "lambioi" #139: initiating Main
> Mode
> + _________________________ date
> + date
> Wed Jul 1 16:48:54 CEST 2009
>
>
>
>
>
>
>
>
>
> On cisco 877
>
> lambioirouter#sh crypto isakmp sa
> IPv4 Crypto ISAKMP SA
> dst src state conn-id status
> 85.yyy.zzz.198 88.xx.224.206 MM_SA_SETUP 0 ACTIVE
> 88.xx.224.206 85.yyy.zzz.198 MM_NO_STATE 0 ACTIVE
>
> IPv6 Crypto ISAKMP SA
>
> lambioirouter#show crypto ipsec sa
> PFS (Y/N): N, DH group: none
>
> interface: ATM0.1
> Crypto map tag: to-site2, local addr 85.yyy.zzz.198
>
> protected vrf: (none)
> local ident (addr/mask/prot/port): (10.116.100.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (10.6.100.0/255.255.255.0/0/0)
> current_peer 88.xx.224.206 port 500
> PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0
> #pkts not decompressed: 0, #pkts decompress failed: 0
> #send errors 11, #recv errors 0
>
> local crypto endpt.: 85.yyy.zzz.198, remote crypto endpt.:
> 88.xx.224.206
> path mtu 1412, ip mtu 1412, ip mtu idb ATM0.1
> current outbound spi: 0x0(0)
>
> inbound esp sas:
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
>
> outbound ah sas:
>
> outbound pcp sas:
>
>
>
> lambioirouter#show log
> Syslog logging: enabled (0 messages dropped, 0 messages rate-limited,
> 0 flushes, 0 overruns, xml disabled, filtering disabled)
>
> No Active Message Discriminator.
>
>
>
> No Inactive Message Discriminator.
>
>
> Console logging: level critical, 0 messages logged, xml disabled,
> filtering disabled
> Monitor logging: level debugging, 0 messages logged, xml disabled,
> filtering disabled
> Buffer logging: level debugging, 33 messages logged, xml disabled,
> filtering disabled
> Logging Exception size (4096 bytes)
> Count and timestamp logging messages: disabled
> Persistent logging: disabled
>
> No active filter modules.
>
> ESM: 0 messages dropped
>
> Trap logging: level debugging, 37 message lines logged
>
> Log Buffer (51200 bytes):
>
> *Mar 1 00:00:10.071: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State
> change
> d to: Initialized
> *Mar 1 00:00:10.075: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State
> change
> d to: Enabled
> *Mar 1 00:00:11.659: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> ATM0,
> chan
> ged state to down
> *Mar 1 00:00:12.007: %LINK-3-UPDOWN: Interface FastEthernet0, changed
> state
> to
> up
> *Mar 1 00:00:13.103: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> FastEthern
> et0, changed state to up
> *Mar 1 00:00:37.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface
> SSLVPN-VIF
> 0, changed state to up
> 000007: *Mar 1 01:00:39.375 PCTime: %SYS-6-CLOCKUPDATE: System clock has
> been u
> pdated from 00:00:39 UTC Fri Mar 1 2002 to 01:00:39 PCTime Fri Mar 1 2002,
> confi
> gured from console by console.
> 000008: *Mar 1 01:00:39.379 PCTime: %SYS-6-CLOCKUPDATE: System clock has
> been u
> pdated from 01:00:39 PCTime Fri Mar 1 2002 to 01:00:39 PCTime Fri Mar 1
> 2002, co
> nfigured from console by console.
> 000009: *Mar 1 01:00:39.843 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face Vlan1, changed state to down
> 000010: *Mar 1 01:00:40.119 PCTime: %SYS-5-CONFIG_I: Configured from
> memory
> by
> console
> 000011: *Mar 1 01:07:30.551 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face NVI0, changed state to down
> 000012: *Mar 1 01:07:30.587 PCTime: %SYS-5-RESTART: System restarted --
> Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version
> 12.4(22)T,
> REL
> EASE SOFTWARE (fc1)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2008 by Cisco Systems, Inc.
> Compiled Fri 10-Oct-08 12:57 by prod_rel_team
> 000013: *Mar 1 01:07:30.587 PCTime: %SNMP-5-COLDSTART: SNMP agent on host
> lambi
> oirouter is undergoing a cold start
> 000014: *Mar 1 01:07:30.627 PCTime: %SSH-5-ENABLED: SSH 1.99 has been
> enabled
> 000015: *Mar 1 01:07:30.683 PCTime: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is
> OFF
> 000016: *Mar 1 01:07:30.683 PCTime: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is
> OFF
> 000017: *Mar 1 01:07:31.907 PCTime: %LINK-5-CHANGED: Interface NVI0,
> changed st
> ate to administratively down
> 000018: *Mar 1 01:07:31.955 PCTime: %LINK-3-UPDOWN: Interface
> FastEthernet3, ch
> anged state to up
> 000019: *Mar 1 01:07:31.955 PCTime: %LINK-3-UPDOWN: Interface
> FastEthernet2, ch
> anged state to up
> 000020: *Mar 1 01:07:31.967 PCTime: %LINK-3-UPDOWN: Interface
> FastEthernet1, ch
> anged state to up
> 000021: *Mar 1 01:07:31.967 PCTime: %LINK-3-UPDOWN: Interface
> FastEthernet0, ch
> anged state to up
> 000022: *Mar 1 01:07:32.955 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face FastEthernet3, changed state to down
> 000023: *Mar 1 01:07:32.955 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face FastEthernet2, changed state to down
> 000024: *Mar 1 01:07:32.967 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face FastEthernet1, changed state to down
> 000025: *Mar 1 01:07:32.967 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face FastEthernet0, changed state to down
> 000026: *Mar 1 01:09:01.979 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face Vlan1, changed state to up
> 000027: *Mar 1 01:09:02.551 PCTime: %LINK-3-UPDOWN: Interface ATM0,
> changed
> sta
> te to up
> 000028: *Mar 1 01:09:03.551 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face ATM0, changed state to up
> 000029: *Mar 1 01:09:03.971 PCTime: %LINEPROTO-5-UPDOWN: Line protocol on
> Inter
> face FastEthernet1, changed state to up
> 000030: *Mar 1 01:10:37.599 PCTime: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
> 000031: *Mar 1 01:10:43.983 PCTime: %SYS-5-CONFIG_I: Configured from
> console by
> fede on vty0 (10.116.100.1)
> 000032: *Mar 1 01:10:49.651 PCTime: %CRYPTO-6-IKMP_MODE_FAILURE:
> Processing
> of
> Informational mode failed with peer at 88.xx.224.206
> 000033: *Mar 1 01:11:59.451 PCTime: %CRYPTO-6-IKMP_MODE_FAILURE:
> Processing
> of
> Informational mode failed with peer at 88.xx.224.206
>
>
>
>
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list