[Openswan Users] LAN to LAN tunnel to a Cisco ASA firewall

Maverick maverick.pt at gmail.com
Tue Jun 2 11:36:31 EDT 2009

I've got a public ip address but my openswan machine is behind a router.

I'm forwarding the 4500 udp port on the router to the lan ip of my openswan

When I try to turn on the tunnel "ipsec auto --up cisco" I get this error:

022 "cisco": We cannot identify ourselves with either end of this

What could be the problem?

-----Original Message-----
From: Peter McGill [mailto:petermcgill at goco.net] 
Sent: sexta-feira, 29 de Maio de 2009 17:38
To: 'Maverick'; users at openswan.org
Subject: RE: [Openswan Users] LAN to LAN tunnel to a Cisco ASA firewall

Assuming your openswan machine has a public ip address and is not being

Add to /etc/ipsec.conf:
conn cisco
	left=your public ip, ie
	leftsubnet=your private lan, ie
	leftsourceip=server private ip, ie
	right=cisco public ip
	rightsubnet=cisco private lan
	auto=start # always on; or auto=add and ipsec auto --up cisco for
manual connect

Add to /etc/ipsec.secrets:
your_public_ip cisco_public_ip : PSK "xxxxxxxxxxxx"

If doesn't connect, you may also need to know the names the cisco assigned
to each side of the tunnel.
In which case add leftid=@your name and rightid=@cisco name

Also be sure not to block the ipsec or tunnel traffic with your iptables

Peter McGill
IT Systems Analyst
Gra Ham Energy Limited 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Maverick
> Sent: May 29, 2009 12:08 PM
> To: users at openswan.org
> Subject: [Openswan Users] LAN to LAN tunnel to a Cisco ASA firewall
> Hi,
> I've been told that is possible to make a lan to lan tunnel 
> connecting a linux box to a cisco asa firewall with openswan.
> The configurations on the cisco side are these ones:
> PSK: xxxxxxxxxxxx
> IKE (PHASE 1) : AES-256, SHA, DH5
> IPSEC (PHASE 2): AES-256, SHA, PFS enabled
> Can someone help me out how to configure openswan to connect 
> to the cisco firewall with those settings?

More information about the Users mailing list