[Openswan Users] rightsubnet parameter question

Ronald loloski at yahoo.com
Thu Nov 5 09:27:51 EST 2009


Many thanks for your help. This is the config on the Cisco side. Can you take a look at this and suggest the proper
ike and esp line on my side?

With this config, my configuration is:

ike = aes_sha1
esp = aes_sha1

Is this correct?

crypto isakmp policy 45
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key secret address
crypto ipsec transform-set sha-aes esp-aes esp-sha-hmac
crypto map generic 170 ipsec-isakmp 
 description ** VPN to Client **

 set peer
 set transform-set sha-aes 
 match address vpnclient

ip access-list extended vpnclient

 permit ip host
PSC-XVPN1#   sh cry isa sa
dst             src             state          conn-id slot   QM_IDLE            940    0
Oct 30 12:31:33.592: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of
Quick mode failed with peer at  

Best regards,

Ronaldo Chan

From: Paul Wouters <paul at xelerance.com>
To: Ronald <loloski at yahoo.com>
Sent: Thu, November 5, 2009 8:19:44 PM
Subject: Re: [Openswan Users] rightsubnet parameter question

On Thu, 5 Nov 2009, Ronald wrote:

> Thanks for your reply. Yes, the config I attached is just what I had in mind, sorry. Yes, we do the
> authentication via pre-shared key.


> PFS is disabled on the Cisco side. xauth, this is my problem, since according to the admin he has no setting
> with this. On part on the crypto map definition.
> no-xauth no-config-mode option

Then your config looks fine, so you might only need to change the ike= and esp= lines to
the values the Cisco has configured.
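
Added example, not code from either poster or from the Openswan project: a small Python translator that reads a Cisco IOS ISAKMP policy and transform-set excerpt like the one posted above and derives matching Openswan ike=, esp=, ikelifetime= and pfs= values. The function name cisco_to_openswan, the mapping tables and the assumed IOS defaults (hash sha and lifetime 86400 when the line is absent, aes meaning 128-bit when no key size is given) are this example's own assumptions; settings it cannot map raise an error instead of being guessed.

```python
import re

# Cisco IOS keyword -> Openswan token (assumed mapping; bare "aes" is 128-bit).
IKE_ENC = {"3des": "3des", "aes": "aes128", "aes 192": "aes192", "aes 256": "aes256"}
IKE_HASH = {"sha": "sha1", "md5": "md5"}
IKE_GROUP = {"2": "modp1024", "5": "modp1536"}
ESP_ENC = {"esp-" + k: v for k, v in IKE_ENC.items()}
ESP_AUTH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}

def cisco_to_openswan(cfg):
    """Map an IOS ISAKMP policy + transform-set excerpt to Openswan conn options."""
    # Assumed IOS defaults for lines the running config omits: hash sha, lifetime 86400.
    p = {"hash": "sha", "lifetime": "86400", "pfs": "no"}
    for line in cfg.splitlines():
        t = line.split() or [""]
        if t[0] in ("encr", "encryption"):
            p["encr"] = " ".join(t[1:])          # keeps "aes 256" together
        elif t[0] in ("hash", "group", "lifetime"):
            p[t[0]] = t[1]
        elif t[:2] == ["set", "pfs"]:            # crypto map entry enables PFS
            p["pfs"] = "yes"
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            # t[3] is the transform-set name; the transforms follow it
            for item in re.findall(r"esp-[a-z0-9-]+(?: \d+)?", " ".join(t[4:])):
                if item in ESP_ENC:
                    p["esp_enc"] = ESP_ENC[item]
                elif item in ESP_AUTH:
                    p["esp_auth"] = ESP_AUTH[item]
                else:
                    raise ValueError("unmapped transform: " + item)
    try:
        ike = "%s-%s;%s" % (IKE_ENC[p["encr"]], IKE_HASH[p["hash"]], IKE_GROUP[p["group"]])
        esp = "%s-%s" % (p["esp_enc"], p["esp_auth"])
    except KeyError as e:
        raise ValueError("missing or unmapped setting: %s" % e)
    return {"ike": ike, "esp": esp, "ikelifetime": p["lifetime"] + "s", "pfs": p["pfs"]}

# Excerpt of the config posted above; peer, key and ACL lines left out.
POSTED = """crypto isakmp policy 45
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec transform-set sha-aes esp-aes esp-sha-hmac
crypto map generic 170 ipsec-isakmp
 set transform-set sha-aes
"""

if __name__ == "__main__":
    print(cisco_to_openswan(POSTED))
```

For the posted policy this yields ike=aes128-sha1;modp1024, esp=aes128-sha1, ikelifetime=3600s and pfs=no.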

