[Openswan Users] rightsubnet parameter question
Ronald
loloski at yahoo.com
Thu Nov 5 09:27:51 EST 2009
Paul,
Many thanks for your help. This is the config on the Cisco side. Can you take a look at this and suggest the proper
ike and esp lines on my side?
With this config, my configuration is:
ike = aes_sha1
esp = aes_sha1
Is this correct?

crypto isakmp policy 45
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key secret address 122.55.48.156
crypto ipsec transform-set sha-aes esp-aes esp-sha-hmac
crypto map generic 170 ipsec-isakmp
 description ** VPN to Client **
 set peer 122.55.48.156
 set transform-set sha-aes
 match address vpnclient
ip access-list extended vpnclient
 permit ip host 208.77.116.46 10.8.44.0 0.0.0.255

PSC-XVPN1# sh cry isa sa
dst             src             state          conn-id slot
210.5.121.100   122.55.48.156   QM_IDLE            940    0
PSC-XVPN1#

Oct 30 12:31:33.592: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 122.55.48.156

Best regards,
Ronaldo Chan
________________________________
From: Paul Wouters <paul at xelerance.com>
To: Ronald <loloski at yahoo.com>
Sent: Thu, November 5, 2009 8:19:44 PM
Subject: Re: [Openswan Users] rightsubnet parameter question
On Thu, 5 Nov 2009, Ronald wrote:
> Thanks for your reply. Yes, the config I attached is just what I had in mind, sorry. Yes, we do the
> authentication via pre-shared key.
Ok.
> PFS is disabled on the Cisco side. Xauth, this is my problem, since according to the admin he has no setting
> with this on part of the crypto map definition.
>
> no-xauth no-config-mode option
Then your config looks fine, so you might only need to change the ike= and esp= line to
the values the cisco has configured.
Paul
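
Added example (not part of the original thread, and not Openswan or Cisco code): a Python sketch that derives candidate ike= and esp= values from the Cisco lines quoted in the message above. It assumes a single ISAKMP policy, the IOS defaults for omitted fields (DES, SHA-1, group 1), and the cipher-hash;modpgroup form from the Openswan ipsec.conf documentation; the mapping tables and function names are assumptions made for this example.

```python
import re

# Constructed sample: the algorithm-related lines of the Cisco config quoted above.
CISCO_CONFIG = """\
crypto isakmp policy 45
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto ipsec transform-set sha-aes esp-aes esp-sha-hmac
"""

# Assumed IOS keyword -> Openswan name tables; "aes" with no size is 128-bit on IOS.
CIPHERS = {"3des": "3des", "aes": "aes128", "aes 192": "aes192", "aes 256": "aes256"}
HASHES = {"sha": "sha1", "md5": "md5"}
GROUPS = {"2": "modp1024", "5": "modp1536", "14": "modp2048"}

def lookup(table, key, what):
    # Refuse to guess: anything outside the tables needs a human decision.
    if key not in table:
        raise ValueError(f"no mapping assumed for {what} {key!r}")
    return table[key]

def ike_line(cfg):
    """Phase 1 proposal from the (single) 'crypto isakmp policy' block."""
    def field(name, default):
        m = re.search(rf"^\s*{name}\s+(.+?)\s*$", cfg, re.M)
        return m.group(1) if m else default  # IOS default when the line is absent
    cipher = lookup(CIPHERS, field(r"encr(?:yption)?", "des"), "cipher")
    digest = lookup(HASHES, field("hash", "sha"), "hash")
    group = lookup(GROUPS, field("group", "1"), "DH group")
    return f"ike={cipher}-{digest};{group}"

def esp_line(cfg):
    """Phase 2 proposal from the 'crypto ipsec transform-set' line."""
    m = re.search(r"^crypto ipsec transform-set\s+\S+\s+(.+?)\s*$", cfg, re.M)
    if not m:
        raise ValueError("no transform-set found")
    enc = re.search(r"esp-(3des|aes(?: (?:192|256))?)", m.group(1))
    auth = re.search(r"esp-(sha|md5)-hmac", m.group(1))
    if not (enc and auth):
        raise ValueError("transform-set lacks an ESP cipher or HMAC")
    return f"esp={lookup(CIPHERS, enc.group(1), 'cipher')}-{lookup(HASHES, auth.group(1), 'hash')}"

if __name__ == "__main__":
    print(ike_line(CISCO_CONFIG))
    print(esp_line(CISCO_CONFIG))
```

A policy that omits the encr line falls back to the IOS default of DES, which the tables deliberately leave unmapped, so the script raises instead of emitting a weak proposal.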