[Openswan Users] L2L vpn to Cisco VPN3000

Antonio Fernandes af465 at netcabo.pt
Thu Sep 17 14:46:48 EDT 2009 

Hi

I am trying to use for the first time, openswan to establish an IPsec 
tunel lan 2 lan with a Cisco ASA that identifies itself as a Cisco VPN3000.

After studing and testing for a while i come to a situation that 
aparenttly looks ok, but after a close look, the status says that there 
are no tunel active neither apear any ipsec device.

The commands and config files folows that explanatin!

Did any one have made a tunel in a similar situation? Can any one help me?

thanks
Antonio
--------------------------------------------

*sh> ipsec setup --restart*
 >ipsec_setup: Stopping Openswan IPsec...
 >ipsec_setup: Starting Openswan IPsec U2.6.19/K2.6.22.19-desktop586-2mdv...

*sh> ipsec auto --up ifdr*
 >104 "ifdr" #1: STATE_MAIN_I1: initiate
 >003 "ifdr" #1: received Vendor ID payload 
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
 >003 "ifdr" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
 >106 "ifdr" #1: STATE_MAIN_I2: sent MI2, expecting MR2
 >003 "ifdr" #1: received Vendor ID payload [Cisco-Unity]
 >003 "ifdr" #1: received Vendor ID payload [XAUTH]
 >003 "ifdr" #1: ignoring unknown Vendor ID payload 
[1ae461f9075e08cbf597f795e2aec0d5]
 >003 "ifdr" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
 >003 "ifdr" #1: NAT-Traversal: Result using 
draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
 >108 "ifdr" #1: STATE_MAIN_I3: sent MI3, expecting MR3
 >003 "ifdr" #1: discarding duplicate packet; already STATE_MAIN_I3
 >003 "ifdr" #1: received Vendor ID payload [Dead Peer Detection]
 >004 "ifdr" #1: STATE_MAIN_I4: ISAKMP SA established 
{auth=OAKLEY_PRESHARED_KEY >cipher=oakley_3des_cbc_192 prf=oakley_sha 
group=modp1024}
 >117 "ifdr" #2: STATE_QUICK_I1: initiate
 >004 "ifdr" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel 
mode {ESP=>0x6bfb6622 ><0x85701451 xfrm=3DES_0-HMAC_SHA1 NATOA=none 
NATD=none DPD=none}

*sh> ipsec setup --status*
 >IPsec running  - pluto pid: 1471
 >pluto pid 1471
 >No tunnels up

*sh> ipsec auto --status*
 >000 using kernel interface: netkey
 >000 interface lo/lo ::1
 >000 interface lo/lo 127.0.0.1
 >000 interface lo/lo 127.0.0.1
 >000 interface eth4/eth4 162.128.22.6
 >000 interface eth4/eth4 162.128.22.6
 >000 interface eth0/eth0 10.11.0.5
 >000 interface eth0/eth0 10.11.0.5
 >000 interface tun0/tun0 10.9.0.1
 >000 interface tun0/tun0 10.9.0.1
 >000 %myid = (none)
 >000 debug 
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
 >000
 >000 virtual_private (%priv):
 >000 - allowed 2 subnets: 10.11.0.0/16, 192.168.0.0/24
 >000 - disallowed 0 subnets:
 >000 WARNING: Either virtual_private= was not specified, or there was a 
syntax
 >000          error in that line. 'left/rightsubnet=%priv' will not work!
 >000
 >000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, 
keysizemax=64
 >000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, 
keysizemin=192, keysizemax=192
 >000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, 
keysizemin=40, keysizemax=448
 >000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, 
keysizemin=0, keysizemax=0
 >000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
keysizemin=128, keysizemax=256
 >000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
 >000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
 >000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
keysizemin=256, keysizemax=256
 >000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, 
keysizemin=128, keysizemax=128
 >000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, 
keysizemax=0
 >000
 >000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
 >000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, 
blocksize=8, keydeflen=128
 >000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
 >000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
 >000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, 
blocksize=16, keydeflen=128
 >000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, 
blocksize=16, keydeflen=128
 >000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, 
blocksize=16, keydeflen=128
 >000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
 >000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
 >000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
 >000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
 >000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
 >000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
 >000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
 >000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
 >000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
 >000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
 >000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
 >000
 >000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8,36} 
trans={0,8,840} attrs={0,8,1120}
 >000
 >000 "ifdr": 
10.11.0.0/16===62.28.122.6<62.28.122.6>[+S=C]---62.28.122.5...194.65.92.231<194.65.92.231>[+S=C]===192.168.0.0/24; 
prospective erouted; eroute owner: #0
 >000 "ifdr":     myip=unset; hisip=unset;
 >000 "ifdr":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 0
 >000 "ifdr":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; 
prio: 16,24; interface: eth4;
 >000 "ifdr":   newest ISAKMP SA: #0; newest IPsec SA: #0;
 >000 "ifdr":   IKE algorithms wanted: 
3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=-strict
 >000 "ifdr":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-2,
 >000 "ifdr":   ESP algorithms wanted: 3DES(3)_000-SHA1(2); 
pfsgroup=MODP1024(2); flags=-strict
 >000 "ifdr":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
 >000
 >000 #15: "ifdr":500 STATE_MAIN_I2 (sent MI2, expecting MR2); 
EVENT_CRYPTO_FAILED in 298s; nodpd; crypto_calculating; import:admin 
initiate
 >000 #15: pending Phase 2 for "ifdr" replacing #0
 >000


ipsec.conf
--------------------------------------------------------------------------------------------
version 2.0

config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        nat_traversal=yes
        oe=off
        protostack=netkey
        virtual_private=%v4:10.11.0.0/16,%v4:192.168.0.0/24
conn ifdr
        type=           tunnel
        authby=         secret
        left=           162.128.22.16 (not real)
        leftnexthop=    162.128.22.15 (not real)
        leftsubnet=     10.11.0.0/16
        right=          19.65.92.231 (not real)
        rightsubnet=    192.168.0.0/24

        keyexchange=    ike
        ike=            3des-sha1-modp1024
        esp=            3des-sha1;modp1024
        pfs=            yes
        auto=           add

ipsec.secrets
------------------------------------------------------------------------
162.128.22.16 19.65.92.231: PSK "1234567"

More information about the Users mailing list