[Openswan Users] site 2 site vpn openswan with cisco asa 5500
Michael Smith
msmith at cbnco.com
Thu Dec 2 08:53:33 EST 2010
Kelly Kloen wrote:
> Local peer ( our external ip ) : 77.61.201.201.18
> Local network ( our local network ) : 192.168.5.0/24
> Remote peer ( their external ip ) : 81.21.176.90
> Remote network (their local network): 81.21.188.161/32
>
> Ipsec phase 1
>
> Pre shared key :
> Ike policy encryption/auth/dhgroup : 3DES /SHA / Group 2
> Security association phase 1 : 86400 sec
> Ike negotiation mode : main
>
> Ipsec phase 2
> Ipsec esp encryption/esp auth : 3DES /SHA
> Security association phase 2 : 28800 sec
> Perfect forward secrecy (PFS ) : DH Group 2
>
Hi Kelly,
> Conn nameconnection
> Keyexchange=ike
> Type=tunnel
Remove these two lines - these are the defaults
> Ike=3des-md5
> Esp=3des-md5
Remove and just use the defaults (you have MD5, but the Cisco side is
configured for SHA)
> Authby=secret
> Keyingtries=0
> Left=77.61.201.18
> Leftsubnet=192.168.5.0/24
> Leftnexthop=77.61.201.17
> Right=81.21.176.90
> Rightsubnet=81.21.188.161/32
> Rightnexthop=%defaultroute
> Compres=no
Remove the last line - "compres" looks like a typo, and "compress=no" is
the default
> Auto=start
> Spi=0x0
> Pfs=no
Remove spi and pfs. The default for pfs, pfs=yes, is correct since the
Cisco is configured with PFS group 2.
> And then this is what I get in the secure log :
>
> http://www.de-breul.com/log.jpg
You are halfway there - phase 1 (main mode) succeeded, and phase 2
(quick mode) failed because your settings didn't match the Cisco's.
Next time please paste the log instead of a screenshot :)
Mike
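The mismatches Mike points out (MD5 where the Cisco side wants SHA, pfs=no against a peer requiring PFS group 2, and parameter names that are typos) are exactly what a quick pre-flight comparison of the conn block against the peer's documented policy would catch before the tunnel is brought up. The script below is an added example, not code from this thread or from the Openswan project. It assumes Openswan's lowercase key spelling, an "enc-hash;group" proposal syntax for ike= and esp=, and encodes only the defaults the reply names (keyexchange=ike, type=tunnel, compress=no, pfs=yes) plus the Cisco policy as Kelly described it (3DES/SHA in both phases, DH group 2 = modp1024). KNOWN_KEYS is a subset of Openswan's conn parameters chosen for this example.

```python
"""Check an Openswan conn block against a peer's stated IKE/IPsec policy.

Added example, not code from the mailing-list thread or from Openswan itself.
Assumptions: lowercase Openswan key names, "enc-hash;group" proposal syntax,
and the defaults and peer policy described in the thread.
"""

# Subset of Openswan conn parameters (assumption: enough for this example).
KNOWN_KEYS = {
    "keyexchange", "type", "ike", "esp", "authby", "keyingtries",
    "left", "leftsubnet", "leftnexthop", "right", "rightsubnet", "rightnexthop",
    "compress", "auto", "pfs", "ikelifetime", "salifetime",
}

# Defaults named in the reply above.
OPENSWAN_DEFAULTS = {"keyexchange": "ike", "type": "tunnel", "compress": "no", "pfs": "yes"}

# Peer policy from the thread: 3DES/SHA both phases, DH group 2 (modp1024), PFS group 2.
CISCO_POLICY = {
    "phase1": ("3des", "sha1", "modp1024"),
    "phase2": ("3des", "sha1", None),
    "pfs_group": "modp1024",
}

# Constructed from the conn block posted in the thread (typos kept on purpose).
ORIGINAL_CONN = """\
conn nameconnection
    keyexchange=ike
    type=tunnel
    ike=3des-md5
    esp=3des-md5
    authby=secret
    keyingtries=0
    left=77.61.201.18
    leftsubnet=192.168.5.0/24
    leftnexthop=77.61.201.17
    right=81.21.176.90
    rightsubnet=81.21.188.161/32
    rightnexthop=%defaultroute
    compres=no
    auto=start
    spi=0x0
    pfs=no
"""

# The same conn with the reply's advice applied (defaults and typos removed).
CORRECTED_CONN = """\
conn nameconnection
    authby=secret
    keyingtries=0
    left=77.61.201.18
    leftsubnet=192.168.5.0/24
    leftnexthop=77.61.201.17
    right=81.21.176.90
    rightsubnet=81.21.188.161/32
    rightnexthop=%defaultroute
    auto=start
"""


def _norm_hash(name):
    """Treat the Cisco spelling 'SHA' and Openswan's 'sha1' as the same algorithm."""
    n = name.lower()
    return "sha1" if n == "sha" else n


def parse_conn(text):
    """Parse a 'conn NAME' block of key=value lines into a dict with lowercase keys."""
    conn = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment in ipsec.conf
        if not line or line.lower().startswith("conn "):
            continue
        if "=" not in line:
            raise ValueError(f"not a key=value line: {line!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        conn[key.lower()] = value
    return conn


def parse_proposal(spec):
    """'3des-sha1;modp1024' -> ('3des', 'sha1', 'modp1024'); the group part is optional."""
    algs, _, group = spec.partition(";")
    enc, _, hsh = algs.partition("-")
    return enc.lower(), _norm_hash(hsh), (group.lower() or None)


def check_conn(conn, peer=CISCO_POLICY):
    """Return (severity, key, message) findings; an empty list means nothing to flag."""
    findings = []
    for key in conn:                                   # typos such as 'compres' or 'spi'
        if key not in KNOWN_KEYS:
            findings.append(("error", key, "unknown parameter (typo?)"))
    for key, phase in (("ike", "phase1"), ("esp", "phase2")):
        if key not in conn:
            continue                                   # Openswan's default proposals apply
        enc, hsh, group = parse_proposal(conn[key])
        want_enc, want_hash, want_group = peer[phase]
        if (enc, hsh) != (want_enc, want_hash):
            findings.append(("error", key, f"{enc}-{hsh} does not match peer {want_enc}-{want_hash}"))
        if group and want_group and group != want_group:
            findings.append(("error", key, f"DH group {group} does not match peer {want_group}"))
    pfs = conn.get("pfs", OPENSWAN_DEFAULTS["pfs"]).lower()
    if peer["pfs_group"] and pfs != "yes":             # peer insists on PFS, we turned it off
        findings.append(("error", "pfs", f"peer requires PFS ({peer['pfs_group']}) but pfs={pfs}"))
    for key, default in OPENSWAN_DEFAULTS.items():    # harmless, but clutter worth removing
        if key in conn and conn[key].lower() == default:
            findings.append(("info", key, f"redundant, {key}={default} is the default"))
    return findings


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONN), ("corrected", CORRECTED_CONN)):
        print(f"== {label} ==")
        for severity, key, message in check_conn(parse_conn(text)) or [("ok", "-", "no findings")]:
            print(f"{severity:5} {key:12} {message}")
```

Run against the posted conn it reports the two proposal mismatches, the pfs=no problem and the two unknown keys as errors, and the redundant defaults as informational; the corrected conn produces no findings, which matches Mike's suggestion to let the defaults do the work.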