[Openswan Users] site 2 site vpn openswan with cisco asa 5500

Michael Smith msmith at cbnco.com
Thu Dec 2 08:53:33 EST 2010


Kelly Kloen wrote:
> Local peer (our external IP)        : 77.61.201.18
> Local network (our local network)   : 192.168.5.0/24
> Remote peer (their external IP)     : 81.21.176.90
> Remote network (their local network): 81.21.188.161/32
>
> IPsec phase 1
>
> Pre-shared key                      :
> IKE policy encryption/auth/DH group : 3DES / SHA / Group 2
> Security association phase 1        : 86400 sec
> IKE negotiation mode                : main
>
> IPsec phase 2
> IPsec ESP encryption/ESP auth       : 3DES / SHA
> Security association phase 2        : 28800 sec
> Perfect forward secrecy (PFS)       : DH Group 2
> 

Hi Kelly,

> conn nameconnection
>
>         keyexchange=ike
>         type=tunnel

Remove these two lines; they are the defaults.

>         ike=3des-md5
>         esp=3des-md5

Remove these and just use the defaults (you have MD5, but the Cisco side is
configured for SHA).

>         authby=secret
>         keyingtries=0
>         left=77.61.201.18
>         leftsubnet=192.168.5.0/24
>         leftnexthop=77.61.201.17
>         right=81.21.176.90
>         rightsubnet=81.21.188.161/32
>         rightnexthop=%defaultroute
>         compres=no

Remove the last line: "compres" looks like a typo, and "compress=no" is
the default anyway.

>         auto=start
>         spi=0x0
>         pfs=no

Remove spi and pfs. The default for pfs, pfs=yes, is correct since the 
Cisco is configured with PFS group 2.

> And then this is what I get in the secure log:
>
> http://www.de-breul.com/log.jpg

You are halfway there - phase 1 (main mode) succeeded, and phase 2 
(quick mode) failed because your settings didn't match the Cisco's.

Next time please paste the log instead of a screenshot :)

Mike
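For reference, here is the conn block as it would look with Mike's removals applied, written out as an added example rather than anything posted in this thread. Unlike Mike's advice to rely on the Openswan defaults, it states the phase 1 and phase 2 algorithms, DH group and lifetimes explicitly so they line up one-to-one with the Cisco ASA parameters Kelly listed (3DES / SHA / DH group 2, 86400 s; 3DES / SHA, PFS group 2, 28800 s); the explicit `ike=`, `esp=`, `ikelifetime=` and `keylife=` lines and the conn name `cisco-asa` are this example's choices, not part of the original configuration.

```ini
# Added example, not from the original thread: /etc/ipsec.conf conn for the
# Openswan <-> Cisco ASA tunnel Kelly described. Dropped per Mike's reply:
# keyexchange=ike, type=tunnel (defaults), ike=/esp=3des-md5 (Cisco uses SHA),
# compres=no (typo; compress=no is the default), spi=0x0, pfs=no.
# The conn name and the explicit algorithm/lifetime lines are assumptions.
conn cisco-asa
        authby=secret
        keyingtries=0
        left=77.61.201.18
        leftsubnet=192.168.5.0/24
        leftnexthop=77.61.201.17
        right=81.21.176.90
        rightsubnet=81.21.188.161/32
        rightnexthop=%defaultroute
        # Phase 1 (main mode): Cisco "3DES / SHA / Group 2", SA 86400 s
        ike=3des-sha1;modp1024
        ikelifetime=24h
        # Phase 2 (quick mode): Cisco "3DES / SHA", SA 28800 s
        esp=3des-sha1
        keylife=8h
        # PFS on; Openswan reuses the phase 1 DH group (modp1024 = group 2)
        pfs=yes
        auto=start
```

The matching `/etc/ipsec.secrets` entry has the form `77.61.201.18 81.21.176.90 : PSK "<the shared key>"` (key omitted here, as it was in Kelly's post). After `ipsec auto --up cisco-asa`, a working tunnel logs `ISAKMP SA established` (phase 1) followed by `IPsec SA established` (phase 2); `ipsec auto --status` should then show the conn in `STATE_QUICK_I2` or `STATE_QUICK_R2`. Note that 3DES, SHA-1 and 1024-bit DH are legacy choices dictated by the Cisco side here; where the remote end can be changed, AES, SHA-2 and DH group 14 (modp2048) or stronger are preferable.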

