[Openswan Users] site 2 site vpn openswan with cisco asa 5500

Kelly Kloen k.kloen at de-breul.nl
Thu Dec 2 09:20:29 EST 2010


Hi there Michael.

Here is my new config.

conn magister
        authby=secret
        keyingtries=0
        left=77.61.201.18
        leftsubnet=192.168.5.0/24
        leftnexthop=%defaultroute
        right=81.21.176.90
        rightsubnet=81.21.188.161/32
        rightnexthop=%defaultroute
        auto=start


I can ask for the Cisco log but I don't think I'll get it.
I think it is in the SHA config.
It still sees it as cipher=oakley_md5
And they want SHA

Is there a way to change that?

-----Original message-----
From: Michael Smith [mailto:msmith at cbnco.com]
Sent: Thursday 2 December 2010 14:54
To: Kelly Kloen
CC: users at openswan.org
Subject: Re: [Openswan Users] site 2 site vpn openswan with cisco asa 5500

Kelly Kloen wrote:
> Local peer ( our external ip )                      : 77.61.201.201.18
> Local network ( our local network )        : 192.168.5.0/24
> Remote peer ( their external ip )           : 81.21.176.90
> Remote network (their local network): 81.21.188.161/32
> 
> Ipsec phase 1
> 
> Pre shared key                                                : 
> Ike policy encryption/auth/dhgroup      : 3DES /SHA / Group 2
> Security association phase 1                      : 86400 sec
> Ike negotiation mode                                   : main
> 
> Ipsec phase 2
> Ipsec esp encryption/esp auth               : 3DES /SHA
> Security association phase 2                      : 28800 sec
> Perfect forward secrecy (PFS )                 : DH Group 2
> 

Hi Kelly,

> Conn nameconnection

>                 Keyexchange=ike
>                 Type=tunnel

Remove these two lines - this is the default

>                 Ike=3des-md5
>                 Esp=3des-md5

Remove and just use the defaults (you have MD5, but the Cisco side is
configured for SHA)

>                 Authby=secret
>                 Keyingtries=0
>                 Left=77.61.201.18
>                 Leftsubnet=192.168.5.0/24
>                 Leftnexthop=77.61.201.17
>                 Right=81.21.176.90
>                 Rightsubnet=81.21.188.161/32
>                 Rightnexthop=%defaultroute
>                 Compres=no

Remove the last line - "compres" looks like a typo, and "compress=no" is
the default

>                 Auto=start
>                 Spi=0x0
>                 Pfs=no

Remove spi and pfs. The default for pfs, pfs=yes, is correct since the
Cisco is configured with PFS group 2.

> And then this is what i get in the secure log :
> 
> www.de-breul.com/log.jpg <http://www.de-breul.com/log.jpg>

You are halfway there - phase 1 (main mode) succeeded, and phase 2
(quick mode) failed because your settings didn't match the Cisco's.

Next time please paste the log instead of a screenshot :)

Mike
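Mike's diagnosis above comes down to a proposal mismatch: the Openswan side offered MD5 and pfs=no while the Cisco ASA was configured for SHA with PFS group 2, so phase 1 came up and phase 2 died. The script below is an added example for this thread, not Openswan code and not either poster's configuration: it parses an ipsec.conf conn block, compares it with the peer policy listed in the thread, and reports what would not negotiate, then runs the same check on a conn that pins the proposal explicitly (ike=3des-sha1;modp1024, esp=3des-sha1, pfs=yes, ikelifetime=24h, salifetime=8h, which are documented ipsec.conf keywords). The Openswan default values, the partial keyword list and the mapping of Cisco names to Openswan names are this example's own assumptions; both conn blocks are constructed from the thread.

```python
import re

# Peer-side policy as listed in the thread (phase 1 / phase 2).
CISCO_PEER = {
    "ike_encr": "3des", "ike_hash": "sha1", "ike_dh": "modp1024",  # 3DES / SHA / Group 2
    "ike_lifetime_s": 86400,
    "esp_encr": "3des", "esp_auth": "sha1",                         # 3DES / SHA
    "sa_lifetime_s": 28800,
    "pfs": "yes",                                                   # PFS DH Group 2
}
# Values assumed when a keyword is absent (Openswan 2.6-era defaults; assumption).
OPENSWAN_DEFAULTS = {"pfs": "yes", "ikelifetime": "1h", "salifetime": "8h"}
# Partial keyword list, just enough for the conn blocks in this thread.
KNOWN_KEYWORDS = {
    "authby", "keyingtries", "left", "leftsubnet", "leftnexthop", "right",
    "rightsubnet", "rightnexthop", "auto", "ike", "esp", "pfs",
    "ikelifetime", "salifetime", "keyexchange", "type", "compress",
}
_TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed input: the relevant lines of the poster's first conn.
ORIGINAL_CONN = """
conn nameconnection
    ike=3des-md5
    esp=3des-md5
    authby=secret
    left=77.61.201.18
    leftsubnet=192.168.5.0/24
    right=81.21.176.90
    rightsubnet=81.21.188.161/32
    compres=no
    pfs=no
"""
# Constructed: the same tunnel with the proposal pinned to the peer's policy.
PINNED_CONN = """
conn magister
    authby=secret
    left=77.61.201.18
    leftsubnet=192.168.5.0/24
    right=81.21.176.90
    rightsubnet=81.21.188.161/32
    ike=3des-sha1;modp1024
    esp=3des-sha1
    pfs=yes
    ikelifetime=24h
    salifetime=8h
"""

def parse_conn(text):
    """Parse one 'conn NAME' block into {"name": ..., "settings": {key: value}}."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    m = re.match(r"conn\s+(\S+)$", lines[0], re.IGNORECASE)
    if not m:
        raise ValueError("first line must be 'conn <name>'")
    settings = {}
    for line in lines[1:]:
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()  # lower-cased, as in the thread
    return {"name": m.group(1), "settings": settings}

def to_seconds(value):
    """Convert an ipsec.conf time value such as '8h' or '28800' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError("bad time value: %r" % value)
    return int(m.group(1)) * _TIME_UNITS[m.group(2) or "s"]

def parse_proposal(value):
    """Split 'enc-hash;group' into (enc, hash, group or None)."""
    algs, _, group = value.partition(";")
    enc, _, hsh = algs.partition("-")
    return enc.lower(), hsh.lower(), group.lower() or None

def check_conn(conn, peer=CISCO_PEER):
    """Return the mismatches that would make negotiation with the peer fail."""
    s = dict(OPENSWAN_DEFAULTS)
    s.update(conn["settings"])
    problems = ["unknown keyword %r (typo?)" % k
                for k in conn["settings"] if k not in KNOWN_KEYWORDS]
    if "ike" in s:
        enc, hsh, grp = parse_proposal(s["ike"])
        if (enc, hsh) != (peer["ike_encr"], peer["ike_hash"]):
            problems.append("phase 1: ike=%s, peer wants %s-%s"
                            % (s["ike"], peer["ike_encr"], peer["ike_hash"]))
        if grp not in (None, peer["ike_dh"]):
            problems.append("phase 1: DH group %s, peer wants %s" % (grp, peer["ike_dh"]))
    if "esp" in s:
        enc, hsh, _ = parse_proposal(s["esp"])
        if (enc, hsh) != (peer["esp_encr"], peer["esp_auth"]):
            problems.append("phase 2: esp=%s, peer wants %s-%s"
                            % (s["esp"], peer["esp_encr"], peer["esp_auth"]))
    if s["pfs"].lower() != peer["pfs"]:
        problems.append("phase 2: pfs=%s, peer requires PFS" % s["pfs"])
    return problems

def lifetime_differences(conn, peer=CISCO_PEER):
    """SA lifetimes that differ from the peer's stated values; worth aligning."""
    s = dict(OPENSWAN_DEFAULTS)
    s.update(conn["settings"])
    pairs = (("ikelifetime", "ike_lifetime_s"), ("salifetime", "sa_lifetime_s"))
    return ["%s=%s differs from peer's %ds" % (k, s[k], peer[pk])
            for k, pk in pairs if to_seconds(s[k]) != peer[pk]]

if __name__ == "__main__":
    for text in (ORIGINAL_CONN, PINNED_CONN):
        conn = parse_conn(text)
        print(conn["name"], check_conn(conn) or "OK", lifetime_differences(conn))
```

Running it reports, for the first conn, the `compres` typo, the MD5 hash in both phases and pfs=no, plus the 1h default ikelifetime that differs from the peer's 86400s; the pinned conn passes cleanly. Mike's advice to simply drop ike=, esp= and pfs= also works, because Openswan's defaults propose 3DES/SHA1 with group 2 and pfs=yes; pinning the proposal is just the explicit form of the same fix and makes a later review of the config unambiguous.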

