[Openswan Users] Cisco PIX

Mon Jan 18 16:54:20 EST 2010

I am triing to setup a Openswan connection to a CISCO pix. The both end 
networks are the same 192.168.1.0/24.
I just need to access one IP in the other side, so we decided to create 
a virtual interface with 192.168.5.0/30 (5.1 in my end, 5.2 in the Cisco 
end) and nat-hide this connection, but I couldn't find how to create 
this virtual IP.

*My ipsec.conf is :*
version 2
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes

conn %default
    keyingtries=3
    #keylife=1200s
    #ikelifetime=1200s

conn swan-pix
    authby=secret
    type=tunnel
    keyexchange=ike
    ike=aes256-sha1
    esp=aes256-sha1
    pfs=no
    left=10.10.1.20
    right=x.x.x.x
    auto=add

# disable opportunistic encryption
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore
conn clear
    auto=ignore

conn packetdefault
    auto=ignore

*the PIX LOG error is:*
Rejecting IPSEC tunnel: no matching crypto map entry for remote proxy 
0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface Bizfour

I think he is waiting for a connection from 192.168.5.1

*the tcpdump log is:*

15:26:01.426700 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 1 
I ident
15:26:01.456397 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase 1 
R ident
15:26:01.457949 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 1 
I ident
15:26:01.509453 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase 1 
R ident
15:26:01.511079 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 1 
I ident[E]
15:26:01.552014 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase 1 
R ident[E]
15:26:01.552612 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 
2/others I oakley-quick[E]
15:26:01.609582 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase 
2/others R inf[E]
15:26:01.612739 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase 
2/others R inf[E]
15:26:01.613079 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 
2/others I inf[E]
15:26:08.256883 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 
2/others I oakley-quick[E]
15:26:11.260689 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 
2/others I oakley-quick[E]
15:26:18.004849 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 
2/others I oakley-quick[E]
15:26:20.007791 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 
2/others I oakley-quick[E]
15:26:31.330577 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 
2/others I oakley-quick[E]

which config do I need ?

Thanks in advance.