[Openswan Users] Cisco PIX

Paul Wouters paul at xelerance.com
Mon Jan 18 19:56:25 EST 2010 

On Mon, 18 Jan 2010, obelix wrote:

> I am triing to setup a Openswan connection to a CISCO pix. The both end
> networks are the same 192.168.1.0/24.
> I just need to access one IP in the other side, so we decided to create
> a virtual interface with 192.168.5.0/30 (5.1 in my end, 5.2 in the Cisco
> end) and nat-hide this connection, but I couldn't find how to create
> this virtual IP.

Use rightsubnet/leftsubnet for the private IP's. You need to configure an
IP alias with the ip yourself.

Paul

> *My ipsec.conf is :*
> version 2
> config setup
>    interfaces=%defaultroute
>    klipsdebug=none
>    plutodebug=none
>    nat_traversal=yes
>
> conn %default
>    keyingtries=3
>    #keylife=1200s
>    #ikelifetime=1200s
>
> conn swan-pix
>    authby=secret
>    type=tunnel
>    keyexchange=ike
>    ike=aes256-sha1
>    esp=aes256-sha1
>    pfs=no
>    left=10.10.1.20
>    right=x.x.x.x
>    auto=add
>
> # disable opportunistic encryption
> conn block
>    auto=ignore
>
> conn private
>    auto=ignore
>
> conn private-or-clear
>    auto=ignore
>
> conn clear-or-private
>    auto=ignore
> conn clear
>    auto=ignore
>
> conn packetdefault
>    auto=ignore
>
> *the PIX LOG error is:*
> Rejecting IPSEC tunnel: no matching crypto map entry for remote proxy
> 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface Bizfour
>
> I think he is waiting for a connection from 192.168.5.1
>
>
> *the tcpdump log is:*
>
> 15:26:01.426700 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 1
> I ident
> 15:26:01.456397 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase 1
> R ident
> 15:26:01.457949 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 1
> I ident
> 15:26:01.509453 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase 1
> R ident
> 15:26:01.511079 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase 1
> I ident[E]
> 15:26:01.552014 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase 1
> R ident[E]
> 15:26:01.552612 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase
> 2/others I oakley-quick[E]
> 15:26:01.609582 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase
> 2/others R inf[E]
> 15:26:01.612739 IP pixconn.isakmp > openswanconnisakmp: isakmp: phase
> 2/others R inf[E]
> 15:26:01.613079 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase
> 2/others I inf[E]
> 15:26:08.256883 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase
> 2/others I oakley-quick[E]
> 15:26:11.260689 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase
> 2/others I oakley-quick[E]
> 15:26:18.004849 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase
> 2/others I oakley-quick[E]
> 15:26:20.007791 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase
> 2/others I oakley-quick[E]
> 15:26:31.330577 IP openswanconnisakmp > pixconn.isakmp: isakmp: phase
> 2/others I oakley-quick[E]
>
>
>
> which config do I need ?
>
> Thanks in advance.
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>

More information about the Users mailing list