[Openswan Users] Openswan connection to a cisco ASA 5510
Sjef Kruiper
skruiper at mendelcollege.nl
Fri Jul 2 02:08:35 EDT 2010
Hello,
After struggling with Openswan for more than two days it's time for me to ask
for help on the configuration of our IPsec connection.
We have the following situation:
Our site: a CentOS-based ClearOS firewall with the public IP 1.1.1.34
Supplier site: a Cisco ASA 5510 with the public IP 2.2.2.189
These are the settings I should use according to the Cisco system administrator:
Network
Local peer: 1.1.1.34
Local network : 172.16.0.0/16
Remote peer: 2.2.2.189
Remote network (Schoolwerkplek): 2.2.3.7/32
IPsec Phase 1
Proxy ID: vpn.notme.nl (not necessary)
Pre Shared Key: 123456789
IKE Policy Encryption / Authentication / DH Group: 3DES / SHA / Group 2
Security Association Phase 1: 86400 sec.
IKE Negotiation Mode Main
IPsec Phase 2
IPSec ESP Encryption / ESP Authentication: 3DES / SHA
Security Association Phase 2: 28800 sec.
Perfect Forward Secrecy (PFS) DH Group 2
After intensive googling I'm now using the following settings in ipsec.conf
-------------------------------
version 2.0

config setup
    klipsdebug=all
    plutodebug=all
    uniqueids=yes
    interfaces="ipsec0=eth0"

conn tunnelmwp
    type=tunnel
    left=1.1.1.34
    leftsubnet=172.16.0.0/16
    leftnexthop=%defaultroute
    right=2.2.2.90
    rightsubnet=2.2.3.7/32
    rightnexthop=%defaultroute
    esp=3des-md5-96
    ike=3DES-SHA1
    keyexchange=ike
    ikelifetime=240m
    authby=secret
    pfs=no
    auto=start
    compress=no
    disablearrivalcheck=no
    keylife=60m
    keyingtries=3
    phase2=esp
    phase2alg=3DES-SHA1

# Disable OE
#-----------
conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore
-----------------------------------
ipsec.secrets
-----------------------------------
%any 81.21.176.90: PSK "123456789"
-----------------------------------
The version of Openswan we use:
Version: 2.6.21
Release: 5.el5_4.2
This version is included with ClearOS and is the latest available in their repo.
Talking with the system administrator at the Cisco site, I understand that we have
no problems with phase 1 but phase 2 won't succeed.
I hope someone can give some suggestions.