[Openswan Users] openswan to Cisco ASA. INVALID_COOKIE error.
Ryan McLeod
r.mcleod20 at gmail.com
Wed Jul 7 15:41:08 EDT 2010
I've got openswan installed on a virtual machine of Ubuntu, IP:
192.168.92.128. It runs on a Windows machine with an IP of 200.200.200.1,
which is connected by straight-through cable to a Cisco ASA (200.200.200.2,
and 192.168.1.0 for its internal network). So this is just an internal setup
for testing some VPNs with the Cisco. I'm getting an error when trying to
connect openswan to the ASA as a site-to-site VPN.
003 "tunnelipsec" #1: ignoring Vendor ID payload[FRAGMENTATION c000000]
106 "tunnelipsec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "tunnelipsec" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "tunnelipsec" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
106 "tunnelipsec" #1: received and ignored informational message
My ipsec.conf looks like:
config setup
plutodebug="all"
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
interfaces=%defaultroute
klipsdebug=none
conn tunnelipsec
type= tunnel
authby= secret
left= 192.168.92.128
leftnexthop= 200.200.200.2
leftsubnet= 192.168.92.0/24
right= 200.200.200.1
rightnexthop= 200.200.200.1
rightsubnet= 192.168.1.0/24
esp= 3des-md5-96
keyexchange= ike
pfs= no
auto= route
The ASA config: if you need more info than this let me know, I just put what I
thought to be important.
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.0.0
access-list outside_1_cryptomap extended permit ip host 200.200.200.2 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip 192.168.92.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit ip host 200.200.200.2 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_1_cryptomap in interface outside
route outside 192.168.92.0 255.255.255.0 200.200.200.2 1
no sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.168.92.128
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
tunnel-group 200.200.200.1 type ipsec-l2l
tunnel-group 200.200.200.1 ipsec-attributes
pre-shared-key *
Thanks,
Ryan
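An added consistency check (not from this post, and not part of Openswan or the ASA) that parses the conn block and the ASA crypto-map, tunnel-group and crypto ACL lines quoted above and lists where the two ends disagree: crypto-map peer versus openswan left, whether an ipsec-l2l tunnel-group exists under that peer address, and whether the crypto ACL networks mirror leftsubnet/rightsubnet. The sample input is copied from the post; which fields to compare is my own assumption.

```python
import ipaddress
import re
# Constructed sample input: the relevant lines copied from the post above.
IPSEC_CONF = """\
left= 192.168.92.128
leftsubnet= 192.168.92.0/24
rightsubnet= 192.168.1.0/24
"""
ASA_CONF = """\
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.92.0 255.255.0.0
crypto map outside_map 1 set peer 192.168.92.128
tunnel-group 200.200.200.1 type ipsec-l2l
"""
IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

def parse_ipsec_conn(text):  # key=value pairs of one conn block; spaces around '=' tolerated
    conf = {}
    for line in text.splitlines():
        if m := re.match(r"\s*(\w+)\s*=\s*(\S+)", line):
            conf[m.group(1)] = m.group(2)
    return conf

def parse_asa(text):  # crypto-map peers, ipsec-l2l tunnel-group names, crypto ACL networks
    asa = {"peers": [], "tunnel_groups": [], "acl": []}
    for line in text.splitlines():
        if m := re.match(r"crypto map \S+ \d+ set peer " + IPV4, line):
            asa["peers"].append(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            asa["tunnel_groups"].append(m.group(1))
        elif m := re.match(r"access-list (\S+) extended permit ip " + " ".join([IPV4] * 4), line):
            # strict=False: an ASA mask may leave host bits set (192.168.92.0 255.255.0.0)
            local = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            remote = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
            asa["acl"].append((m.group(1), local, remote))
    return asa

def check(ipsec, asa):  # places where the openswan conn and the ASA crypto config disagree
    problems = []
    for peer in asa["peers"]:
        if peer != ipsec.get("left"):
            problems.append(f"ASA peer {peer} is not openswan left={ipsec.get('left')}")
        if peer not in asa["tunnel_groups"]:  # the ASA selects an l2l tunnel-group by peer IP
            problems.append(f"no ipsec-l2l tunnel-group named {peer}")
    left_net = ipaddress.ip_network(ipsec["leftsubnet"])
    right_net = ipaddress.ip_network(ipsec["rightsubnet"])
    for name, local, remote in asa["acl"]:
        if local != right_net or remote != left_net:
            problems.append(f"ACL {name} {local}->{remote} does not mirror {right_net}<->{left_net}")
    return problems
```

Run on the post's own lines it reports two disagreements: no ipsec-l2l tunnel-group is named after the crypto-map peer, and the 255.255.0.0 mask in outside_1_cryptomap does not match leftsubnet.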