[Openswan Users] OpenSwan and Cisco ASA

Emilio García emilio.garcia at cloudreach.co.uk
Fri Jun 4 04:54:01 EDT 2010


I am trying to connect to a Cisco ASA using OpenSwan on Ubuntu Hardy
(NATted). I'm getting the tunnel up but I cannot ping anything between them.
Additionally I have another subnetwork 172.100.100.x I want to route through
that tunnel also, so on the Cisco ASA we configured this IPSec tunnel to
accept traffic from both networks, and in the Linux box we enabled IP
forwarding.

root@hostname:/home/ubuntu# ipsec whack --name connname --initiate
002 "conname" #1: initiating Main Mode
104 "conname" #1: STATE_MAIN_I1: initiate
003 "conname" #1: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "conname" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
002 "conname" #1: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-02/03
002 "conname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "conname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "conname" #1: received Vendor ID payload [Cisco-Unity]
003 "conname" #1: received Vendor ID payload [XAUTH]
003 "conname" #1: ignoring unknown Vendor ID payload
[af0b2f2b6db2bf2f75de7d071864b8c5]
003 "conname" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
002 "conname" #1: I did not send a certificate because I do not have one.
003 "conname" #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
002 "conname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "conname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "conname" #1: received Vendor ID payload [Dead Peer Detection]
002 "conname" #1: Main mode peer ID is ID_IPV4_ADDR: '81.x.x.x'
002 "conname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "conname" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
002 "conname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
isakmp#1}
117 "conname" #2: STATE_QUICK_I1: initiate
002 "conname" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
004 "conname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP/NAT=>0x6fda3167 <0x13d53d8b xfrm=3DES_0-HMAC_SHA1 NATD=81.x.x.x:4500
DPD=none}

This is my config file:

# basic configuration
config setup
     klipsdebug=all
     plutodebug=all
     nat_traversal=yes
     nhelpers=1
     interfaces="ipsec0=eth0"

# Add connections here
conn morrison
     type=tunnel
     left=10.228.105.171
     leftid=79.x.x.x
     right=81.x.x.x #IP address of your morrison router
     rightsubnet=172.16.200.0/24
     rightid=81.x.x.x
     authby=secret
     auto=add
     auth=esp
     esp=3des-sha1
     ike=3des-sha1-modp1024
     pfs=no
     forceencaps=yes
#     keyingtries=1
#     aggrmode=yes

# sample VPN connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

And my ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.9/K2.6.24-10-xen (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
  ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

On the CISCO ASA I'm getting this:
No translation group found for udp src outside: 10.228.105.171/44079 dst
inside: 172.16.200.95/33522

We have spent days on it and we cannot make it work.

Thank you in advance.

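A small diagnostic helper, added here as an example and not code from the poster or from the Openswan project: it parses a conn section in ipsec.conf syntax, derives the traffic selectors Openswan negotiates for it (leftsubnet/rightsubnet when set, otherwise the host address as a /32), and checks whether a given source/destination pair, such as the one named in the ASA "No translation group found" message, falls inside those selectors. The sample config is constructed to match the shape of the one above; 192.0.2.1 and 198.51.100.1 are placeholder endpoint addresses, and 172.100.100.10 is a constructed host from the second subnet mentioned in the mail.

```python
import ipaddress
import re

# Constructed sample in ipsec.conf syntax; endpoint addresses are
# documentation-range placeholders, the subnets match the mail.
SAMPLE_CONF = """\
config setup
     nat_traversal=yes

conn morrison
     type=tunnel
     left=10.228.105.171
     leftid=192.0.2.1
     right=198.51.100.1 #IP address of the remote router
     rightsubnet=172.16.200.0/24
     rightid=198.51.100.1
     authby=secret
     auto=add
     esp=3des-sha1
     ike=3des-sha1-modp1024
     pfs=no
     forceencaps=yes
#     aggrmode=yes
"""


def parse_ipsec_conf(text):
    """Return {'conn NAME': {key: value}, 'config setup': {...}}.

    '#' comments and blank lines are dropped; an unindented line starts a
    section, indented key=value lines belong to the most recent section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():  # section header, e.g. "conn morrison"
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        key, sep, value = line.strip().partition("=")
        if current is not None and sep:
            sections[current][key.strip()] = value.strip()
    return sections


def traffic_selectors(conn):
    """Selectors a conn negotiates: leftsubnet/rightsubnet if set, else the
    endpoint host itself as a /32 (Openswan's default for a missing subnet)."""
    left = conn.get("leftsubnet") or f"{conn['left']}/32"
    right = conn.get("rightsubnet") or f"{conn['right']}/32"
    return (ipaddress.ip_network(left, strict=False),
            ipaddress.ip_network(right, strict=False))


def covers(conn, src, dst):
    """True if a packet src->dst (left side to right side) lies inside the
    negotiated selectors and would therefore be carried by this conn."""
    left, right = traffic_selectors(conn)
    return (ipaddress.ip_address(src) in left
            and ipaddress.ip_address(dst) in right)


# Matches the ASA message quoted in the mail, e.g.
# "... udp src outside: 10.228.105.171/44079 dst inside: 172.16.200.95/33522"
ASA_MSG = re.compile(r"src \S+: (?P<src>[\d.]+)/\d+ dst \S+: (?P<dst>[\d.]+)/\d+")


def parse_asa_no_translation(line):
    """Extract (src, dst) from an ASA 'No translation group found' line."""
    m = ASA_MSG.search(line)
    return (m.group("src"), m.group("dst")) if m else None


def diagnose(conf_text, conn_name, asa_line, extra_src):
    """Summarise which flows the named conn covers: the flow the ASA logged
    and a probe host from the extra subnet the operator wants routed."""
    conn = parse_ipsec_conf(conf_text)[f"conn {conn_name}"]
    src, dst = parse_asa_no_translation(asa_line)
    return {
        "selectors": tuple(str(n) for n in traffic_selectors(conn)),
        "asa_flow_in_tunnel": covers(conn, src, dst),
        "extra_subnet_in_tunnel": covers(conn, extra_src, dst),
    }


if __name__ == "__main__":
    asa = ("No translation group found for udp src outside: "
           "10.228.105.171/44079 dst inside: 172.16.200.95/33522")
    print(diagnose(SAMPLE_CONF, "morrison", asa, "172.100.100.10"))
```

Run against the sample, the left selector comes out as 10.228.105.171/32, so the flow the ASA logged is inside the tunnel's selectors while a host from 172.100.100.x is not; adding a leftsubnet (or a second conn for that subnet) changes the second answer, which the helper shows when handed a conn dict with leftsubnet set.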