[Openswan Users] OpenSwan and Cisco ASA

Paul Wouters paul at xelerance.com
Fri Jun 4 11:24:49 EDT 2010


On Fri, 4 Jun 2010, Emilio García wrote:

> I am trying to connect to Cisco ASA using OpenSwan on a Ubuntu Hardy (NATted). I'm getting the tunnel up but I cannot ping
> anything between them. Additionally I have another subnetwork 172.100.100.x I want to route through that tunnel also, so in Cisco
> ASA we configured this IPsec tunnel to accept traffic from both networks and in the linux box we enabled IP Forwarding.

1) Ciscos are known to "accept" proposals which they then subsequently drop packets for, violating local policy.
    So this could still be a misconfiguration.

2) Enabling IP forwarding is required, but not relevant to "the second subnet". You cannot "route" into ipsec.
    You need a second policy. The simplest way is to add another "conn" section with the different subnet.

Paul
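As an added illustration of point 2 (not part of the original thread), here is how the poster's ipsec.conf could carry one policy per local network: a shared settings block plus one "conn" for the NATted host itself and one for the 172.100.100.0/24 network. The section names, and the /24 mask for the second subnet, are assumptions; the ASA's crypto ACL must list both local networks against 172.16.200.0/24, as the poster says it does.

```conf
# Shared settings, referenced by the real conns via "also=".
# No auto= here, so this block is never loaded as a tunnel on its own.
conn morrison-base
     type=tunnel
     left=10.228.105.171
     leftid=79.x.x.x
     right=81.x.x.x
     rightid=81.x.x.x
     rightsubnet=172.16.200.0/24
     authby=secret
     auth=esp
     esp=3des-sha1
     ike=3des-sha1-modp1024
     pfs=no
     forceencaps=yes

# Policy 1: the Openswan host itself <-> 172.16.200.0/24
# (same selectors as the original single conn, no leftsubnet)
conn morrison-host
     also=morrison-base
     auto=add

# Policy 2: the second local network <-> 172.16.200.0/24
# (assumed /24; adjust to the real mask of 172.100.100.x)
conn morrison-lan
     also=morrison-base
     leftsubnet=172.100.100.0/24
     auto=add
```

Bring each conn up separately (ipsec auto --up morrison-host, then morrison-lan); a second Quick Mode exchange and a second IPsec SA in "ipsec auto --status" confirm the ASA accepted the second policy rather than silently dropping its traffic.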

> root at hostname:/home/ubuntu#  ipsec whack --name connname --initiate
> 002 "conname" #1: initiating Main Mode
> 104 "conname" #1: STATE_MAIN_I1: initiate
> 003 "conname" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
> 003 "conname" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 002 "conname" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
> 002 "conname" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> 106 "conname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "conname" #1: received Vendor ID payload [Cisco-Unity]
> 003 "conname" #1: received Vendor ID payload [XAUTH]
> 003 "conname" #1: ignoring unknown Vendor ID payload [af0b2f2b6db2bf2f75de7d071864b8c5]
> 003 "conname" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 002 "conname" #1: I did not send a certificate because I do not have one.
> 003 "conname" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> 002 "conname" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> 108 "conname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "conname" #1: received Vendor ID payload [Dead Peer Detection]
> 002 "conname" #1: Main mode peer ID is ID_IPV4_ADDR: '81.x.x.x'
> 002 "conname" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> 004 "conname" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> 002 "conname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> 117 "conname" #2: STATE_QUICK_I1: initiate
> 002 "conname" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> 004 "conname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP/NAT=>0x6fda3167 <0x13d53d8b xfrm=3DES_0-HMAC_SHA1
> NATD=81.x.x.x:4500 DPD=none}
> 
> This is my config file:
> 
> # basic configuration
> config setup
>      klipsdebug=all
>      plutodebug=all
>      nat_traversal=yes
>      nhelpers=1
>      interfaces="ipsec0=eth0"
> 
> # Add connections here
> conn morrison
>      type=tunnel
>      left=10.228.105.171
>      leftid=79.x.x.x
>      right=81.x.x.x #IP address of your morrison router
>      rightsubnet=172.16.200.0/24
>      rightid=81.x.x.x
>      authby=secret
>      auto=add
>      auth=esp
>      esp=3des-sha1
>      ike=3des-sha1-modp1024
>      pfs=no
>      forceencaps=yes
> #     keyingtries=1
> #     aggrmode=yes
> 
> # sample VPN connections, see /etc/ipsec.d/examples/
> 
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
> 
> And my ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan U2.4.9/K2.6.24-10-xen (netkey)
> Checking for IPsec support in kernel                            [OK]
> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
> 
> On the CISCO ASA I'm getting this:
> No translation group found for udp src outside: 10.228.105.171/44079 dst inside: 172.16.200.95/33522
> 
> We have spent days on it and we cannot make it work.
> 
> Thank you in advance.

