[Openswan Users] OpenSwan and Cisco ASA

Emilio García emilio.garcia at cloudreach.co.uk
Fri Jun 4 11:49:51 EDT 2010


Thanks for your answer Paul,

The problem I'm actually having is that I have 2 interfaces: one is eth0
10.x.y.1/24 and the other one is an OpenVPN tun0 172.100.100.1/24, so the Cisco
administrators say that if we allow packets from 10.x we cannot send 172.x
packets and vice versa. We are only interested in having traffic in the
172.100.100.x OpenVPN network. But if I use the 172.100.100.1 IP in left I
cannot even complete the IKE phase. Also I tried using leftipsource but then
again the Cisco ASA says that they are getting 10.x.y.1 packets instead of
172.100.100.1.

So I'm wondering if there would be a way to use the tun0 interface IP
instead of the eth0 one when sending packets after bringing the tunnel up.
(I tried interfaces="ipsec0=tun0" but it didn't change anything).

Regarding 2)
Do you mean it is possible to create an IPSec tunnel between OpenSwan and
Cisco ASA so you can actually send IP packets from both 10.x.y.z/24 and
172.100.100.x/24 even when left is a 10.x.y.z IP? Should left be the same
10.x IP in both connections?

Regards.



2010/6/4 Paul Wouters <paul at xelerance.com>

> On Fri, 4 Jun 2010, Emilio García wrote:
>
>> I am trying to connect to Cisco ASA using OpenSwan on a Ubuntu Hardy
>> (NATted). I'm getting the tunnel up but I cannot ping
>> anything between them. Additionally I have another subnetwork 172.100.100.x
>> I want to route through that tunnel also, so on the Cisco
>> ASA we configured this IPSec tunnel to accept traffic from both
>> networks and on the linux box we enabled IP forwarding.
>>
>
> 1) Ciscos are known to "accept" proposals which they then subsequently
> drop packets for, violating local policy.
>   So this could still be a misconfiguration.
>
> 2) Enabling IP forwarding is required, but not relevant to "the second
> subnet". You cannot "route" into ipsec.
>   You need a second policy. The simplest way is to add another "conn"
> section with the different subnet.
>
> Paul
>
>> root at hostname:/home/ubuntu#  ipsec whack --name connname --initiate
>> 002 "conname" #1: initiating Main Mode
>> 104 "conname" #1: STATE_MAIN_I1: initiate
>> 003 "conname" #1: received Vendor ID payload
>> [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>> 003 "conname" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>> 002 "conname" #1: enabling possible NAT-traversal with method
>> draft-ietf-ipsec-nat-t-ike-02/03
>> 002 "conname" #1: transition from state STATE_MAIN_I1 to state
>> STATE_MAIN_I2
>> 106 "conname" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> 003 "conname" #1: received Vendor ID payload [Cisco-Unity]
>> 003 "conname" #1: received Vendor ID payload [XAUTH]
>> 003 "conname" #1: ignoring unknown Vendor ID payload
>> [af0b2f2b6db2bf2f75de7d071864b8c5]
>> 003 "conname" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>> 002 "conname" #1: I did not send a certificate because I do not have one.
>> 003 "conname" #1: NAT-Traversal: Result using
>> draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
>> 002 "conname" #1: transition from state STATE_MAIN_I2 to state
>> STATE_MAIN_I3
>> 108 "conname" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> 003 "conname" #1: received Vendor ID payload [Dead Peer Detection]
>> 002 "conname" #1: Main mode peer ID is ID_IPV4_ADDR: '81.x.x.x'
>> 002 "conname" #1: transition from state STATE_MAIN_I3 to state
>> STATE_MAIN_I4
>> 004 "conname" #1: STATE_MAIN_I4: ISAKMP SA established
>> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
>> group=modp1024}
>> 002 "conname" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using
>> isakmp#1}
>> 117 "conname" #2: STATE_QUICK_I1: initiate
>> 002 "conname" #2: transition from state STATE_QUICK_I1 to state
>> STATE_QUICK_I2
>> 004 "conname" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
>> {ESP/NAT=>0x6fda3167 <0x13d53d8b xfrm=3DES_0-HMAC_SHA1
>> NATD=81.x.x.x:4500 DPD=none}
>>
>> This is my config file:
>>
>> # basic configuration
>> config setup
>>      klipsdebug=all
>>      plutodebug=all
>>      nat_traversal=yes
>>      nhelpers=1
>>      interfaces="ipsec0=eth0"
>>
>> # Add connections here
>> conn morrison
>>      type=tunnel
>>      left=10.228.105.171
>>      leftid=79.x.x.x
>>      right=81.x.x.x #IP address of your morrison router
>>      rightsubnet=172.16.200.0/24
>>      rightid=81.x.x.x
>>      authby=secret
>>      auto=add
>>      auth=esp
>>      esp=3des-sha1
>>      ike=3des-sha1-modp1024
>>      pfs=no
>>      forceencaps=yes
>> #     keyingtries=1
>> #     aggrmode=yes
>>
>> # sample VPN connections, see /etc/ipsec.d/examples/
>>
>> #Disable Opportunistic Encryption
>> include /etc/ipsec.d/examples/no_oe.conf
>>
>> And my ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path                                 [OK]
>> Linux Openswan U2.4.9/K2.6.24-10-xen (netkey)
>> Checking for IPsec support in kernel                            [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects       [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
>> Checking for RSA private key (/etc/ipsec.secrets)               [DISABLED]
>>   ipsec showhostkey: no default key in "/etc/ipsec.secrets"
>> Checking that pluto is running                                  [OK]
>> Two or more interfaces found, checking IP forwarding            [OK]
>> Checking NAT and MASQUERADEing                                  [OK]
>> Checking for 'ip' command                                       [OK]
>> Checking for 'iptables' command                                 [OK]
>> Opportunistic Encryption Support                                [DISABLED]
>>
>> On the CISCO ASA I'm getting this:
>> No translation group found for udp src outside: 10.228.105.171/44079 dst
>> inside: 172.16.200.95/33522
>>
>> We have spent days on it and we cannot make it work.
>>
>> Thank you in advance.
>>

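As an added example (not from the thread or from either poster), this is the two-policy layout Paul's point 2 describes, built from the parameters in Emilio's "conn morrison": the shared settings go into conn %default and each local network gets its own conn. The second conn's name and its leftsubnet=172.100.100.0/24 are assumptions based on the tun0 network Emilio lists; the ASA side needs a matching crypto ACL for that subnet as well.

```ini
# Added example, not from the thread: one IPsec policy per local network
# toward the same Cisco ASA, as suggested in Paul's point 2.
# Shared parameters are taken from Emilio's "conn morrison"; the second
# conn (name and leftsubnet) is an assumption based on the tun0 network.
conn %default
     type=tunnel
     left=10.228.105.171
     leftid=79.x.x.x
     right=81.x.x.x
     rightid=81.x.x.x
     rightsubnet=172.16.200.0/24
     authby=secret
     auth=esp
     esp=3des-sha1
     ike=3des-sha1-modp1024
     pfs=no
     forceencaps=yes
     auto=add

# Policy 1: the host itself <-> 172.16.200.0/24
# (the same policy the original conn produced when left had no leftsubnet,
# written out explicitly as a /32 here)
conn morrison
     leftsubnet=10.228.105.171/32

# Policy 2: the OpenVPN network behind tun0 <-> 172.16.200.0/24
# Both conns share the one ISAKMP SA with the ASA but each negotiates its
# own IPsec SA, so the ASA must have a crypto ACL entry for this subnet too.
conn morrison-openvpn
     leftsubnet=172.100.100.0/24
```

Each policy is brought up on its own (ipsec auto --up morrison, then ipsec auto --up morrison-openvpn), so a failure in the second Quick Mode exchange points at the ASA's crypto ACL for 172.100.100.0/24 rather than at the IKE phase.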