[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510
Whit Blauvelt
whit at transpect.com
Tue Mar 9 12:48:24 EST 2010
> Debian/ubuntu ships horribly old openswan packages.
I've installed openswan-2.6.24 from source. Note compiling it required
libgmp3-dev, bison and flex, in addition to what I already happened to have
installed on the Ubuntu box.
> >At the Cisco end they prefer as defaults (but will alter if required):
> >
> >Phase 1 - pre-g2-3des-sha-86400s
> >Phase 2 - pfs2-esp-3des-sha-28800s
> >and a PSK (not cert)
>
> Should work.
At the moment I'm stuck on:
# ipsec setup --start
ipsec_setup: Starting Openswan IPsec U2.6.24/K2.6.24-19-server...
ipsec_setup: no default routes detected
Is that a fatal error? My routing rules and tables are complex, so it's not
going to find a default route where it expects to if it's being simple-minded.
I do have a specific route set to the other end:
# ip ro ls
yy.yy.yy.222 via xx.xx.xx.97 dev eth5 src xx.xx.xx.114
...
And I can ping it by that route.
My ipsec.conf looks like:
version 2.0

config setup
    klipsdebug="none"
    plutodebug="all"
    uniqueids=yes
    protostack=netkey

conn cisco
    type=tunnel
    left=xx.xx.xx.114 # my IP
    leftsubnet=192.168.1.0/24
    leftnexthop=xx.xx.xx.97
    leftid=@<fqdn>
    right=yy.yy.yy.222 # IP address of Cisco ASA 5510
    rightsubnet=zz.zz.zz.192/26 # LAN behind Cisco
    rightid=@<otherend>
    keyingtries=0
    pfs=yes
    auto=add
    auth=esp
    esp=3DES-SHA1
    ike=3DES-SHA1
    authby=secret
And it's obviously not getting anywhere yet:
# ipsec auto --up cisco
104 "cisco" #1: STATE_MAIN_I1: initiate
010 "cisco" #1: STATE_MAIN_I1: retransmission; will wait 20s for response
...
No sign this is an iptables problem - I've got the rules re-enabled there
that were working a while back for freeswan.
Thanks for any clues,
Whit
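Editor's note with an added example (not code from the thread, from Openswan or from the Cisco side). The "no default routes detected" line comes from the `ipsec setup` startup script when `ip route` shows no `default` entry; it is a warning rather than a fatal error, and this conn gives left= and leftnexthop= explicitly rather than via %defaultroute, so it does not need one. The more likely place to lose time is the proposal mismatch: the Cisco defaults quoted above are "pre-g2-3des-sha-86400s" for phase 1 and "pfs2-esp-3des-sha-28800s" for phase 2, while the posted conn says ike=3DES-SHA1 and esp=3DES-SHA1 with no DH group and no lifetimes. The script below expands that shorthand into Openswan conn parameters and lists what the posted conn leaves out. The expansion of the abbreviations (pre = pre-shared key, gN = DH group N, sha = SHA-1, trailing "Ns" = lifetime in seconds) and the Openswan syntax for appending the PFS group to esp= after a semicolon are assumptions in this example, so check them against the ipsec.conf(5) for the installed version.

```python
"""Expand Cisco-style IKE/IPsec policy shorthand into Openswan conn settings.

Added example, not from the mailing-list thread. The abbreviation tables are
assumptions about the shorthand quoted by the Cisco side: "pre" = pre-shared
key, "gN"/"pfsN" = Diffie-Hellman group N, "sha" = SHA-1, "<n>s" = lifetime.
"""
import re

AUTH_METHODS = {"pre": "secret", "rsa": "rsasig"}            # -> authby=
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
CIPHERS = {"des": "des", "3des": "3des", "aes": "aes", "aes128": "aes128", "aes256": "aes256"}
HASHES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}


def lifetime(token):
    """'86400s' -> '24h' when it is a whole number of hours, otherwise '<n>s'."""
    m = re.fullmatch(r"(\d+)s", token)
    if not m:
        raise ValueError(f"bad lifetime token: {token!r}")
    secs = int(m.group(1))
    return f"{secs // 3600}h" if secs % 3600 == 0 else f"{secs}s"


def parse_phase1(spec):
    """'pre-g2-3des-sha-86400s' -> phase 1 (IKE) settings for a conn block."""
    parts = spec.lower().split("-")
    if len(parts) != 5:
        raise ValueError(f"phase 1 spec needs 5 fields: {spec!r}")
    auth, group, cipher, hsh, life = parts
    gm = re.fullmatch(r"g(\d+)", group)
    if not gm or gm.group(1) not in DH_GROUPS:
        raise ValueError(f"unknown DH group: {group!r}")
    return {
        "authby": AUTH_METHODS[auth],
        # Name the group explicitly; the posted ike=3DES-SHA1 leaves it to the default.
        "ike": f"{CIPHERS[cipher]}-{HASHES[hsh]};{DH_GROUPS[gm.group(1)]}",
        "ikelifetime": lifetime(life),
    }


def parse_phase2(spec):
    """'pfs2-esp-3des-sha-28800s' -> phase 2 (ESP) settings for a conn block."""
    parts = spec.lower().split("-")
    if len(parts) != 5:
        raise ValueError(f"phase 2 spec needs 5 fields: {spec!r}")
    pfs, proto, cipher, hsh, life = parts
    if proto != "esp":
        raise ValueError(f"only ESP is handled here, got {proto!r}")
    proposal = f"{CIPHERS[cipher]}-{HASHES[hsh]}"
    settings = {"auth": "esp", "salifetime": lifetime(life)}
    if pfs == "nopfs":                      # assumed spelling for "no PFS"
        settings["pfs"] = "no"
        settings["esp"] = proposal
    else:
        pm = re.fullmatch(r"pfs(\d+)", pfs)
        if not pm or pm.group(1) not in DH_GROUPS:
            raise ValueError(f"unknown PFS group: {pfs!r}")
        settings["pfs"] = "yes"
        # Assumption: Openswan takes the PFS group appended to esp= after ';'.
        settings["esp"] = f"{proposal};{DH_GROUPS[pm.group(1)]}"
    return settings


def conn_settings(p1_spec, p2_spec):
    """Merge both phases into one dict of conn parameters."""
    return {**parse_phase1(p1_spec), **parse_phase2(p2_spec)}


def check_against(posted, required):
    """Map each required key that is missing from, or differs (case-insensitively)
    in, a posted conn block to (posted_value, required_value)."""
    problems = {}
    for key, want in required.items():
        have = posted.get(key)
        if have is None or have.lower() != want.lower():
            problems[key] = (have, want)
    return problems


def render_conn(name, settings):
    """Render a conn section; ipsec.conf needs the parameters indented."""
    lines = [f"conn {name}"] + [f"\t{k}={v}" for k, v in sorted(settings.items())]
    return "\n".join(lines) + "\n"


# Crypto-related lines of the conn block as posted in the thread.
POSTED_CONN = {"auth": "esp", "esp": "3DES-SHA1", "ike": "3DES-SHA1",
               "pfs": "yes", "authby": "secret"}

if __name__ == "__main__":
    required = conn_settings("pre-g2-3des-sha-86400s", "pfs2-esp-3des-sha-28800s")
    print(render_conn("cisco", required))
    for key, (have, want) in check_against(POSTED_CONN, required).items():
        print(f"{key}: posted {have!r}, peer defaults want {want!r}")
```

Run against the two strings quoted in the thread, it reports ike and esp as differing (no DH group named) and ikelifetime and salifetime as missing; the other parameters already match. Lifetime mismatches alone usually negotiate down to the shorter value, but a group mismatch stops phase 1 before any response, which looks exactly like the retransmission loop in the `ipsec auto --up cisco` output above, so it is worth ruling out before digging into routing.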