[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510
Whit Blauvelt
whit at transpect.com
Tue Mar 9 13:43:18 EST 2010
On Tue, Mar 09, 2010 at 01:20:56PM -0500, Avesh Agarwal wrote:
> >No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> Exactly what it says that your cisco does not like the proposals
> sent by openswan end. Verify your cisco side settings (encryption
> algo, hash algo and DH groups) with the ones you set with openswan
> and see if there is any mismatch.
Thanks Avesh. I'm looking. But I can't see the mismatch yet. The Cisco (I'm
told) is set like this:
IPsec Phase I: pre-g2-3des-sha-86400s
IPsec Phase II: pfs2-esp-3des-sha-28800s
And my ipsec.conf looks like this:
version 2.0
config setup
	klipsdebug="none"
	plutodebug="all"
	uniqueids=yes
	protostack=netkey
conn cisco
	type=tunnel
	left=xx.xx.xx.114 # my IP
	leftsubnet=192.168.1.0/24
	leftnexthop=xx.xx.xx.97
	leftid=@<fqdn>
	right=yy.yy.yy.222 # IP address of Cisco ASA 5510
	rightsubnet=zz.zz.zz.192/26 # LAN behind Cisco
	rightid=yy.yy.yy.222
	keyingtries=0
	pfs=yes
	auto=add
	auth=esp
	esp=3DES-SHA1 # Phase 2 (IPsec SA) proposal
	ike=3DES-SHA1 # Phase 1 (ISAKMP SA) proposal
	authby=secret
The only thing that jumps at me is the possibility that "pfs2" at the Cisco
is not compatible with "pfs" at my end. Would that be the case? I see no
mention of pfs2 in the docs in the tar. But from a note elsewhere -
http://tristesse.org/OpenswanAnnoyances - it looks like Cisco's "pfs2" and
Openswan's "pfs" should be the same thing, right?
Another note in that same page suggests I may need nat_traversal=yes, but
that's not the fix as then I get:
003 "cisco" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
with the same failure in the end.
Best,
Whit
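As an added example, not code from the thread or from Openswan: a small script that normalises the two Cisco phase summaries quoted above and the algorithm settings of the conn into one form and lists where the two sides differ. It assumes the field order of the Cisco shorthand as written in the mail, treats "pfs2" as PFS with DH group 2 (Openswan's modp1024), and uses Openswan's 1h/8h lifetime defaults; a DH group that the conn leaves unspecified is reported as "not pinned" rather than guessed.

```python
import re
DH_GROUPS = {"2": "modp1024", "5": "modp1536", "14": "modp2048"}  # IKE group number -> Openswan name
HASH_NAMES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}

def seconds(v):  # '86400s', '1h', '8h' -> seconds
    n, unit = re.match(r"(\d+)([smhd]?)", v).groups()
    return int(n) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[unit]

def parse_cisco(summary):
    # Assumed field order: 'pre-g2-3des-sha-86400s' (phase 1), 'pfs2-esp-3des-sha-28800s' (phase 2)
    f = summary.lower().split("-")
    out = {"enc": f[-3], "hash": HASH_NAMES[f[-2]], "lifetime": seconds(f[-1])}
    if f[0] == "pre":  # pre-shared key, then DH group
        out.update(authby="secret", group=DH_GROUPS[f[1].lstrip("g")])
    else:              # pfsN, then protocol
        out.update(group=DH_GROUPS[f[0].lstrip("pfs")], proto=f[1])
    return out

def parse_openswan(conf, conn):
    kv, inside = {}, False  # key=value lines of one conn section; '#' comments dropped
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("conn "):
            inside = line.split()[1] == conn
        elif inside and "=" in line:
            k, v = line.split("=", 1); kv[k.strip()] = v.strip().lower()
    ike, esp = kv["ike"].split("-"), kv["esp"].split("-")
    group = next((g for g in ike if g.startswith("modp")), None)  # None: left to Openswan's default
    p1 = {"enc": ike[0], "hash": HASH_NAMES[ike[1]], "group": group, "authby": kv.get("authby"),
          "lifetime": seconds(kv.get("ikelifetime", "1h"))}  # Openswan default is 1h
    p2 = {"enc": esp[0], "hash": HASH_NAMES[esp[1]], "proto": kv.get("auth", "esp"),
          "group": group if kv.get("pfs") == "yes" else "none",  # pfs=yes reuses the IKE group
          "lifetime": seconds(kv.get("salifetime", kv.get("keylife", "8h")))}  # default is 8h
    return p1, p2

def compare(cisco, ours, phase):  # one line per difference (lifetimes are negotiated: informational)
    diffs = []
    for key, want in cisco.items():
        have = ours.get(key)
        if key == "group" and have is None:
            diffs.append(f"{phase} group: cisco={want}, openswan not pinned (set {want} explicitly)")
        elif have != want:
            diffs.append(f"{phase} {key}: cisco={want} openswan={have}")
    return diffs
# Constructed copy of the conn from the mail, reduced to the algorithm settings.
IPSEC_CONF = "conn cisco\n    pfs=yes\n    auth=esp\n    esp=3DES-SHA1\n    ike=3DES-SHA1\n    authby=secret\n"
def check():
    p1, p2 = parse_openswan(IPSEC_CONF, "cisco")
    return (compare(parse_cisco("pre-g2-3des-sha-86400s"), p1, "phase1")
            + compare(parse_cisco("pfs2-esp-3des-sha-28800s"), p2, "phase2"))
```

For the conn in the mail, check() reports no cipher, hash, protocol or authentication difference, only the Phase 1 lifetime and the unpinned DH group in both phases.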