[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Avesh Agarwal avagarwa at redhat.com
Tue Mar 9 13:48:44 EST 2010


On 03/09/2010 01:43 PM, Whit Blauvelt wrote:
> On Tue, Mar 09, 2010 at 01:20:56PM -0500, Avesh Agarwal wrote:
>
>>> No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>>>
>> Exactly what it says: your Cisco does not like the proposals
>> sent by the Openswan end. Verify your Cisco side settings (encryption
>> algo, hash algo and DH groups) against the ones you set with Openswan
>> and see if there is any mismatch.
>>
> Thanks Avesh. I'm looking. But I can't see the mismatch yet. The Cisco (I'm
> told) is set like this:
>
> IPsec Phase I: pre-g2-3des-sha-86400s
> IPsec Phase II: pfs2-esp-3des-sha-28800s
>
Is this DH group 2? Also I think "esp" is becoming obsolete, so don't use 
that. Well, you can try the following:

phase2=esp
phase2alg=3DES-SHA1;modp1024

Regards
Avesh
> And my ipsec.conf looks like this:
>
> version 2.0
>
> config setup
>       klipsdebug="none"
>       plutodebug="all"
>       uniqueids=yes
>       protostack=netkey
>
> conn cisco
>       type=tunnel
>       left=xx.xx.xx.114 # my IP
>       leftsubnet=192.168.1.0/24
>       leftnexthop=xx.xx.xx.97
>       leftid=@<fqdn>
>       right=yy.yy.yy.222 # IP address of Cisco ASA 5510
>       rightsubnet=zz.zz.zz.192/26  # LAN behind Cisco
>       rightid=yy.yy.yy.222
>       keyingtries=0
>       pfs=yes
>       auto=add
>       auth=esp
>       esp=3DES-SHA1
>       ike=3DES-SHA1
>       authby=secret
>
> The only thing that jumps at me is the possibility that "pfs2" at the Cisco
> is not compatible with "pfs" at my end. Would that be the case? I see no
> mention of pfs2 in the docs in the tar. But from a note elsewhere -
> http://tristesse.org/OpenswanAnnoyances - it looks like Cisco's "pfs2" and
> Openswan's "pfs" should be the same thing, right?
>
> Another note in that same page suggests I may need nat_traversal=yes, but
> that's not the fix as then I get:
>
> 003 "cisco" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>
> with the same failure in the end.
>
> Best,
> Whit
>
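As an added example, not code from this thread or from Openswan: a small checker that translates the Cisco proposal strings quoted above into the Openswan conn keywords they imply and lists where the posted conn differs. It assumes the usual reading of the Cisco notation (pre = pre-shared key, gN/pfsN = DH group N, trailing number = lifetime in seconds), and that Openswan's "auth" and "phase2alg" keywords are aliases of "phase2" and "esp".

```python
import re

# Constructed sample input: the Cisco proposal strings and conn lines quoted in this thread.
CISCO_PHASE1 = "pre-g2-3des-sha-86400s"
CISCO_PHASE2 = "pfs2-esp-3des-sha-28800s"
POSTED_CONN = "conn cisco\n pfs=yes\n auth=esp\n esp=3DES-SHA1\n ike=3DES-SHA1\n authby=secret\n"

DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
ENC = {"des": "DES", "3des": "3DES", "aes": "AES", "aes256": "AES256"}
HASH = {"md5": "MD5", "sha": "SHA1", "sha1": "SHA1"}

def cisco_to_openswan(phase1, phase2):
    """Map 'pre-g2-3des-sha-86400s' / 'pfs2-esp-3des-sha-28800s' to Openswan conn keywords (assumed notation)."""
    m1 = re.fullmatch(r"(pre|rsa)-g(\d+)-([a-z0-9]+)-([a-z0-9]+)-(\d+)s", phase1)
    m2 = re.fullmatch(r"(?:pfs(\d+)|nopfs)-(esp|ah)-([a-z0-9]+)-([a-z0-9]+)-(\d+)s", phase2)
    if not (m1 and m2):
        raise ValueError("unrecognised Cisco proposal string")
    auth, g1, e1, h1, life1 = m1.groups()
    g2, proto, e2, h2, life2 = m2.groups()
    want = {"authby": "secret" if auth == "pre" else "rsasig",
            "ike": f"{ENC[e1]}-{HASH[h1]};{DH[g1]}", "ikelifetime": life1 + "s",
            "phase2": proto, "pfs": "yes" if g2 else "no", "salifetime": life2 + "s"}
    # The PFS group belongs on the phase 2 proposal, as the reply above suggests.
    want["esp"] = f"{ENC[e2]}-{HASH[h2]}" + (f";{DH[g2]}" if g2 else "")
    return want

def conn_settings(conn_text):
    """Read key=value lines from a conn block; 'auth' and 'phase2alg' are treated as old aliases."""
    out = {}
    for line in conn_text.splitlines()[1:]:
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    for alias, key in (("auth", "phase2"), ("phase2alg", "esp")):
        if alias in out:
            out.setdefault(key, out.pop(alias))
    return out

def mismatches(conn_text, want):
    """Return {keyword: (value in conn or None, value the Cisco side implies)} for every difference."""
    have = conn_settings(conn_text)
    return {k: (have.get(k), v) for k, v in want.items()
            if (have.get(k) or "").lower() != v.lower()}
```

Run against the posted conn it reports that esp= and ike= carry no DH group while the Cisco side expects group 2 on both, and that no lifetimes are set; pfs, phase2 and authby already agree.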