[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510
Avesh Agarwal
avagarwa at redhat.com
Tue Mar 9 13:48:44 EST 2010
On 03/09/2010 01:43 PM, Whit Blauvelt wrote:
> On Tue, Mar 09, 2010 at 01:20:56PM -0500, Avesh Agarwal wrote:
>
>
>>> No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>>>
>> Exactly what it says: your Cisco does not like the proposals
>> sent by the Openswan end. Verify your Cisco side settings (encryption
>> algo, hash algo and DH groups) against the ones you set with Openswan
>> and see if there is any mismatch.
>>
> Thanks Avesh. I'm looking. But I can't see the mismatch yet. The Cisco (I'm
> told) is set like this:
>
> IPsec Phase I: pre-g2-3des-sha-86400s
> IPsec Phase II: pfs2-esp-3des-sha-28800s
>
Is this DH group 2? Also, I think "esp" is being obsoleted, so don't use
that. Well, you can try the following:
phase2=esp
phase2alg=3DES-SHA1;modp1024
Regards
Avesh
> And my ipsec.conf looks like this:
>
> version 2.0
>
> config setup
> klipsdebug="none"
> plutodebug="all"
> uniqueids=yes
> protostack=netkey
>
> conn cisco
> type=tunnel
> left=xx.xx.xx.114 # my IP
> leftsubnet=192.168.1.0/24
> leftnexthop=xx.xx.xx.97
> leftid=@<fqdn>
> right=yy.yy.yy.222 # IP address of Cisco ASA 5510
> rightsubnet=zz.zz.zz.192/26 # LAN behind Cisco
> rightid=yy.yy.yy.222
> keyingtries=0
> pfs=yes
> auto=add
> auth=esp
> esp=3DES-SHA1
> ike=3DES-SHA1
> authby=secret
>
> The only thing that jumps out at me is the possibility that "pfs2" at the Cisco
> is not compatible with "pfs" at my end. Would that be the case? I see no
> mention of pfs2 in the docs in the tar. But from a note elsewhere -
> http://tristesse.org/OpenswanAnnoyances - it looks like Cisco's "pfs2" and
> Openswan's "pfs" should be the same thing, right?
>
> Another note in that same page suggests I may need nat_traversal=yes, but
> that's not the fix as then I get:
>
> 003 "cisco" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
>
> with the same failure in the end.
>
> Best,
> Whit
>
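As an added example (not from the thread, and not Openswan's or Cisco's own tooling), the following Python checker normalises the two Cisco phase strings Whit quoted and compares them with the ike=/esp=/phase2alg=/pfs= lines of a conn block, reporting why a peer could reject every proposal, which is the situation behind "no acceptable response to our first Quick Mode message". The token meanings of the Cisco shorthand (auth, DH/PFS group, cipher, hash, lifetime) and the reading of "g2"/"pfs2" as DH group 2 (modp1024) are assumptions taken from the thread, not official Cisco syntax.

```python
import re

# Cisco shorthand as quoted in the thread ("pre-g2-3des-sha-86400s", "pfs2-esp-3des-sha-28800s");
# the token meanings (auth, DH/PFS group, cipher, hash, lifetime) are assumed from those strings.
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
HASHES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}
# The relevant lines of Whit's conn, copied from the post above (constructed sample input).
WHIT_CONN = "conn cisco\n pfs=yes\n auth=esp\n esp=3DES-SHA1\n ike=3DES-SHA1\n"

def parse_cisco(text):
    """Normalise one Cisco phase string into Openswan-style cipher/hash/group names."""
    prop = {"cipher": None, "hash": None, "group": None}
    for tok in text.lower().split("-"):
        if m := re.fullmatch(r"(?:g|pfs)(\d+)", tok):   # g2 / pfs2 -> DH group 2 (assumed)
            prop["group"] = DH_GROUPS.get(m.group(1), "group" + m.group(1))
        elif tok in HASHES:
            prop["hash"] = HASHES[tok]
        elif tok in ("3des", "des") or tok.startswith("aes"):
            prop["cipher"] = tok
    return prop

def parse_openswan_alg(spec):
    """Parse 'cipher-hash[;modpNNNN][,more]' as used by ike=, esp= and phase2alg=."""
    props = []
    for p in spec.split(","):
        body, _, grp = p.partition(";")
        cipher, _, hsh = body.strip().lower().partition("-")
        props.append({"cipher": cipher, "hash": HASHES.get(hsh, hsh),
                      "group": grp.strip().lower() or None})
    return props

def findings(cisco, props, phase):
    """List why the peer could reject every Openswan proposal for one phase ([] = a match)."""
    out = []
    for p in props:
        if (p["cipher"], p["hash"]) != (cisco["cipher"], cisco["hash"]):
            out.append(f"{phase}: {p['cipher']}-{p['hash']} vs peer {cisco['cipher']}-{cisco['hash']}")
        elif p["group"] != cisco["group"]:
            out.append(f"{phase}: group {p['group'] or 'not pinned'} vs peer {cisco['group']}")
        else:
            return []  # one proposal lines up exactly with the peer
    return out

def check_conn(conn_text, cisco_p1, cisco_p2):
    kv = {k: v.strip() for k, v in re.findall(r"^\s*(\w+)=([^#\n]*)", conn_text, re.M)}
    c1, c2 = parse_cisco(cisco_p1), parse_cisco(cisco_p2)
    out = findings(c1, parse_openswan_alg(kv.get("ike", "")), "phase1")
    out += findings(c2, parse_openswan_alg(kv.get("phase2alg") or kv.get("esp", "")), "phase2")
    if c2["group"] and kv.get("pfs", "").lower() == "no":
        out.append("phase2: pfs=no but peer requires PFS group " + c2["group"])
    return out
```

Running check_conn(WHIT_CONN, "pre-g2-3des-sha-86400s", "pfs2-esp-3des-sha-28800s") flags that neither phase pins the DH group the Cisco side wants; appending Avesh's phase2alg=3DES-SHA1;modp1024 clears the phase 2 finding.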