[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Avesh Agarwal avagarwa at redhat.com
Tue Mar 9 14:09:59 EST 2010


On 03/09/2010 02:03 PM, Whit Blauvelt wrote:
>>> IPsec Phase I: pre-g2-3des-sha-86400s
>>> IPsec Phase II: pfs2-esp-3des-sha-28800s
>>>
>>>        
>> Is this DH group 2? Also I think "esp" is becoming obsolete, so don't use
>> that. Well, you can try the following:
>>
>> phase2=esp
>> phase2alg=3DES-SHA1;modp1024
>>      
> Thanks again. Whether that's DH group2 ... probably, but it's getting
> through phase I, so could that be the problem?
>
> Are you suggesting I have the Cisco admin not use esp?
>
> After adding the two lines you suggest I get:
>
> ipsec_setup: duplicate key 'phase2' in conn cisco while processing def cisco
> ipsec_setup: duplicate key 'phase2alg' in conn cisco while processing def cisco
> ipsec_setup: while loading 'cisco': duplicate key 'phase2alg' in conn cisco while processing def cisco
>
> What these are duplicating is not clear, since there is only one
> specification of either "phase2" or "phase2alg" in the ipsec.conf.
>
> At that point
>
> # ipsec auto --up cisco
> 000 initiating all conns with alias='cisco'
> 021 no connection named "cisco"
>
>    
I believe that you have not removed "esp". Please remove "esp" and try
again.

Regards
Avesh
> So whatever the "duplicate key" message means, it's a fatal problem.
>
> Best,
> Whit
>    
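
An added example, not part of the thread and not Openswan's own code: a small checker that flags keys in a conn section that collide once old-style keyword names are mapped to their newer equivalents, the situation the reply above points to. The alias table (`esp`/`phase2alg`, `auth`/`phase2`) and the sample config are assumptions constructed for illustration.

```python
import re

# Assumption (not stated in the thread): older keyword -> newer keyword that the
# config parser stores in the same slot, so setting both counts as a duplicate.
ALIASES = {"esp": "phase2alg", "auth": "phase2"}

# Constructed sample config; addresses are documentation placeholders.
SAMPLE_CONF = """\
conn cisco
    left=192.0.2.10
    right=198.51.100.20
    authby=secret
    auth=esp
    esp=3des-sha1
    pfs=yes
    phase2=esp
    phase2alg=3DES-SHA1;modp1024
    auto=add
"""

def find_duplicate_keys(conf_text):
    """Return (conn, canonical_key, [(lineno, key_as_written), ...]) per clash."""
    seen = {}   # (conn, canonical key) -> list of (lineno, key as written)
    conn = None
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)", line)
        if header:                                 # a new section starts here
            conn = header.group(2) if header.group(1) == "conn" else None
            continue
        # Only indented key=value lines inside a conn section are options.
        if conn is None or not raw[0].isspace() or "=" not in line:
            continue
        key = line.split("=", 1)[0].strip().lower()
        canonical = ALIASES.get(key, key)
        seen.setdefault((conn, canonical), []).append((lineno, key))
    return [(c, k, hits) for (c, k), hits in seen.items() if len(hits) > 1]

if __name__ == "__main__":
    for conn, key, hits in find_duplicate_keys(SAMPLE_CONF):
        where = ", ".join(f"{k!r} on line {n}" for n, k in hits)
        print(f"conn {conn}: duplicate key {key!r} ({where})")
```

Removing the old-style lines from the sample makes the checker return an empty list.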