[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Michael H. Warfield mhw at WittsEnd.com
Tue Mar 9 14:25:28 EST 2010


Hey Paul,

On Tue, 2010-03-09 at 13:56 -0500, Paul Wouters wrote: 
> On Tue, 9 Mar 2010, Avesh Agarwal wrote:
> 
> >>>> No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> >>>>
> >>> Exactly what it says that your cisco does not like the proposals
> >>> sent by openswan end. Verify your cisco side settings (encryption
> >>> algo, hash algo and DH groups) with the ones you set with openswan
> >>> and see if there is any mismatch.
> >>>
> >> Thanks Avesh. I'm looking. But I can't see the mismatch yet. The Cisco (I'm
> >> told) is set like this:
> >>
> >> IPsec Phase I: pre-g2-3des-sha-86400s
> >> IPsec Phase II: pfs2-esp-3des-sha-28800s
> >>
> > Is this DH group 2? Also I think "esp" is being obsoleted, so don't use
> > that. Well, you can try the following:
> >
> > phase2=esp
> > phase2alg=3DES-SHA1;modp1024

> The specs also did not mention whether to use Main Mode or Aggressive Mode.
> If this fails, try adding aggrmode=yes

AFAICT, with those Cisco ASAs that's going to be a given.  Certainly,
that's all vpnc supports and that's the designated client for them.

Recursing back to earlier discussions around this, the whole single
proposal thing seems problematical and a theme in a number of these
calls, once you get into aggressive mode.  We now know that we can, in
fact, generate multiple proposals, provided the DH group is at least
kept constant, since that's what vpnc is doing.  Fixing that would seem
to cover a wealth of sins with these Cisco boxes.  Any hope for that?
I'm looking at some other aggressive mode and config server issues but I
stuck my nose into that particular stretch of code in pluto and it
looked a little on the intimidating side to just roll my sleeves up
and dig into.

> Paul

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
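As an added illustration that is not part of the thread or of Openswan's own documentation, here is an ipsec.conf conn that maps the Cisco policy quoted above ("pre-g2-3des-sha-86400s" for Phase I, "pfs2-esp-3des-sha-28800s" for Phase II) onto Openswan keywords, using Paul's phase2alg suggestion and aggressive mode. All addresses, subnets and the left ID are placeholders (RFC 5737 ranges) and are assumptions to be replaced with real values.

```ini
# Added example (not from the thread): Openswan conn mirroring the ASA policy.
# 3DES / SHA-1 / modp1024 are legacy choices and appear here only because they
# are what the quoted Cisco policy requires; stronger settings need a peer change.
conn cisco-asa
    type=tunnel
    keyexchange=ike
    authby=secret                    # "pre": pre-shared key kept in /etc/ipsec.secrets
    aggrmode=yes                     # the thread expects Aggressive Mode with these ASAs
    # Phase 1 (IKE): "pre-g2-3des-sha-86400s" = 3DES, SHA-1, DH group 2, 86400 s
    ike=3des-sha1;modp1024
    ikelifetime=86400s
    # Phase 2 (IPsec): "pfs2-esp-3des-sha-28800s" = ESP 3DES/SHA-1, PFS group 2, 28800 s
    phase2=esp
    phase2alg=3des-sha1;modp1024
    pfs=yes
    salifetime=28800s
    left=%defaultroute               # this Ubuntu host (placeholder)
    leftid=@ubuntu-gw                # assumed FQDN-style ID; must match the ID the ASA expects
    leftsubnet=192.0.2.0/24          # placeholder local network
    right=203.0.113.10               # placeholder ASA outside address
    rightsubnet=198.51.100.0/24      # placeholder network behind the ASA
    auto=start
```

Listing exactly one algorithm set in ike= and phase2alg= keeps pluto offering a single proposal with a constant DH group, which sidesteps the multiple-proposal problem discussed above; the matching PSK goes in /etc/ipsec.secrets as `@ubuntu-gw 203.0.113.10 : PSK "..."` (placeholder values).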

