[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Avesh Agarwal avagarwa at redhat.com
Tue Mar 9 14:34:19 EST 2010


On 03/09/2010 02:18 PM, Whit Blauvelt wrote:
> On Tue, Mar 09, 2010 at 01:56:02PM -0500, Paul Wouters wrote:
>
>> The specs also did not mention whether to use Main Mode or Aggressive Mode.
>> If this fails, try adding aggrmode=yes
> Thanks Paul. If that's the fix, it has implications I need to handle, since
> simply adding it to the conn section produces first:
>
> # ipsec auto --up cisco
> 024 need --listen before --initiate
>
> and then on second invocation:
>
> # ipsec auto --up cisco
> 003 "cisco" #1: multiple transforms were set in aggressive mode. Only first one used.
> 003 "cisco" #1: transform (5,2,2,0) ignored.
> 003 "cisco" #1: multiple transforms were set in aggressive mode. Only first one used.
> 003 "cisco" #1: transform (5,2,2,0) ignored.
> 112 "cisco" #1: STATE_AGGR_I1: initiate
> 003 "cisco" #1: Informational Exchange message must be encrypted
> 010 "cisco" #1: STATE_AGGR_I1: retransmission; will wait 20s for response
> 003 "cisco" #1: Informational Exchange message must be encrypted
>
Hello Whit,

Your earlier message suggested that your Cisco end is using "main mode",
because your first phase was established correctly. I believe that your main
issue is that the DH group is not set correctly for phase 2.

So either you can change "esp=3DES-SHA1" to "esp=3DES-SHA1;modp1024"

or you can remove this "esp=3DES-SHA1" and add the following:
phase2=esp
phase2alg=3des-sha1-modp1024

Thanks and Regards
Avesh
> Best,
> Whit



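The two fixes Avesh describes, placed in a complete Openswan conn section as an added example (not a configuration from the thread, from Whit, or from the Openswan project). The conn name is the one from the log; the addresses and subnets are constructed placeholders, and that the ASA expects PFS with modp1024 (DH group 2) is an assumption taken from Avesh's diagnosis rather than a fact the thread confirms.

```ini
# /etc/ipsec.conf (Openswan) -- added example, not from the thread.
# 198.51.100.10, 203.0.113.5 and the two subnets are constructed placeholders.
conn cisco
    authby=secret
    left=198.51.100.10          # this Ubuntu host (placeholder)
    leftsubnet=10.1.0.0/24      # network behind it (placeholder)
    right=203.0.113.5           # outside address of the ASA (placeholder)
    rightsubnet=10.2.0.0/24     # network behind the ASA (placeholder)

    # Phase 1: cipher;hash;DH group. Whit's log shows phase 1 came up, so
    # this only needs to match what already worked. If aggrmode=yes is
    # ever tried, the log shows why ike= must name exactly ONE transform:
    # "multiple transforms were set in aggressive mode. Only first one used."
    ike=3des-sha1;modp1024

    # Phase 2 as originally configured: no DH group named, so the PFS
    # proposal sent to the ASA does not carry a group.
    #esp=3DES-SHA1

    # Fix, form 1: append the PFS group to the esp= line (Avesh's first option).
    esp=3DES-SHA1;modp1024
    pfs=yes                     # PFS must be on for the phase 2 group to apply

    # Fix, form 2 (equivalent, Avesh's second option): drop esp= above
    # and use phase2/phase2alg instead.
    #phase2=esp
    #phase2alg=3des-sha1-modp1024

    auto=add                    # load on start; bring up with: ipsec auto --up cisco
```

Use only one of the two forms; leaving both esp= and phase2alg= active sets the same parameter twice.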