[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510
Whit Blauvelt
whit at transpect.com
Tue Mar 9 14:39:45 EST 2010
Craig,
Thanks. Hadn't looked at "man ipsec.conf". Unfortunately, when I get rid of
the esp= and replace it with phase2= and phase2alg= lines as suggested, I
end up with:
# ipsec auto --up cisco
000 initiating all conns with alias='cisco'
021 no connection named "cisco"
This is bizarre, since the ipsec.conf file is so little changed - just those
few lines. It now looks like:
version 2.0
# basic configuration
config setup
    klipsdebug="none"
    plutodebug="all"
    uniqueids=yes
    protostack=netkey
conn cisco
    type=tunnel
    left=xx.xx.xx.114 #your IP
    leftsubnet=192.168.1.0/24
    leftnexthop=xx.xx.xx.97
    leftid=@<fqdn>
    right=yy.yy.yy.222 # IP address of Cisco ASA 5510
    rightsubnet=zz.zz.zz.192/26 # LAN behind Cisco
    rightid=yy.yy.yy.222
    keyingtries=0
    pfs=yes
    auto=add
    phase2=esp
    phase2alg=3DES-SHA1-modp1024
    ike=3DES-SHA1
    authby=secret
I am on 64bit Ubuntu as you are (although 8.04).
Regards,
Whit
On Tue, Mar 09, 2010 at 01:57:34PM -0500, Craig Constantine wrote:
> >Is this DH group 2? Also I think "esp" is being obsoleted, so don't
> >use that. Well, you can try the following:
> >
> >phase2=esp phase2alg=3DES-SHA1;modp1024
>
> Whit,
>
> Avesh and I are saying the same thing about specifying the modpNBITS.
>
> I'm using Ubuntu 9.10 server 64bit. I could only make the config
> work with "A-B-C" (as in my previous message). The man pages say
> "A-B;C" as Avesh has shown. But mine does not work with the
> semicolon, I get an error about parsing of the config file failing
> when I try to start ipsec.
>
> Also, Avesh makes a good point about the esp deprecation... All my
> configs use "ike=..." and "phase2alg=..." and here I recall the
> man page being correct about which config keys are aliases to which
> others, and which are deprecated.
>
> -craig
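The thread turns on two details of ipsec.conf(5) syntax: a conn is only recognized when its parameter lines are indented under the "conn name" header, and the phase2alg value can be written either as "A-B;C" (man page) or "A-B-C" (the form Craig reports working). The following Python script is an added example, not code from the thread or from the Openswan project. It parses an Openswan-style ipsec.conf into sections, lists the conn names it actually finds, and flags key=value lines that lost their indentation (which is what happens when a config is pasted into mail or copied from a web page). The sample configs and IP addresses are constructed, and the split_phase2alg helper's split rules are this example's own, not Openswan's parser.

```python
# Added example: a small checker for Openswan-style ipsec.conf files.
# It lists the conn sections a file defines and flags parameter lines that
# are not indented, since ipsec.conf(5) requires parameter lines to be
# indented under their section header.  Sample configs are constructed;
# split_phase2alg and its rules are this example's own, not Openswan's.
import re

SECTION_RE = re.compile(r'^(config|conn)\s+(\S+)\s*$')


def parse_ipsec_conf(text):
    """Return (sections, orphans).

    sections maps (type, name) -> {key: value} for every indented key=value
    line under that header.  orphans lists (lineno, text) for key=value lines
    that are not indented and therefore belong to no section.
    """
    sections = {}
    orphans = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split('#', 1)[0].rstrip()   # drop trailing '# ...' comments
        if not code.strip():
            continue
        header = SECTION_RE.match(code)
        if header:
            current = (header.group(1), header.group(2))
            sections.setdefault(current, {})
            continue
        if code.startswith('version'):
            current = None
            continue
        key, sep, value = code.strip().partition('=')
        if not sep:
            continue                            # not a parameter line; ignore
        if code[0] in ' \t' and current is not None:
            sections[current][key.strip()] = value.strip()
        else:
            orphans.append((lineno, code.strip()))
            current = None                      # an unindented line ends the section
    return sections, orphans


def conn_names(text):
    """Names of all 'conn' sections that actually carry parameters."""
    sections, _ = parse_ipsec_conf(text)
    return sorted(name for (kind, name), params in sections.items()
                  if kind == 'conn' and params)


def split_phase2alg(value):
    """Split 'ENC-HASH;modpN' or 'ENC-HASH-modpN' (both forms appear in the
    thread) into (enc, hash, group); group is None when absent."""
    value = value.strip()
    if ';' in value:
        algs, _, group = value.partition(';')
    else:
        parts = value.split('-')
        if len(parts) == 3 and parts[2].lower().startswith('modp'):
            algs, group = '-'.join(parts[:2]), parts[2]
        else:
            algs, group = value, ''
    enc, _, hsh = algs.partition('-')
    return enc, hsh, group or None


# Constructed sample in the shape of the config in the thread (documentation
# addresses instead of real ones).
INDENTED = """\
version 2.0
config setup
\tprotostack=netkey
conn cisco
\ttype=tunnel
\tleft=192.0.2.114    # your IP (constructed value)
\tleftsubnet=192.168.1.0/24
\tright=198.51.100.222
\tphase2=esp
\tphase2alg=3DES-SHA1-modp1024
\tike=3DES-SHA1
\tauthby=secret
\tauto=add
"""

# The same content with its indentation lost.
FLAT = INDENTED.replace('\t', '')


def report(text):
    """Human-readable summary used when the script is run directly."""
    _, orphans = parse_ipsec_conf(text)
    lines = ['conns defined: %s' % (', '.join(conn_names(text)) or '(none)')]
    for lineno, line in orphans:
        lines.append('line %d is not indented and belongs to no section: %s'
                     % (lineno, line))
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(INDENTED))
    print('---')
    print(report(FLAT))
```

Run against the indented sample the script reports one conn, "cisco"; run against the flattened copy it reports no conns and lists every parameter line as belonging to no section, which is the symptom "no connection named" points at when a file looks otherwise unchanged. The checker reads only the file, so it is safe to run on a production ipsec.conf before restarting the daemon.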