[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Whit Blauvelt whit at transpect.com
Tue Mar 9 16:17:04 EST 2010


On Tue, Mar 09, 2010 at 02:57:23PM -0500, Avesh Agarwal wrote:

> Could you please enable plutodebug=all and check "ipsec barf" what
> kind of error it shows. Because that should not happen, and that may
> be just because of some typo somewhere. Also don't forget to disable
> plutodebug once you know the error.

Appreciate your patience. I've had plutodebug=all set, but had forgotten
about the "ipsec barf" command. Unfortunately that puts out so much stuff,
I'm not sure where to look - and imagine it would be abusive to post the
whole output here, plus it's got scores of instances of IP info I'd have to
obfuscate.

Meanwhile, I've got one variant of an ipsec.conf file that gets farther along.
This is with simply:

     phase2=esp
     phase2alg=3DES-SHA1

That's in place of esp=3DES-SHA1. (Which should be precisely the same thing,
right?)

Result looks better, but it's not fully there yet:

# ipsec auto --up cisco
104 "cisco" #1: STATE_MAIN_I1: initiate
003 "cisco" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cisco" #1: received Vendor ID payload [Cisco-Unity]
003 "cisco" #1: received Vendor ID payload [XAUTH]
003 "cisco" #1: ignoring unknown Vendor ID payload [a8f33953453506b058872decc58a71b1]
003 "cisco" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
108 "cisco" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]
004 "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "cisco" #2: STATE_QUICK_I1: initiate
004 "cisco" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa50df37c <0xc4054af2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

However, it's failing to create an ipsec0 interface, as freeswan would have
done by that point, IIRC.

Regards,
Whit
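
Added example, not part of the original message or of Openswan: a Python sketch that parses the pluto status lines quoted above and reports which SAs reached "established" and with which negotiated parameters. The function names are hypothetical, the sample is a subset of the output above, and the `spi_out`/`spi_in` labels assume that `>` and `<` mark the outbound and inbound SPI.

```python
import re

# Subset of the `ipsec auto --up cisco` output quoted in the message above.
SAMPLE = '''\
104 "cisco" #1: STATE_MAIN_I1: initiate
003 "cisco" #1: received Vendor ID payload [XAUTH]
108 "cisco" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "cisco" #2: STATE_QUICK_I1: initiate
004 "cisco" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa50df37c <0xc4054af2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
'''

LINE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE = re.compile(r'^(STATE_\w+): (.*)$')
BRACES = re.compile(r'\{([^}]*)\}')

def parse_params(text):
    """Turn the {...} trailer into a dict of negotiated parameters."""
    params = {}
    for tok in text.split():
        if tok.startswith('<'):              # bare "<0x..." token (assumed inbound SPI)
            params['spi_in'] = tok[1:]
        elif '=' in tok:
            key, val = tok.split('=', 1)
            if val.startswith('>'):          # "ESP=>0x..." (assumed outbound SPI)
                params['spi_out'] = val[1:]
            else:
                params[key] = val
    return params

def summarize(output):
    """Group status lines by SA number (#1, #2, ...) and record their progress."""
    sas = {}
    for raw in output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sa = sas.setdefault(int(m['sa']), {'conn': m['conn'], 'states': [],
                                           'established': None, 'params': {}})
        st = STATE.match(m['msg'])
        if not st:
            continue                         # Vendor ID notices carry no state
        sa['states'].append(st[1])
        if 'established' in st[2]:
            sa['established'] = st[2].split(' established')[0].split(', ')[-1]
            b = BRACES.search(st[2])
            sa['params'] = parse_params(b[1]) if b else {}
    return sas

def both_phases_up(sas):
    """True when one SA reports 'ISAKMP SA' and another 'IPsec SA' established."""
    return {'ISAKMP SA', 'IPsec SA'} <= {s['established'] for s in sas.values()}
```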

