[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Whit Blauvelt whit at transpect.com
Tue Mar 9 16:17:04 EST 2010

On Tue, Mar 09, 2010 at 02:57:23PM -0500, Avesh Agarwal wrote:

> Could you please enable plutodebug=all and check "ipsec barf" what
> kind of error it shows. Because that should not happen, and that may
> be just because of some typo somewhere. Also dont forget to disable
> plutodebug once you know the error.

Appreciate your patience. I've had plutodebug=all set, but had forgotten
about the "ipsec barf" command. Unfortunately that puts out so much stuff,
I'm not sure where to look - and imagine it would be abusive to post the
whole output here, plus it's got scores of instances of IP info I'd have to

Meanwhile, I've got on variant on a ipsec.conf file that gets farther along.
This is with simply:


That's in place of esp=3DES-SHA1. (Which should be precisely the same thing,

Result looks better, but it's not fully there yet:

# ipsec auto --up cisco
104 "cisco" #1: STATE_MAIN_I1: initiate
003 "cisco" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cisco" #1: received Vendor ID payload [Cisco-Unity]
003 "cisco" #1: received Vendor ID payload [XAUTH]
003 "cisco" #1: ignoring unknown Vendor ID payload [a8f33953453506b058872decc58a71b1]
003 "cisco" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
108 "cisco" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]
004 "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "cisco" #2: STATE_QUICK_I1: initiate
004 "cisco" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa50df37c <0xc4054af2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

However, it's failing to create an ipsec0 interface, as freeswan would have
done by that point, IIRC.


More information about the Users mailing list