[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Avesh Agarwal avagarwa at redhat.com
Tue Mar 9 16:20:31 EST 2010


On 03/09/2010 04:17 PM, Whit Blauvelt wrote:
> On Tue, Mar 09, 2010 at 02:57:23PM -0500, Avesh Agarwal wrote:
>
>    
>> Could you please enable plutodebug=all and check "ipsec barf" what
>> kind of error it shows. Because that should not happen, and that may
>> be just because of some typo somewhere. Also don't forget to disable
>> plutodebug once you know the error.
>>      
> Appreciate your patience. I've had plutodebug=all set, but had forgotten
> about the "ipsec barf" command. Unfortunately that puts out so much stuff,
> I'm not sure where to look - and imagine it would be abusive to post the
> whole output here, plus it's got scores of instances of IP info I'd have to
> obfuscate.
>
> Meanwhile, I've got one variant on an ipsec.conf file that gets farther along.
> This is with simply:
>
>       phase2=esp
>       phase2alg=3DES-SHA1
>
> That's in place of esp=3DES-SHA1. (Which should be precisely the same thing,
> right?)
>
> Result looks better, but it's not fully there yet:
>
> # ipsec auto --up cisco
> 104 "cisco" #1: STATE_MAIN_I1: initiate
> 003 "cisco" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 106 "cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "cisco" #1: received Vendor ID payload [Cisco-Unity]
> 003 "cisco" #1: received Vendor ID payload [XAUTH]
> 003 "cisco" #1: ignoring unknown Vendor ID payload [a8f33953453506b058872decc58a71b1]
> 003 "cisco" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 108 "cisco" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]
> 004 "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 117 "cisco" #2: STATE_QUICK_I1: initiate
> 004 "cisco" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa50df37c<0xc4054af2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
>
>    
It seems OK.

> However, it's failing to create an ipsec0 interface, as freeswan would have
> done by that point, IIRC.
>    

With netkey, there won't be ipsec0. You will have to use KLIPS for that.

Regards
Avesh
> Regards,
> Whit
>    
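Added example, not part of the thread: a small parser for the `ipsec auto --up` transcript quoted above that confirms both IKE phases completed and pulls out the negotiated algorithms and SPIs, so a reader can check the result without wading through `ipsec barf`. The sample input is the transcript from the post (constructed here as a string); the legacy-algorithm tags are the example's own choice.

```python
import re

# Constructed sample: the "ipsec auto --up cisco" transcript quoted in the thread.
SAMPLE_OUTPUT = """\
104 "cisco" #1: STATE_MAIN_I1: initiate
003 "cisco" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
003 "cisco" #1: received Vendor ID payload [Cisco-Unity]
003 "cisco" #1: received Vendor ID payload [Dead Peer Detection]
004 "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "cisco" #2: STATE_QUICK_I1: initiate
004 "cisco" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa50df37c<0xc4054af2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

STATE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<state>STATE_\w+): (?P<rest>.*)$')
VID_RE = re.compile(r'Vendor ID payload \[(?P<vid>[^\]]+)\]')
ISAKMP_RE = re.compile(r'\{auth=(?P<auth>\S+) cipher=(?P<cipher>\S+) prf=(?P<prf>\S+) group=(?P<group>\S+)\}')
ESP_RE = re.compile(r'\{ESP=>(?P<spi_out>0x[0-9a-f]+)<(?P<spi_in>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+)')

# Algorithm tags this example treats as legacy when they show up in a negotiated SA.
LEGACY_TAGS = ("3des", "modp1024")


def parse_pluto_output(text):
    """Summarise a pluto transcript: phase 1 / phase 2 parameters and peer vendor IDs."""
    summary = {"conn": None, "phase1": None, "phase2": None, "vendor_ids": []}
    for line in text.splitlines():
        vid = VID_RE.search(line)
        if vid:
            summary["vendor_ids"].append(vid.group("vid"))
        m = STATE_RE.match(line)
        if not m:
            continue
        summary["conn"] = m.group("conn")
        rest = m.group("rest")
        if m.group("state") == "STATE_MAIN_I4" and "ISAKMP SA established" in rest:
            p = ISAKMP_RE.search(rest)          # phase 1 (IKE) parameters
            summary["phase1"] = p.groupdict() if p else {}
        elif m.group("state") == "STATE_QUICK_I2" and "IPsec SA established" in rest:
            p = ESP_RE.search(rest)             # phase 2 (ESP) SPIs and transform
            summary["phase2"] = p.groupdict() if p else {}
    return summary


def legacy_algorithms(summary):
    """Return 'phase.key=value' entries whose value uses one of LEGACY_TAGS."""
    flagged = []
    for phase in ("phase1", "phase2"):
        for key, value in (summary[phase] or {}).items():
            if any(tag in value.lower() for tag in LEGACY_TAGS):
                flagged.append(f"{phase}.{key}={value}")
    return flagged


if __name__ == "__main__":
    s = parse_pluto_output(SAMPLE_OUTPUT)
    print("tunnel up:", s["phase1"] is not None and s["phase2"] is not None)
    print("legacy parameters:", legacy_algorithms(s))
```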