[Openswan Users] Trying to get Openswan working Ubuntu to Cisco ASA 5510

Avesh Agarwal avagarwa at redhat.com
Wed Mar 10 14:17:44 EST 2010


On 03/09/2010 02:25 PM, Michael H. Warfield wrote:
> Hey Paul,
>
> On Tue, 2010-03-09 at 13:56 -0500, Paul Wouters wrote:
>    
>> On Tue, 9 Mar 2010, Avesh Agarwal wrote:
>>
>>      
>>>>>> No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>>>>>>
>>>>>>              
>>>>> Exactly what it says: your Cisco does not like the proposals
>>>>> sent by the Openswan end. Verify your Cisco side settings (encryption
>>>>> algo, hash algo and DH groups) against the ones you set in Openswan
>>>>> and see if there is any mismatch.
>>>>>
>>>>>            
>>>> Thanks Avesh. I'm looking. But I can't see the mismatch yet. The Cisco (I'm
>>>> told) is set like this:
>>>>
>>>> IPsec Phase I: pre-g2-3des-sha-86400s
>>>> IPsec Phase II: pfs2-esp-3des-sha-28800s
>>>>
>>>>          
>>> Is this DH group 2? Also I think "esp" is being obsoleted, so don't use
>>> that. Well, you can try the following:
>>>
>>> phase2=esp
>>> phase2alg=3DES-SHA1;modp1024
>>>        
>    
>> The specs also did not mention whether to use Main Mode or Aggressive Mode.
>> If this fails, try adding aggrmode=yes
>>      
> AFAICT, with those Cisco ASAs that's going to be a given.  Certainly,
> that's all vpnc supports, and that's the designated client for them.
>
> Recursing back to earlier discussions around this, the whole single
> proposal thing seems problematic and a theme in a number of these
> calls, once you get into aggressive mode.  We now know that we can, in
> fact, generate multiple proposals, provided the DH group is at least
> kept constant, since that's what vpnc is doing.  Fixing that would seem
> to cover a wealth of sins with these Cisco boxes.  Any hope for that?
>    
Mostly I have noticed that the "encryption-hash" algo proposal is not the 
problem when communicating with Cisco boxes, because in general 
administrators configure more than one "encryption-hash" proposal to 
choose from. So mostly the mismatch is the DH group in phase 2 (quick mode), 
which cannot be negotiated as per the RFC, and a client must configure 
exactly what the server wants.

Sometimes this may not be a problem, when the server initiates 
phase 2 so that the client knows which DH group the server is expecting (it 
seems like this is how vpnc does it). However, in Openswan, if the client 
initiates the first phase, most probably the client initiates phase 2 
too, and then the Openswan client has to make a choice (or guess, based on 
the first-phase DH group) as to what the server might expect. If somehow the server 
has configured "different" DH groups for phase 1 and phase 2, mostly 
you will get a "NO_PROPOSAL_CHOSEN" message.

One way to deal with this may be to "retry" with a different DH group if 
the first one fails, or to wait a little bit so that the server can initiate 
phase 2.

In summary, I feel that this is not an Openswan issue, but the way the 
standard works.

My 2 cents.

Avesh
> I'm looking at some other aggressive mode and config server issues, but I
> stuck my nose into that particular stretch of code in pluto and it
> looked a little on the intimidating side to just roll my sleeves up
> and dig into.
>
>    
>> Paul
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>      
>    

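An added example, not from the thread or from the Openswan project: a small script that turns the policy shorthand quoted above ("pre-g2-3des-sha-86400s" for phase 1, "pfs2-esp-3des-sha-28800s" for phase 2) into the matching Openswan conn block, using the ike=/phase2alg= syntax with an explicit DH group that Avesh suggested and the aggrmode=yes that Paul suggested, and that flags the case Avesh describes where the phase 2 PFS group differs from the phase 1 group. The layout of the shorthand (auth-group-cipher-hash-lifetime for phase 1; optional PFS group, then protocol-cipher-hash-lifetime for phase 2) is assumed from the two strings in the thread, and the conn name "asa" is made up.

```python
"""Translate the thread's Cisco policy shorthand into an Openswan conn block.

Added example; the shorthand layout and the conn name are assumptions,
not something the Openswan project or the Cisco CLI defines.
"""
import re

DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
CIPHERS = {"des": "des", "3des": "3des", "aes": "aes128", "aes128": "aes128",
           "aes192": "aes192", "aes256": "aes256"}
HASHES = {"sha": "sha1", "sha1": "sha1", "md5": "md5"}

# Assumed layout: auth - DH group - cipher - hash - lifetime, e.g. "pre-g2-3des-sha-86400s"
P1_RE = re.compile(r"^(pre|rsa)-g(\d+)-([a-z0-9]+)-([a-z0-9]+)-(\d+)s$")
# Assumed layout: optional PFS group - proto - cipher - hash - lifetime, e.g. "pfs2-esp-3des-sha-28800s"
P2_RE = re.compile(r"^(?:pfs(\d+)-)?(esp|ah)-([a-z0-9]+)-([a-z0-9]+)-(\d+)s$")


def parse_phase1(spec):
    """Phase 1 (ISAKMP SA) policy -> dict of Openswan-side values."""
    m = P1_RE.match(spec.lower())
    if not m:
        raise ValueError("unrecognised phase 1 spec: %r" % spec)
    auth, group, cipher, hash_, life = m.groups()
    return {
        "authby": "secret" if auth == "pre" else "rsasig",
        "group": DH_GROUPS[group],
        "cipher": CIPHERS[cipher],
        "hash": HASHES[hash_],
        "lifetime": int(life),
    }


def parse_phase2(spec):
    """Phase 2 (IPsec SA) policy -> dict; pfs_group is None when PFS is off."""
    m = P2_RE.match(spec.lower())
    if not m:
        raise ValueError("unrecognised phase 2 spec: %r" % spec)
    pfs, proto, cipher, hash_, life = m.groups()
    return {
        "pfs_group": DH_GROUPS[pfs] if pfs else None,
        "proto": proto,
        "cipher": CIPHERS[cipher],
        "hash": HASHES[hash_],
        "lifetime": int(life),
    }


def check_groups(p1, p2):
    """Flag the mismatch discussed in the thread: a phase 2 PFS group that
    differs from the phase 1 group. Quick mode cannot negotiate the group,
    so an initiator that guesses the phase 1 group gets NO_PROPOSAL_CHOSEN."""
    warnings = []
    if p2["pfs_group"] and p2["pfs_group"] != p1["group"]:
        warnings.append("phase 2 PFS group %s differs from phase 1 group %s; "
                        "pin it explicitly in phase2alg"
                        % (p2["pfs_group"], p1["group"]))
    return warnings


def to_conn(name, p1, p2, aggressive=False):
    """Render an ipsec.conf conn section with the DH group pinned in both
    ike= and phase2alg= so the peer gets exactly one, matching proposal."""
    lines = [
        "conn %s" % name,
        "\tauthby=%s" % p1["authby"],
        "\tike=%s-%s;%s" % (p1["cipher"], p1["hash"], p1["group"]),
        "\tikelifetime=%ds" % p1["lifetime"],
        "\tphase2=%s" % p2["proto"],
    ]
    if p2["pfs_group"]:
        lines.append("\tpfs=yes")
        lines.append("\tphase2alg=%s-%s;%s" % (p2["cipher"], p2["hash"], p2["pfs_group"]))
    else:
        lines.append("\tpfs=no")
        lines.append("\tphase2alg=%s-%s" % (p2["cipher"], p2["hash"]))
    lines.append("\tsalifetime=%ds" % p2["lifetime"])
    if aggressive:
        lines.append("\taggrmode=yes")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The two policies quoted in the thread for the Cisco ASA side.
    p1 = parse_phase1("pre-g2-3des-sha-86400s")
    p2 = parse_phase2("pfs2-esp-3des-sha-28800s")
    for w in check_groups(p1, p2):
        print("warning:", w)
    print(to_conn("asa", p1, p2, aggressive=True))
```

The point of pinning the group after the semicolon in phase2alg= is that Openswan then sends the PFS group the ASA is configured for instead of reusing the phase 1 group; if the ASA's phase 2 policy says pfs5 while phase 1 uses group 2, check_groups() reports it and the rendered block carries modp1536 in phase2alg= rather than modp1024.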