[Openswan Users] Cisco ASA incompatibility

Daren Hickman DarenHickman at ruggedcom.com
Thu Sep 2 13:54:14 EDT 2010


I have an Openswan connection running Openswan U2.4.13/K2.6.26-2-gx1 (netkey) to a Cisco ASA 5500 running version 8.3(2). When the Cisco initiates the connection everything works fine; when the Openswan initiates the connection the Cisco complains there are no acceptable phase 2 proposals and the tunnel won't come up. I believe this is a bug in the Cisco software. I have two questions: has anyone seen this before? And is there a workaround for this problem? See the Openswan and Cisco log entries below.

Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: received Vendor ID payload [Cisco-Unity]
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: received Vendor ID payload [XAUTH]
Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: ignoring unknown Vendor ID payload [dcd8bedf46899e9ca08351dc49a8db59]
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: I did not send a certificate because I do not have one.
Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 31 11:29:46 cju01u03router pluto[32128]: #3257: received Vendor ID payload [Dead Peer Detection]
Aug 31 11:29:46 cju01u03router pluto[32128]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: Main mode peer ID is ID_IPV4_ADDR: '192.168.77.62'
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1024}
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3258: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3257}
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: received and ignored informational message
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: received Delete SA payload: deleting ISAKMP State #3257
Aug 31 11:29:46 cju01u03router pluto[32128]: packet from xxx.xxx.xxx.xxx:500: received and ignored informational message
Aug 31 11:29:57 cju01u03router pluto[32128]:  #3256: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

The error messages from the Cisco side are below

Aug 30 2010 09:24:13: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Aug 30 2010 09:24:13: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Aug 30 2010 09:24:13: %ASA-5-713904: IP = 192.168.77.1, Received encrypted packet with no matching SA, dropping
Aug 30 2010 09:24:13: %ASA-6-713172: Group = 192.168.77.1, IP = 192.168.77.1, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
Aug 30 2010 09:24:13: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 192.168.77.1
Aug 30 2010 09:24:13: %ASA-5-713119: Group = 192.168.1.1, IP = 192.168.1.1, PHASE 1 COMPLETED
Aug 30 2010 09:24:13: %ASA-5-713904: Group = 192.168.1.1, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
Aug 30 2010 09:24:13: %ASA-3-713902: Group = 192.168.1.1, IP = 192.168.1.1, QM FSM error (P2 struct &0x73b08de0, mess id 0xe7a6660d)!
Aug 30 2010 09:24:13: %ASA-3-713902: Group = 192.168.1.1, IP = 192.168.1.1, Removing peer from correlator table failed, no match!
Aug 30 2010 09:24:13: %ASA-5-713259: Group = 192.168.1.1, IP = 192.168.1.1, Session is being torn down. Reason: Phase 2 Mismatch
Aug 30 2010 09:24:13: %ASA-4-113019: Group = 192.168.1.1, Username = 192.168.1.1, IP = 192.168.1.1, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Phase 2 Mismatch
Aug 30 2010 09:24:13: %ASA-5-713904: IP = 192.168.77.1, Received encrypted packet with no matching SA, dropping
Aug 30 2010 09:24:23: %ASA-5-713904: IP = 192.168.77.1, Received encrypted packet with no matching SA, dropping



Daren Hickman
Field Applications Engineer
Ruggedcom
mobile 954-805-4948
desk  954-922-7975 x101
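Added example, not part of the original post and not Openswan or Cisco code: a small Python triage script that reads the pluto and ASA log lines quoted above (embedded here, trimmed, as sample input) and correlates the two sides. It pulls the negotiated phase 1 parameters and the Quick Mode flags out of pluto's lines, the rejected DH group and the phase 2 verdict out of the ASA's lines, and reports where they disagree. The interpretation it prints for the phase 2 failure (PFS proposed by the initiator versus the ASA crypto map's `set pfs` setting, which only matters for whoever initiates) is a candidate explanation consistent with these logs, not a diagnosis confirmed by the thread; the DH group table follows RFC 2409 and RFC 3526.

```python
"""Correlate an IKEv1 Openswan (pluto) log with the matching Cisco ASA log.

Added example. The sample lines below are copied (trimmed) from the
mailing-list post; the findings are heuristics, not vendor-confirmed causes.
"""
import re

# IKE DH group numbers for the modp names pluto prints (RFC 2409, RFC 3526).
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
                 "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18}

P1_RE = re.compile(r"ISAKMP SA established \{auth=(\S+) cipher=(\S+) prf=(\S+) group=(\S+)\}")
QM_RE = re.compile(r"initiating Quick Mode ([A-Z+]+)")
NOTIFY_RE = re.compile(r"informational payload, type ([A-Z_]+)")
ASA_GROUP_RE = re.compile(r"Group Description:\s+Rcv'd: Group (\d+)\s+Cfg'd: Group (\d+)")
ASA_REASON_RE = re.compile(r"Reason: (.+?)\s*$")

# Sample input: lines copied from the post above (trimmed).
PLUTO_LOG = """\
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_md5 group=modp1024}
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3258: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#3257}
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Aug 31 11:29:46 cju01u03router pluto[32128]:  #3257: received Delete SA payload: deleting ISAKMP State #3257
Aug 31 11:29:57 cju01u03router pluto[32128]:  #3256: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

ASA_LOG = """\
Aug 30 2010 09:24:13: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Aug 30 2010 09:24:13: %ASA-5-713257: Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
Aug 30 2010 09:24:13: %ASA-5-713119: Group = 192.168.1.1, IP = 192.168.1.1, PHASE 1 COMPLETED
Aug 30 2010 09:24:13: %ASA-5-713904: Group = 192.168.1.1, IP = 192.168.1.1, All IPSec SA proposals found unacceptable!
Aug 30 2010 09:24:13: %ASA-5-713259: Group = 192.168.1.1, IP = 192.168.1.1, Session is being torn down. Reason: Phase 2 Mismatch
"""


def parse_pluto(text):
    """Extract phase 1 parameters, Quick Mode flags and notifications from pluto lines."""
    info = {"phase1": None, "qm_flags": [], "notifies": [], "qm_timeout": False}
    for line in text.splitlines():
        m = P1_RE.search(line)
        if m:
            info["phase1"] = dict(zip(("auth", "cipher", "prf", "group"), m.groups()))
            continue
        m = QM_RE.search(line)
        if m:
            info["qm_flags"] = m.group(1).split("+")  # e.g. PSK+ENCRYPT+TUNNEL+PFS+UP
            continue
        m = NOTIFY_RE.search(line)
        if m:
            info["notifies"].append(m.group(1))
            continue
        if "max number of retransmissions" in line and "STATE_QUICK_I1" in line:
            info["qm_timeout"] = True
    return info


def parse_asa(text):
    """Extract rejected DH groups, phase 1/2 verdicts and the teardown reason from ASA lines."""
    info = {"rejected_groups": set(), "phase1_completed": False,
            "phase2_rejected": False, "teardown_reason": None}
    for line in text.splitlines():
        m = ASA_GROUP_RE.search(line)
        if m:
            info["rejected_groups"].add((int(m.group(1)), int(m.group(2))))
        if "PHASE 1 COMPLETED" in line:
            info["phase1_completed"] = True
        if "All IPSec SA proposals found unacceptable" in line:
            info["phase2_rejected"] = True
        m = ASA_REASON_RE.search(line)
        if m:
            info["teardown_reason"] = m.group(1)
    return info


def diagnose(pluto, asa):
    """Correlate both sides; return a list of (phase, finding) tuples."""
    findings = []
    p1 = pluto["phase1"]
    if p1:
        negotiated = MODP_TO_GROUP.get(p1["group"])
        for rcvd, cfgd in sorted(asa["rejected_groups"]):
            if cfgd == negotiated and asa["phase1_completed"]:
                findings.append(("phase1", f"ASA refused DH group {rcvd}, then phase 1 completed on "
                                 f"its configured group {cfgd} ({p1['group']}): harmless, but the "
                                 f"Openswan ike= list offers a group the ASA isakmp policies lack"))
            else:
                findings.append(("phase1", f"ASA refused DH group {rcvd} (configured {cfgd}) while "
                                 f"pluto reports group {p1['group']}: phase 1 parameters disagree"))
    if ("PFS" in pluto["qm_flags"] and asa["phase2_rejected"]
            and "NO_PROPOSAL_CHOSEN" in pluto["notifies"]):
        # Candidate cause (heuristic): PFS is only offered by the initiator, so a
        # crypto map entry without a matching 'set pfs' fails only in this direction.
        findings.append(("phase2", "Openswan initiated Quick Mode with PFS and the ASA rejected "
                         "every IPsec SA proposal with NO_PROPOSAL_CHOSEN; verify the ASA crypto "
                         "map entry has 'set pfs' with the group Openswan proposes (pfsgroup=), "
                         "or set pfs=no on the Openswan conn if the ASA entry has no PFS"))
    elif asa["phase2_rejected"]:
        findings.append(("phase2", "ASA rejected the IPsec SA proposal; compare the ESP transform "
                         "set and the traffic selectors on both sides"))
    return findings


if __name__ == "__main__":
    for phase, text in diagnose(parse_pluto(PLUTO_LOG), parse_asa(ASA_LOG)):
        print(f"[{phase}] {text}")
```

Run it against full logs by replacing the two embedded strings with the contents of `/var/log/auth.log` (or wherever pluto logs) and the ASA syslog export; the phase 1 finding is informational here, the phase 2 finding is the one to act on.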



