[Openswan Users] Cisco ASA incompatibility
Paul Wouters
paul at xelerance.com
Thu Sep 2 17:47:59 EDT 2010
On Thu, 2 Sep 2010, Daren Hickman wrote:
> I have an Openswan connection running Openswan U2.4.13/K2.6.26-2-gx1 (netkey) to a Cisco ASA 5500 running version 8.3(2). When the cisco initiates
> the connection everything works fine, when the opswan initiates the connection the cisco complains there are no acceptable phase 2 proposals and the
> tunnel won’t come up. I believe this is a bug in the Cisco software. I have two questions has anyone seen this before? And is there a work around
> for this problem? See the openswan and cisco log entries below?
So check what parameters the cisco is giving openswan. openswan has a list of them it
allows. Then make sure using esp= and ike= settings that those are the only ones
that openswan sends as initiator.
> 30 2010 09:24:13: %ASA-5-713257: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Looks like you have a wrong pfgroup. Either configure the cisco to allow group 5 instead of group 2
or use an esp/ike line with modp1024 (for group 2)
Paul
More information about the Users
mailing list