[Openswan Users] VPN newbie trying to do site to site with Cisco ASA
Nick Wiltshire
nick at customdesigns.ca
Wed Nov 30 10:46:56 EST 2011
I am in need of help as to why this won't work. I am attempting to connect to
a Cisco ASA device that is known to be working (others can use it).
This is on a Gentoo machine. The firewall has been disabled for testing.
The addresses involved will be changed to:
My machine: 1.1.1.1
My internet gateway: 1.1.1.2
Remote Cisco device: 2.2.2.2
Remote machine I should be able to reach: 3.3.3.3 (with an app listening on
8888 for my connection)
My ipsec.conf:
Code:
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    #protostack=netkey
    #nat_traversal=yes
    #virtual_private=
    #oe=off
    # Enable this if you see "failed to find any available worker"
    #nhelpers=0

conn cisco # Here is the Name of the VPN connection.
    type=tunnel
    authby=secret
    # Left security gateway (Linux side)
    left=1.1.1.1
    leftsubnet=1.1.1.1/32 # Net address presented to the other side
    leftnexthop=1.1.1.2 # Real IP gateway
    # Right security gateway (ASA side)
    right=2.2.2.2 # ASA IP
    rightsubnet=3.3.3.0/24 # Net address assigned to the other side
    rightnexthop=1.1.1.2 # Real IP gateway
    # Type of cryptography used on the VPN tunnel
    esp=3des-md5-96
    keyexchange=ike
    pfs=no
    auto=start
My secrets file:
Code:
1.1.1.1 2.2.2.2: PSK "magic Key"
Then I run:
Code:
/etc/init.d/ipsec start
My first question: should I be getting a new net device when I connect? All I
get is a new route:
Code:
3.3.3.0 1.1.1.2. 255.255.255.0 UG 0 0 0 eth0
When I run the init script I get this in auth.log:
Code:
/etc/init.d/ipsec start
* Starting IPSEC ... ...
ipsec_setup: Starting Openswan IPsec 2.4.15...
Nov 29 08:06:36 testslave ipsec__plutorun: Starting Pluto subsystem...
Nov 29 08:06:36 testslave ipsec__plutorun: Unknown default RSA hostkey scheme,
not generating a default hostkey
Nov 29 08:06:36 testslave pluto[29151]: Starting Pluto (Openswan Version
2.4.15 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE}xT`Pu{prE)
Nov 29 08:06:36 testslave pluto[29151]: Setting NAT-Traversal port-4500
floating to off
Nov 29 08:06:36 testslave pluto[29151]: port floating activation criteria
nat_t=0/port_fload=1
Nov 29 08:06:36 testslave pluto[29151]: including NAT-Traversal patch
(Version 0.6c) [disabled]
Nov 29 08:06:36 testslave pluto[29151]: ike_alg_register_enc(): Activating
OAKLEY_AES_CBC: Ok (ret=0)
Nov 29 08:06:36 testslave pluto[29151]: starting up 3 cryptographic helpers
Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29153 (fd:6)
Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29154 (fd:7)
Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29155 (fd:8)
Nov 29 08:06:36 testslave pluto[29151]: Using NETKEY IPsec interface code on
2.6.31.6
Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
'/etc/ipsec/ipsec.d/cacerts'
Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
'/etc/ipsec/ipsec.d/aacerts'
Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
'/etc/ipsec/ipsec.d/ocspcerts'
Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
'/etc/ipsec/ipsec.d/crls'
Nov 29 08:06:36 testslave pluto[29151]: Warning: empty directory
Nov 29 08:06:36 testslave pluto[29151]: loading secrets from
"/etc/ipsec/ipsec.secrets"
Nov 29 08:06:36 testslave pluto[29151]: added connection description "cisco"
[ ok ]
Nov 29 08:06:36 testslave pluto[29151]: listening for IKE messages
Nov 29 08:06:36 testslave pluto[29151]: adding interface eth0/eth0 1.1.1.1:500
Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo 127.0.0.1:500
Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo ::1:500
Nov 29 08:06:36 testslave pluto[29151]: forgetting secrets
Nov 29 08:06:36 testslave pluto[29151]: loading secrets from
"/etc/ipsec/ipsec.secrets"
Nov 29 08:06:36 testslave pluto[29151]: "cisco" #1: initiating Main Mode
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID payload
[FRAGMENTATION c0000000]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload
[Cisco-Unity]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload
[XAUTH]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring unknown Vendor ID
payload [d3e6aae7997ac360bc9045ccb5c211db]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID payload
[Cisco VPN 3000 Series]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: I did not send a
certificate because I do not have one.
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload
[Dead Peer Detection]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: Main mode peer ID is
ID_IPV4_ADDR: '2.2.2.2'
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring informational
payload, type NO_PROPOSAL_CHOSEN
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received and ignored
informational message
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA
payload: deleting ISAKMP State #1
Nov 29 08:06:37 testslave pluto[29151]: packet from 2.2.2.2:500: received and
ignored informational message
Then I attempt to telnet:
Code:
# telnet 3.3.3.3 8888
Trying 3.3.3.3...
And the log:
Code:
Nov 29 08:06:44 testslave pluto[29151]: initiate on demand from 1.1.1.1:0 to
3.3.3.3:0 proto=0 state: fos_start because: acquire
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: initiating Main Mode
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID payload
[FRAGMENTATION c0000000]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I2: sent MI2,
expecting MR2
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload
[Cisco-Unity]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload
[XAUTH]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring unknown Vendor ID
payload [c5d84faa8d5901d3cc816c033fb9efb1]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID payload
[Cisco VPN 3000 Series]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: I did not send a
certificate because I do not have one.
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I3: sent MI3,
expecting MR3
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload
[Dead Peer Detection]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: Main mode peer ID is
ID_IPV4_ADDR: '2.2.2.2'
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #4: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring informational
payload, type NO_PROPOSAL_CHOSEN
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received and ignored
informational message
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Delete SA
payload: deleting ISAKMP State #3
Nov 29 08:06:44 testslave pluto[29151]: packet from 2.2.2.2:500: received and
ignored informational message
So, clearly it is connected (the other side sees my connection too) but I
cannot get any traffic through (the other side sees no traffic at all).
Can anyone point me in the right direction?
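As an added illustration (not part of the original post), the log above can be read mechanically: Phase 1 reaches "ISAKMP SA established", Quick Mode is initiated, and the peer answers with NO_PROPOSAL_CHOSEN and a Delete SA, which means the ASA accepted the IKE policy and PSK but rejected the Phase 2 (IPsec) proposal. The script below runs that classification over a constructed excerpt of the pluto lines; the phase labels and the INVALID_ID_INFORMATION case are my own additions.

```python
import re

# Constructed sample: the decisive pluto lines from the post above, abbreviated.
SAMPLE_LOG = """\
Nov 29 08:06:36 testslave pluto[29151]: "cisco" #1: initiating Main Mode
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA payload: deleting ISAKMP State #1
Nov 29 08:06:37 testslave pluto[29151]: packet from 2.2.2.2:500: received and ignored informational message
"""

# Pluto prefixes per-connection messages with the conn name and state number.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')

# Notify types an IKEv1 peer sends when it rejects Phase 2.
PHASE2_REJECTS = ("NO_PROPOSAL_CHOSEN", "INVALID_ID_INFORMATION")


def diagnose(log_text):
    """Return {conn: (phase_label, explanation)} describing how far IKE got."""
    status = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # lines without a conn name (e.g. "packet from ...") are skipped
            continue
        s = status.setdefault(m.group("conn"),
                              {"phase1": False, "phase2_started": False,
                               "phase2_up": False, "rejected": None})
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:
            s["phase1"] = True
        elif "initiating Quick Mode" in msg:
            s["phase2_started"] = True
        elif "IPsec SA established" in msg:
            s["phase2_up"] = True
        else:
            s["rejected"] = next((n for n in PHASE2_REJECTS if n in msg), s["rejected"])
    return {conn: _verdict(s) for conn, s in status.items()}


def _verdict(s):
    if s["phase2_up"]:
        return ("phase2-up", "IPsec SA established; tunnel is usable")
    if s["phase1"] and s["phase2_started"] and s["rejected"]:
        return ("phase2-rejected",
                "peer answered Quick Mode with %s: PSK and IKE policy match, so compare "
                "the Phase 2 parameters (esp= transform, pfs=, leftsubnet/rightsubnet) "
                "with the ASA transform set and crypto ACL" % s["rejected"])
    if s["phase1"]:
        return ("phase1-only", "ISAKMP SA up but no IPsec SA negotiated")
    return ("phase1-failed", "no ISAKMP SA established")
```

Running `diagnose(SAMPLE_LOG)` on the excerpt classifies conn "cisco" as phase2-rejected, which is why the route exists but no traffic flows: there is no IPsec SA for the kernel to encrypt into, and with NETKEY no new interface appears in any case.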