[Openswan Users] VPN newbie trying to do site to site with Cisco ASA

Paul Wouters paul at xelerance.com
Wed Nov 30 11:03:27 EST 2011


On Wed, 30 Nov 2011, Nick Wiltshire wrote:

> Date: Wed, 30 Nov 2011 10:46:56
> From: Nick Wiltshire <nick at customdesigns.ca>
> To: users at openswan.org
> Subject: [Openswan Users] VPN newbie trying to do site to site with Cisco ASA
> X-Spam-Flag: NO
> 
> I am in need of help as to why this won't work. I am attempting to connect to
> a Cisco ASA device that is known to be working (others can use it)

The other end hangs up. It does not like your configuration. You should verify you
are using the right settings. It's hard to help with that as it depends on the
other device. Also, mangling IPs can hide potential misconfigurations.

Paul

> This is on a Gentoo machine. The firewall has been disabled for testing.
>
> The addresses involved will be changed to:
> My machine: 1.1.1.1
> My internet gateway: 1.1.1.2
> Remote Cisco device: 2.2.2.2
> Remote machine I should be able to reach: 3.3.3.3 (with an app listening on
> 8888 for my connection)
>
> My ipsec.conf:
> Code:
> config setup
>        # Debug-logging controls: "none" for (almost) none, "all" for lots.
>        # klipsdebug=none
>        # plutodebug="control parsing"
>        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>        interfaces=%defaultroute
>        klipsdebug=none
>        plutodebug=none
>        #protostack=netkey
>        #nat_traversal=yes
>        #virtual_private=
>        #oe=off
>        # Enable this if you see "failed to find any available worker"
>        #nhelpers=0
>
> conn cisco # Here is the Name of the VPN connection.
>        type= tunnel
>        authby= secret
>        # Left security Linux, (Linux side)
>        left= 1.1.1.1
>        leftsubnet= 1.1.1.1/32 #Net address assigned to the other side
>        leftnexthop= 1.1.1.1.2 #Real IP Gateway
>        # Right security gateway, (ASA SIDE)
>        right= 2.2.2.2 # ASA IP
>        rightsubnet= 3.3.3.0/24 # Net address assigned to the other side
>        rightnexthop= 1.1.1.2 #Real IP Gateway
>        # Type of cryptography used on the VPN Tunnel
>        esp= 3des-md5-96
>        keyexchange= ike
>        pfs= no
>        auto= start
>
>
> My secrets file:
> Code:
> 1.1.1.1 2.2.2.2: PSK "magic Key"
>
>
> Then I run:
> Code:
> /etc/init.d/ipsec start
>
>
> My first question: should I be getting a new net device when I connect? All I
> get is a new route:
>
> Code:
> 3.3.3.0     1.1.1.2. 255.255.255.0   UG    0      0        0 eth0
>
>
> When I run the init script I get this in auth.log:
>
> Code:
>
> /etc/init.d/ipsec start
> * Starting IPSEC ... ...
> ipsec_setup: Starting Openswan IPsec 2.4.15...
> Nov 29 08:06:36 testslave ipsec__plutorun: Starting Pluto subsystem...
> Nov 29 08:06:36 testslave ipsec__plutorun: Unknown default RSA hostkey scheme,
> not generating a default hostkey
> Nov 29 08:06:36 testslave pluto[29151]: Starting Pluto (Openswan Version
> 2.4.15 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE}xT`Pu{prE)
> Nov 29 08:06:36 testslave pluto[29151]: Setting NAT-Traversal port-4500
> floating to off
> Nov 29 08:06:36 testslave pluto[29151]:    port floating activation criteria
> nat_t=0/port_fload=1
> Nov 29 08:06:36 testslave pluto[29151]:   including NAT-Traversal patch
> (Version 0.6c) [disabled]
> Nov 29 08:06:36 testslave pluto[29151]: ike_alg_register_enc(): Activating
> OAKLEY_AES_CBC: Ok (ret=0)
> Nov 29 08:06:36 testslave pluto[29151]: starting up 3 cryptographic helpers
> Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29153 (fd:6)
> Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29154 (fd:7)
> Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29155 (fd:8)
> Nov 29 08:06:36 testslave pluto[29151]: Using NETKEY IPsec interface code on
> 2.6.31.6
> Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> '/etc/ipsec/ipsec.d/cacerts'
> Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> '/etc/ipsec/ipsec.d/aacerts'
> Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> '/etc/ipsec/ipsec.d/ocspcerts'
> Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> '/etc/ipsec/ipsec.d/crls'
> Nov 29 08:06:36 testslave pluto[29151]:   Warning: empty directory
> Nov 29 08:06:36 testslave pluto[29151]: loading secrets from
> "/etc/ipsec/ipsec.secrets"
> Nov 29 08:06:36 testslave pluto[29151]: added connection description "cisco"
> [ ok ]
> Nov 29 08:06:36 testslave pluto[29151]: listening for IKE messages
> Nov 29 08:06:36 testslave pluto[29151]: adding interface eth0/eth0 1.1.1.1:500
> Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo 127.0.0.1:500
> Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo ::1:500
> Nov 29 08:06:36 testslave pluto[29151]: forgetting secrets
> Nov 29 08:06:36 testslave pluto[29151]: loading secrets from
> "/etc/ipsec/ipsec.secrets"
> Nov 29 08:06:36 testslave pluto[29151]: "cisco" #1: initiating Main Mode
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID payload
> [FRAGMENTATION c0000000]
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I2: sent MI2,
> expecting MR2
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload
> [Cisco-Unity]
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload
> [XAUTH]
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring unknown Vendor ID
> payload [d3e6aae7997ac360bc9045ccb5c211db]
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID payload
> [Cisco VPN 3000 Series]
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: I did not send a
> certificate because I do not have one.
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I3: sent MI3,
> expecting MR3
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload
> [Dead Peer Detection]
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: Main mode peer ID is
> ID_IPV4_ADDR: '2.2.2.2'
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4: ISAKMP SA
> established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
> prf=oakley_md5 group=modp1024}
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring informational
> payload, type NO_PROPOSAL_CHOSEN
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received and ignored
> informational message
> Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA
> payload: deleting ISAKMP State #1
> Nov 29 08:06:37 testslave pluto[29151]: packet from 2.2.2.2:500: received and
> ignored informational message
>
>
> Then I attempt to telnet:
> Code:
>
> # telnet 3.3.3.3 8888
> Trying 3.3.3.3...
>
>
> And the log:
> Code:
>
> Nov 29 08:06:44 testslave pluto[29151]: initiate on demand from 1.1.1.1:0 to
> 3.3.3.3:0 proto=0 state: fos_start because: acquire
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: initiating Main Mode
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID payload
> [FRAGMENTATION c0000000]
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state
> STATE_MAIN_I1 to state STATE_MAIN_I2
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I2: sent MI2,
> expecting MR2
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload
> [Cisco-Unity]
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload
> [XAUTH]
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring unknown Vendor ID
> payload [c5d84faa8d5901d3cc816c033fb9efb1]
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID payload
> [Cisco VPN 3000 Series]
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: I did not send a
> certificate because I do not have one.
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state
> STATE_MAIN_I2 to state STATE_MAIN_I3
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I3: sent MI3,
> expecting MR3
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload
> [Dead Peer Detection]
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: Main mode peer ID is
> ID_IPV4_ADDR: '2.2.2.2'
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state
> STATE_MAIN_I3 to state STATE_MAIN_I4
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I4: ISAKMP SA
> established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
> prf=oakley_md5 group=modp1024}
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #4: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring informational
> payload, type NO_PROPOSAL_CHOSEN
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received and ignored
> informational message
> Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Delete SA
> payload: deleting ISAKMP State #3
> Nov 29 08:06:44 testslave pluto[29151]: packet from 2.2.2.2:500: received and
> ignored informational message
>
>
>
> So, clearly it is connected (the other side sees my connection too) but I can
> not get any traffic through (the other side sees no traffic at all)
>
> Can anyone point me in the right direction?
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
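A small triage script, added here as an example and not part of the original thread or of Openswan's own code, that does what the reply above asks for in a mechanical way: it lints the posted `conn` block for values that do not parse as addresses (the kind of slip that mangled IPs can hide, such as the five-octet `leftnexthop`), and it walks the pluto log excerpt to record how far the IKEv1 exchange got. In the quoted log the ISAKMP SA (Phase 1) is established, Quick Mode (Phase 2) is initiated, and the peer then answers `NO_PROPOSAL_CHOSEN` and deletes the ISAKMP state; the Quick Mode proposal carries the ESP transform, the PFS setting and the two traffic selectors (`leftsubnet`/`rightsubnet`), so those are the settings to compare against the ASA side. The function names (`parse_conn`, `lint_conn`, `triage_log`, `diagnose`) are my own, and both sample inputs are constructed from the lines quoted in the thread.

```python
"""Triage an Openswan (pluto) IKEv1 log and the matching ipsec.conf 'conn' block.
Added example for this thread; not Openswan's code. Hypothetical helper names."""
import ipaddress
import re

# Constructed sample: the conn block as posted in the thread (note leftnexthop).
SAMPLE_CONF = """\
conn cisco
       type= tunnel
       authby= secret
       left= 1.1.1.1
       leftsubnet= 1.1.1.1/32 #Net address assigned to the other side
       leftnexthop= 1.1.1.1.2 #Real IP Gateway
       right= 2.2.2.2 # ASA IP
       rightsubnet= 3.3.3.0/24
       rightnexthop= 1.1.1.2
       esp= 3des-md5-96
       keyexchange= ike
       pfs= no
       auto= start
"""

# Constructed sample: condensed pluto lines taken from the thread's auth.log excerpt.
SAMPLE_LOG = """\
Nov 29 08:06:36 testslave pluto[29151]: "cisco" #1: initiating Main Mode
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA payload: deleting ISAKMP State #1
"""

ADDR_KEYS = {"left", "right", "leftnexthop", "rightnexthop"}
NET_KEYS = {"leftsubnet", "rightsubnet"}
SPECIAL = {"%defaultroute", "%any", "%direct"}  # Openswan keywords, not literal IPs


def parse_conn(text):
    """Return {key: value} for one 'conn' block; '#' comments are stripped first."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def lint_conn(conf):
    """List conn values that do not parse as the address type their key expects."""
    problems = []
    for key, value in conf.items():
        try:
            if key in ADDR_KEYS and value not in SPECIAL:
                ipaddress.ip_address(value)
            elif key in NET_KEYS:
                ipaddress.ip_network(value, strict=False)
        except ValueError:
            problems.append(f"{key}={value!r} is not a valid address")
    return problems


PHASE1_OK = re.compile(r'"[^"]+" #\d+: STATE_MAIN_I4: ISAKMP SA established \{(?P<params>[^}]*)\}')
QUICK = re.compile(r'"[^"]+" #\d+: initiating Quick Mode')
NOTIFY = re.compile(r"informational payload, type (?P<type>[A-Z_]+)")
DELETE = re.compile(r"received Delete SA payload: deleting ISAKMP State #\d+")


def triage_log(text):
    """Record whether Phase 1 completed, whether Quick Mode started, and what the peer sent back."""
    result = {"phase1": None, "phase2_started": False, "notify": None, "deleted_by_peer": False}
    for line in text.splitlines():
        if m := PHASE1_OK.search(line):
            # e.g. {'auth': 'OAKLEY_PRESHARED_KEY', 'cipher': 'oakley_3des_cbc_192', ...}
            result["phase1"] = dict(kv.split("=", 1) for kv in m.group("params").split())
        elif QUICK.search(line):
            result["phase2_started"] = True
        elif m := NOTIFY.search(line):
            result["notify"] = m.group("type")
        elif DELETE.search(line):
            result["deleted_by_peer"] = True
    return result


def diagnose(summary):
    """Name the stage at which the exchange stopped."""
    if summary["phase1"] is None:
        return "phase1-failed"
    if summary["phase2_started"] and summary["notify"] == "NO_PROPOSAL_CHOSEN":
        return "phase2-rejected"  # IKE SA agreed; peer refused the IPsec SA proposal
    if summary["deleted_by_peer"]:
        return "peer-deleted"
    return "ok"


if __name__ == "__main__":
    print("config problems:", lint_conn(parse_conn(SAMPLE_CONF)))
    summary = triage_log(SAMPLE_LOG)
    print("phase 1 parameters:", summary["phase1"])
    print("verdict:", diagnose(summary))
```

Run against the constructed samples, the linter flags only `leftnexthop`, and the log triage reports that Phase 1 completed with the parameters pluto printed and that the peer rejected the Phase 2 proposal. That narrows the comparison with the ASA to the ESP transform, PFS and the subnet pair rather than the IKE settings, which the peer has already accepted.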

