[Openswan Users] VPN newbie trying to do site to site with Cisco ASA

Nick Wiltshire nick at customdesigns.ca
Wed Nov 30 12:49:25 EST 2011


On Wednesday 30 November 2011 11:03:27 Paul Wouters wrote:
> On Wed, 30 Nov 2011, Nick Wiltshire wrote:
> > Date: Wed, 30 Nov 2011 10:46:56
> > From: Nick Wiltshire <nick at customdesigns.ca>
> > To: users at openswan.org
> > Subject: [Openswan Users] VPN newbie trying to do site to site with Cisco ASA
> > 
> > I am in need of help as to why this won't work. I am attempting to
> > connect to a Cisco ASA device that is known to be working (others can
> > use it)
> the other end hangs up. It does not like your configuration. You should
> verify you are using the right settings. It's hard to help with that as it
> depends on the other device. Also, mangling IPs can hide potential
> misconfigurations.
> 


Thanks for the reply. I've double checked everything, and the only potential 
issue I can see is the esp method. They say md5 and sha are supported, with 
3des, and sha being preferred.

I've set ike=3des-sha1 and esp=3des-sha1 with no progress.

I just got a note from the person on the other side saying:

"On my side The phase 1 is completed. Then it complains about no matching SA."

After googling that error, I'm more confused than helped. Can someone tell me 
what that might imply?


> Paul
> 
> > This is on a Gentoo machine. The firewall has been disabled for testing.
> > 
> > The addresses involved will be changed to:
> > My machine: 1.1.1.1
> > My internet gateway: 1.1.1.2
> > Remote Cisco device: 2.2.2.2
> > Remote machine I should be able to reach: 3.3.3.3 (with an app listening
> > on 8888 for my connection)
> > 
> > My ipsec.conf:
> > Code:
> > config setup
> > 
> >        # Debug-logging controls: "none" for (almost) none, "all" for lots.
> >        # klipsdebug=none
> >        # plutodebug="control parsing"
> >        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> >        interfaces=%defaultroute
> >        klipsdebug=none
> >        plutodebug=none
> >        #protostack=netkey
> >        #nat_traversal=yes
> >        #virtual_private=
> >        #oe=off
> >        # Enable this if you see "failed to find any available worker"
> >        #nhelpers=0
> > 
> > conn cisco # Here is the Name of the VPN connection.
> > 
> >        type= tunnel
> >        authby= secret
> >        # Left security gateway, (Linux side)
> >        left= 1.1.1.1
> >        leftsubnet= 1.1.1.1/32 # Net address assigned to the other side
> >        leftnexthop= 1.1.1.2 # Real IP Gateway
> >        # Right security gateway, (ASA SIDE)
> >        right= 2.2.2.2 # ASA IP
> >        rightsubnet= 3.3.3.0/24 # Net address assigned to the other side
> >        rightnexthop= 1.1.1.2 # Real IP Gateway
> >        # Type of cryptography used on the VPN Tunnel
> >        esp= 3des-md5-96
> >        keyexchange= ike
> >        pfs= no
> >        auto= start
> > 
> > My secrets file:
> > Code:
> > 1.1.1.1 2.2.2.2: PSK "magic Key"
> > 
> > 
> > Then I run:
> > Code:
> > /etc/init.d/ipsec start
> > 
> > 
> > My first question: should I be getting a new net device when I connect?
> > All I get is a new route:
> > 
> > Code:
> > 3.3.3.0     1.1.1.2. 255.255.255.0   UG    0      0        0 eth0
> > 
> > 
> > When I run the init script I get this in auth.log:
> > 
> > Code:
> > 
> > /etc/init.d/ipsec start
> > * Starting IPSEC ... ...
> > ipsec_setup: Starting Openswan IPsec 2.4.15...
> > Nov 29 08:06:36 testslave ipsec__plutorun: Starting Pluto subsystem...
> > Nov 29 08:06:36 testslave ipsec__plutorun: Unknown default RSA hostkey
> > scheme, not generating a default hostkey
> > Nov 29 08:06:36 testslave pluto[29151]: Starting Pluto (Openswan Version
> > 2.4.15 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE}xT`Pu{prE)
> > Nov 29 08:06:36 testslave pluto[29151]: Setting NAT-Traversal port-4500
> > floating to off
> > Nov 29 08:06:36 testslave pluto[29151]:    port floating activation
> > criteria nat_t=0/port_fload=1
> > Nov 29 08:06:36 testslave pluto[29151]:   including NAT-Traversal patch
> > (Version 0.6c) [disabled]
> > Nov 29 08:06:36 testslave pluto[29151]: ike_alg_register_enc():
> > Activating OAKLEY_AES_CBC: Ok (ret=0)
> > Nov 29 08:06:36 testslave pluto[29151]: starting up 3 cryptographic helpers
> > Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29153 (fd:6)
> > Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29154 (fd:7)
> > Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29155 (fd:8)
> > Nov 29 08:06:36 testslave pluto[29151]: Using NETKEY IPsec interface code on 2.6.31.6
> > Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> > '/etc/ipsec/ipsec.d/cacerts'
> > Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> > '/etc/ipsec/ipsec.d/aacerts'
> > Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> > '/etc/ipsec/ipsec.d/ocspcerts'
> > Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> > '/etc/ipsec/ipsec.d/crls'
> > Nov 29 08:06:36 testslave pluto[29151]:   Warning: empty directory
> > Nov 29 08:06:36 testslave pluto[29151]: loading secrets from
> > "/etc/ipsec/ipsec.secrets"
> > Nov 29 08:06:36 testslave pluto[29151]: added connection description
> > "cisco" [ ok ]
> > Nov 29 08:06:36 testslave pluto[29151]: listening for IKE messages
> > Nov 29 08:06:36 testslave pluto[29151]: adding interface eth0/eth0 1.1.1.1:500
> > Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo 127.0.0.1:500
> > Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo ::1:500
> > Nov 29 08:06:36 testslave pluto[29151]: forgetting secrets
> > Nov 29 08:06:36 testslave pluto[29151]: loading secrets from
> > "/etc/ipsec/ipsec.secrets"
> > Nov 29 08:06:36 testslave pluto[29151]: "cisco" #1: initiating Main Mode
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID
> > payload [FRAGMENTATION c0000000]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from
> > state
> > STATE_MAIN_I1 to state STATE_MAIN_I2
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I2: sent
> > MI2, expecting MR2
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID
> > payload [Cisco-Unity]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID
> > payload [XAUTH]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring unknown
> > Vendor ID payload [d3e6aae7997ac360bc9045ccb5c211db]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID
> > payload [Cisco VPN 3000 Series]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: I did not send a
> > certificate because I do not have one.
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from
> > state
> > STATE_MAIN_I2 to state STATE_MAIN_I3
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I3: sent
> > MI3, expecting MR3
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID
> > payload [Dead Peer Detection]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: Main mode peer ID is
> > ID_IPV4_ADDR: '2.2.2.2'
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from
> > state
> > STATE_MAIN_I3 to state STATE_MAIN_I4
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4:
> > ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick
> > Mode
> > PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring
> > informational payload, type NO_PROPOSAL_CHOSEN
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received and ignored
> > informational message
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA
> > payload: deleting ISAKMP State #1
> > Nov 29 08:06:37 testslave pluto[29151]: packet from 2.2.2.2:500:
> > received and ignored informational message
> > 
> > 
> > Then I attempt to telnet:
> > Code:
> > 
> > # telnet 3.3.3.3 8888
> > Trying 3.3.3.3...
> > 
> > 
> > And the log:
> > Code:
> > 
> > Nov 29 08:06:44 testslave pluto[29151]: initiate on demand from
> > 1.1.1.1:0 to 3.3.3.3:0 proto=0 state: fos_start because: acquire
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: initiating Main Mode
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID
> > payload [FRAGMENTATION c0000000]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from
> > state
> > STATE_MAIN_I1 to state STATE_MAIN_I2
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I2: sent
> > MI2, expecting MR2
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID
> > payload [Cisco-Unity]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID
> > payload [XAUTH]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring unknown
> > Vendor ID payload [c5d84faa8d5901d3cc816c033fb9efb1]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID
> > payload [Cisco VPN 3000 Series]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: I did not send a
> > certificate because I do not have one.
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from
> > state
> > STATE_MAIN_I2 to state STATE_MAIN_I3
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I3: sent
> > MI3, expecting MR3
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID
> > payload [Dead Peer Detection]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: Main mode peer ID is
> > ID_IPV4_ADDR: '2.2.2.2'
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from
> > state
> > STATE_MAIN_I3 to state STATE_MAIN_I4
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I4:
> > ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #4: initiating Quick
> > Mode
> > PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring
> > informational payload, type NO_PROPOSAL_CHOSEN
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received and ignored
> > informational message
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Delete SA
> > payload: deleting ISAKMP State #3
> > Nov 29 08:06:44 testslave pluto[29151]: packet from 2.2.2.2:500:
> > received and ignored informational message
> > 
> > 
> > 
> > So, clearly it is connected (the other side sees my connection too) but
> > I can not get any traffic through (the other side sees no traffic at
> > all)
> > 
> > Can anyone point me in the right direction?
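As an added example, not part of the thread: a small Python reader for pluto log excerpts like the ones quoted above. It separates a Phase 1 refusal from the Phase 2 (Quick Mode) refusal seen here, where the ISAKMP SA was established and NO_PROPOSAL_CHOSEN came back against state #1 only after Quick Mode #2 had been initiated. The sample log is constructed from the lines quoted above, and the rule that a NO_PROPOSAL_CHOSEN logged against an already-established ISAKMP state refers to the Quick Mode proposal is the example's own heuristic.

```python
import re

# Constructed sample, condensed from the pluto lines quoted in the post: Phase 1 completes
# on ISAKMP state #1, Quick Mode #2 starts, then the peer answers NO_PROPOSAL_CHOSEN.
SAMPLE_LOG = """\
Nov 29 08:06:36 testslave pluto[29151]: "cisco" #1: initiating Main Mode
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA payload: deleting ISAKMP State #1
"""

STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$')
PHASE1_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')

def parse_events(log_text):
    """Yield (connection, state number, message) for every pluto line tagged with a state."""
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            yield m.group("conn"), int(m.group("st")), m.group("msg")

def diagnose(log_text):
    """Report how far the negotiation got and, on NO_PROPOSAL_CHOSEN, which phase was refused."""
    result = {"phase1": None, "ipsec_sa_established": False, "rejected_in": None}
    phase1_done = set()  # ISAKMP state numbers that completed Main Mode
    for _conn, st, msg in parse_events(log_text):
        m = PHASE1_RE.search(msg)
        if m:
            phase1_done.add(st)
            result["phase1"] = dict(kv.split("=", 1) for kv in m.group("params").split())
        elif "IPsec SA established" in msg:
            result["ipsec_sa_established"] = True
        elif "NO_PROPOSAL_CHOSEN" in msg and result["rejected_in"] is None:
            # Pluto logs the notify against the ISAKMP state; if that state had already
            # finished Phase 1, the refused proposal was the Quick Mode (IPsec SA) one.
            result["rejected_in"] = "phase2" if st in phase1_done else "phase1"
    return result

def verdict(result):
    """One-line reading of the diagnosis for whoever is debugging the tunnel."""
    if result["ipsec_sa_established"]:
        return "Tunnel up: both phases completed."
    if result["rejected_in"] == "phase2":
        return ("Phase 2 rejected after Phase 1 succeeded: the peer accepted ike= but not "
                "the IPsec proposal; compare esp=, pfs= and left/rightsubnet with the peer.")
    if result["rejected_in"] == "phase1":
        return "Phase 1 rejected: the peer accepted none of the ike= proposals."
    return "No rejection seen in this excerpt."
```

Run `diagnose(SAMPLE_LOG)` to see the negotiated Phase 1 parameters and `verdict(...)` for the one-line reading; the same reader works on a full auth.log excerpt.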

