[Openswan Users] VPN newbie trying to do site to site with Cisco ASA

Nick Wiltshire nick at customdesigns.ca
Wed Nov 30 17:16:08 EST 2011


On Wednesday 30 November 2011 11:03:27 you wrote:
> On Wed, 30 Nov 2011, Nick Wiltshire wrote:
> > Date: Wed, 30 Nov 2011 10:46:56
> > From: Nick Wiltshire <nick at customdesigns.ca>
> > To: users at openswan.org
> > Subject: [Openswan Users] VPN newbie trying to do site to site with Cisco ASA
> > X-Spam-Flag: NO
> > 
> > I am in need of help as to why this won't work. I am attempting to
> > connect to a Cisco ASA device that is known to be working (others can
> > use it)
> the other end hangs up. It does not like your configuration. You should
> verify you are using the right settings. It's hard to help with that as it
> depends on the other device. Also, mangling IPs can hide potential
> misconfigurations.
> 

I also forgot - here is the config without obscured IP addresses. This is
driving me nuts!

My public ip - 216.171.233.27
My gateway - 216.171.233.25

Config info from the other side:

VPN Gateway Device: 
Cisco ASA 
VPN Peer Gateway IP Address
(Internet  IP address of the gateway)
142.201.17.5
VPN interesting traffic IP addresses 
142.201.3.0/24
Internet Key Exchange Encryption  (IKE) Method:
3DES
Data Integrity Method:
(Supported methods: SHA, MD5)
SHA
Authentication Method:
Pre-shared secret 
Diffie-Hellman (DH) group:
Group 2 (1024 bit)
IKE SA lifetime:
86400 seconds (1 day)
IPSec SA lifetime:
3600 seconds (1 hour)
Data Exchange Encryption Algorithm:
ESP-3DES
Data Integrity:
ESP-MD5-HMAC
PFS (Perfect Forward Secrecy):
YES


...and my current config:


# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=none
        #protostack=netkey
        #nat_traversal=yes
        #virtual_private=
        #oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

conn cisco # Here is the Name of the VPN connection.
        type=tunnel
        authby=secret
        # Left security Linux, (Linux side)
        left=216.171.233.27
        leftsubnet=142.201.3.0/24 #Net address assigned to the other side
        leftnexthop=216.171.233.25 #Real IP Gateway
        # Right security gateway, (ASA SIDE)
        right=142.201.17.5 # ASA IP
        rightsubnet=142.201.3.0/24 # Net address assigned to the other side
        rightnexthop=216.171.233.25 #Real IP Gateway
        # Type of cryptography used on the VPN Tunnel
        ike=3des-sha1-modp1024
        esp=3des-md5
        keyexchange=ike
        pfs=yes
        auto=start

#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/examples/no_oe.conf

The end result:
# ping 142.201.3.12
PING 142.201.3.12 (142.201.3.12) 56(84) bytes of data.

...nothing.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216-171-233-24. *               255.255.255.248 U     0      0        0 eth0
142.201.3.0     216-171-233-25. 255.255.255.0   UG    0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         216-171-233-25. 0.0.0.0         UG    0      0        0 eth0



> Paul
> 
> > This is on a Gentoo machine. The firewall has been disabled for testing.
> > 
> > The addresses involved will be changed to:
> > My machine: 1.1.1.1
> > My internet gateway: 1.1.1.2
> > Remote Cisco device: 2.2.2.2
> > Remote machine I should be able to reach: 3.3.3.3 (with an app listening
> > on 8888 for my connection)
> > 
> > My ipsec.conf:
> > Code:
> > config setup
> > 
> >        # Debug-logging controls: "none" for (almost) none, "all" for lots.
> >        # klipsdebug=none
> >        # plutodebug="control parsing"
> >        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> >        interfaces=%defaultroute
> >        klipsdebug=none
> >        plutodebug=none
> >        #protostack=netkey
> >        #nat_traversal=yes
> >        #virtual_private=
> >        #oe=off
> >        # Enable this if you see "failed to find any available worker"
> >        #nhelpers=0
> > 
> > conn cisco # Here is the Name of the VPN connection.
> > 
> >        type= tunnel
> >        authby= secret
> >        # Left security Linux, (Linux side)
> >        left= 1.1.1.1
> >        leftsubnet= 1.1.1.1/32 #Net address assigned to the other side
> >        leftnexthop= 1.1.1.2 #Real IP Gateway
> >        # Right security gateway, (ASA SIDE)
> >        right= 2.2.2.2 # ASA IP
> >        rightsubnet= 3.3.3.0/24 # Net address assigned to the other side
> >        rightnexthop= 1.1.1.2 #Real IP Gateway
> >        # Type of cryptography used on the VPN Tunnel
> >        esp= 3des-md5-96
> >        keyexchange= ike
> >        pfs= no
> >        auto= start
> > 
> > My secrets file:
> > Code:
> > 1.1.1.1 2.2.2.2: PSK "magic Key"
> > 
> > 
> > Then I run:
> > Code:
> > /etc/init.d/ipsec start
> > 
> > 
> > My first question: should I be getting a new net device when I connect?
> > All I get is a new route:
> > 
> > Code:
> > 3.3.3.0     1.1.1.2. 255.255.255.0   UG    0      0        0 eth0
> > 
> > 
> > When I run the init script I get this in auth.log:
> > 
> > Code:
> > 
> > /etc/init.d/ipsec start
> > * Starting IPSEC ... ...
> > ipsec_setup: Starting Openswan IPsec 2.4.15...
> > Nov 29 08:06:36 testslave ipsec__plutorun: Starting Pluto subsystem...
> > Nov 29 08:06:36 testslave ipsec__plutorun: Unknown default RSA hostkey
> > scheme, not generating a default hostkey
> > Nov 29 08:06:36 testslave pluto[29151]: Starting Pluto (Openswan Version
> > 2.4.15 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE}xT`Pu{prE)
> > Nov 29 08:06:36 testslave pluto[29151]: Setting NAT-Traversal port-4500
> > floating to off
> > Nov 29 08:06:36 testslave pluto[29151]:    port floating activation
> > criteria nat_t=0/port_fload=1
> > Nov 29 08:06:36 testslave pluto[29151]:   including NAT-Traversal patch
> > (Version 0.6c) [disabled]
> > Nov 29 08:06:36 testslave pluto[29151]: ike_alg_register_enc():
> > Activating OAKLEY_AES_CBC: Ok (ret=0)
> > Nov 29 08:06:36 testslave pluto[29151]: starting up 3 cryptographic helpers
> > Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29153 (fd:6)
> > Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29154 (fd:7)
> > Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29155 (fd:8)
> > Nov 29 08:06:36 testslave pluto[29151]: Using NETKEY IPsec interface code on 2.6.31.6
> > Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> > '/etc/ipsec/ipsec.d/cacerts'
> > Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> > '/etc/ipsec/ipsec.d/aacerts'
> > Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> > '/etc/ipsec/ipsec.d/ocspcerts'
> > Nov 29 08:06:36 testslave pluto[29151]: Changing to directory
> > '/etc/ipsec/ipsec.d/crls'
> > Nov 29 08:06:36 testslave pluto[29151]:   Warning: empty directory
> > Nov 29 08:06:36 testslave pluto[29151]: loading secrets from
> > "/etc/ipsec/ipsec.secrets"
> > Nov 29 08:06:36 testslave pluto[29151]: added connection description
> > "cisco" [ ok ]
> > Nov 29 08:06:36 testslave pluto[29151]: listening for IKE messages
> > Nov 29 08:06:36 testslave pluto[29151]: adding interface eth0/eth0 1.1.1.1:500
> > Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo 127.0.0.1:500
> > Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo ::1:500
> > Nov 29 08:06:36 testslave pluto[29151]: forgetting secrets
> > Nov 29 08:06:36 testslave pluto[29151]: loading secrets from
> > "/etc/ipsec/ipsec.secrets"
> > Nov 29 08:06:36 testslave pluto[29151]: "cisco" #1: initiating Main Mode
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID
> > payload [FRAGMENTATION c0000000]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I2: sent
> > MI2, expecting MR2
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID
> > payload [Cisco-Unity]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID
> > payload [XAUTH]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring unknown
> > Vendor ID payload [d3e6aae7997ac360bc9045ccb5c211db]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID
> > payload [Cisco VPN 3000 Series]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: I did not send a
> > certificate because I do not have one.
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I3: sent
> > MI3, expecting MR3
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID
> > payload [Dead Peer Detection]
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: Main mode peer ID is
> > ID_IPV4_ADDR: '2.2.2.2'
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4:
> > ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring
> > informational payload, type NO_PROPOSAL_CHOSEN
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received and ignored
> > informational message
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA
> > payload: deleting ISAKMP State #1
> > Nov 29 08:06:37 testslave pluto[29151]: packet from 2.2.2.2:500:
> > received and ignored informational message
> > 
> > 
> > Then I attempt to telnet:
> > Code:
> > 
> > # telnet 3.3.3.3 8888
> > Trying 3.3.3.3...
> > 
> > 
> > And the log:
> > Code:
> > 
> > Nov 29 08:06:44 testslave pluto[29151]: initiate on demand from
> > 1.1.1.1:0 to 3.3.3.3:0 proto=0 state: fos_start because: acquire
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: initiating Main Mode
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID
> > payload [FRAGMENTATION c0000000]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I2: sent
> > MI2, expecting MR2
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID
> > payload [Cisco-Unity]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID
> > payload [XAUTH]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring unknown
> > Vendor ID payload [c5d84faa8d5901d3cc816c033fb9efb1]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID
> > payload [Cisco VPN 3000 Series]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: I did not send a
> > certificate because I do not have one.
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I3: sent
> > MI3, expecting MR3
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID
> > payload [Dead Peer Detection]
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: Main mode peer ID is
> > ID_IPV4_ADDR: '2.2.2.2'
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I4:
> > ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> > cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring
> > informational payload, type NO_PROPOSAL_CHOSEN
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received and ignored
> > informational message
> > Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Delete SA
> > payload: deleting ISAKMP State #3
> > Nov 29 08:06:44 testslave pluto[29151]: packet from 2.2.2.2:500:
> > received and ignored informational message
> > 
> > 
> > 
> > So, clearly it is connected (the other side sees my connection too) but
> > I can not get any traffic through (the other side sees no traffic at
> > all)
> > 
> > Can anyone point me in the right direction?
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
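The thread's symptom is a classic split outcome: the pluto log shows Phase 1 (the ISAKMP SA) completing, then the ASA answering the Quick Mode proposal with NO_PROPOSAL_CHOSEN and tearing the ISAKMP state down. Before blaming the peer, it pays to diff one's own conn block against the parameter sheet the other side published and to read the agreed Phase 1 parameters out of the log. The script below is an added example written for this page, not code from the thread or from the Openswan project; it parses an ipsec.conf conn block, compares it against the ASA sheet quoted above (the `ASA_REQUIRES` table is constructed from that sheet), and summarises the pluto lines. Run against the "current config" it flags that `leftsubnet` and `rightsubnet` are both 142.201.3.0/24; run against the quoted log it reports that the ISAKMP SA was negotiated with `prf=oakley_md5` (the quoted config had no `ike=` line, so the SHA requirement on the sheet was never proposed) and that Phase 2 was rejected. The `SAMPLE_CONF` and `SAMPLE_LOG` inputs are constructed excerpts of what the thread shows.

```python
import re

# Constructed from the ASA parameter sheet quoted in the thread.
ASA_REQUIRES = {
    "ike": "3des-sha1-modp1024",     # 3DES, SHA, DH group 2
    "esp": "3des-md5",               # ESP-3DES with ESP-MD5-HMAC
    "pfs": "yes",
    "remote_subnet": "142.201.3.0/24",
}

# Constructed excerpt of the "current config" conn block from the thread.
SAMPLE_CONF = """\
config setup
        interfaces=%defaultroute
        nhelpers=0

conn cisco # Here is the Name of the VPN connection.
        type=tunnel
        authby=secret
        left=216.171.233.27
        leftsubnet=142.201.3.0/24 #Net address assigned to the other side
        leftnexthop=216.171.233.25 #Real IP Gateway
        right=142.201.17.5 # ASA IP
        rightsubnet=142.201.3.0/24 # Net address assigned to the other side
        rightnexthop=216.171.233.25 #Real IP Gateway
        ike=3des-sha1-modp1024
        esp=3des-md5
        keyexchange=ike
        pfs=yes
        auto=start
"""

# Constructed excerpt of the pluto lines quoted in the thread.
SAMPLE_LOG = [
    'pluto[29151]: "cisco" #1: STATE_MAIN_I4: ISAKMP SA established '
    '{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}',
    'pluto[29151]: "cisco" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}',
    'pluto[29151]: "cisco" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
    'pluto[29151]: "cisco" #1: received Delete SA payload: deleting ISAKMP State #1',
]


def parse_conn(text, name):
    """Return {key: value} for the named conn block of an ipsec.conf.

    Trailing '#' comments are dropped and whitespace around '=' is
    tolerated, so 'type= tunnel' and 'type=tunnel' parse identically.
    """
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                    # section header line
            inside = line.split() == ["conn", name]
            continue
        if inside and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check_conn(conn, requires):
    """Cross-check a conn block against what the peer says it accepts."""
    findings = []
    if conn.get("ike") != requires["ike"]:
        findings.append("ike: have %r, peer wants %r" % (conn.get("ike"), requires["ike"]))
    esp = conn.get("esp", "")
    if not esp.startswith(requires["esp"]):          # accept e.g. 3des-md5-96
        findings.append("esp: have %r, peer wants %r" % (esp, requires["esp"]))
    if conn.get("pfs", "no") != requires["pfs"]:
        findings.append("pfs: have %r, peer wants %r" % (conn.get("pfs", "no"), requires["pfs"]))
    if conn.get("rightsubnet") != requires["remote_subnet"]:
        findings.append("rightsubnet: have %r, peer announces %r"
                        % (conn.get("rightsubnet"), requires["remote_subnet"]))
    if conn.get("leftsubnet") == conn.get("rightsubnet"):
        findings.append("leftsubnet equals rightsubnet (%s): left must be the local network,"
                        " otherwise the Phase 2 traffic selectors cannot match the peer's"
                        % conn.get("leftsubnet"))
    return findings


PHASE1_RE = re.compile(r"ISAKMP SA established \{(.*)\}")


def classify_log(lines):
    """Report which IKE phase succeeded and the peer's answer to Quick Mode."""
    result = {"phase1": None, "phase2": "not attempted"}
    for line in lines:
        m = PHASE1_RE.search(line)
        if m:                                        # agreed Phase 1 parameters
            result["phase1"] = dict(kv.split("=", 1) for kv in m.group(1).split())
        elif "initiating Quick Mode" in line:
            result["phase2"] = "proposed"
        elif "NO_PROPOSAL_CHOSEN" in line and result["phase2"] == "proposed":
            # Peer found no IPsec proposal / selector pair it was willing to accept.
            result["phase2"] = "rejected: NO_PROPOSAL_CHOSEN"
    return result


if __name__ == "__main__":
    conn = parse_conn(SAMPLE_CONF, "cisco")
    for finding in check_conn(conn, ASA_REQUIRES):
        print("config:", finding)
    print("log:", classify_log(SAMPLE_LOG))
```

Feeding it the older, IP-mangled conn block from the first post would add `ike` (absent), `pfs` (`no`) and `rightsubnet` findings, which is a reasonable way to see how many of the sheet's requirements were actually being proposed in that run.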

