[Openswan Users] VPN newbie trying to do site to site with Cisco ASA
Neal Murphy
neal.p.murphy at alum.wpi.edu
Wed Nov 30 17:47:58 EST 2011
On Wednesday 30 November 2011 17:16:08 Nick Wiltshire wrote:
> #protostack=netkey
Try uncommenting this. You may need to specify which stack to use.
> pfs=yes
Is this OK? ISTR problems with PFS mentioned in this list.
> > Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring
> > informational payload, type NO_PROPOSAL_CHOSEN
The other end doesn't like any of your proposals, meaning there is a mismatch
between the Cisco and openswan. Cisco seems to want SHA, but also uses MD5
(ESP-MD5-HMAC).
But worse, you seem to be using the same (protected) subnet on each side; this
shouldn't work (without more effort). You seem to be using the same gateway
(nexthop) on each side; the nexthop should be the next gateway toward the
remote.
In general terms,
- left: (public) IP address of the node running IPSEC
- leftsubnet: the (protected) LAN behind left's end of the IPSEC tunnel;
more technically, I think these are the addresses that will be sent
through the tunnel
- leftnexthop: the next gateway toward the right side
- right: (public) IP address of the node running IPSEC
- rightsubnet: the (protected) LAN behind right's end of the tunnel
- rightnexthop: the next gateway toward the left side
Only, and all, traffic between leftsubnet and rightsubnet will be sent through
the tunnel; both sides need to know these addresses.
Each side needs to know the nexthop (gateway) toward the other side.
The proposed encryption schemes must match up. That is, each side's proposals
must *intersect* before they can securely communicate.
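As an added example (mine, not from the list post and not Openswan code), a small checker for the three conn mistakes discussed above: overlapping protected subnets, the same nexthop on both sides, and proposal lists that do not intersect. The `ike=` parser handles only the simple `cipher-hash;group` form, and all sample values are constructed.

```python
import ipaddress


def parse_ike(spec):
    """Parse a simplified openswan ike=/esp= list ('cipher-hash;group,...')
    into a set of (cipher, hash, group) tuples. The group may be absent."""
    proposals = set()
    for item in spec.split(","):
        algs, _, group = item.strip().partition(";")
        cipher, _, hashalg = algs.partition("-")
        proposals.add((cipher, hashalg, group or None))
    return proposals


def common_proposals(ours, theirs):
    """Proposals both peers offer. An empty set is the situation the Cisco
    side answers with NO_PROPOSAL_CHOSEN."""
    return parse_ike(ours) & parse_ike(theirs)


def check_conn(conn):
    """Return the problems described in the post, found in a conn dict whose
    keys mirror ipsec.conf names; 'peer_ike' is the Cisco's proposal list."""
    problems = []
    left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    if left.overlaps(right):
        problems.append("leftsubnet and rightsubnet overlap")
    if conn["leftnexthop"] == conn["rightnexthop"]:
        problems.append("leftnexthop and rightnexthop are the same gateway")
    if not common_proposals(conn["ike"], conn["peer_ike"]):
        problems.append("no common IKE proposal: expect NO_PROPOSAL_CHOSEN")
    return problems


# Constructed sample mirroring the mistakes discussed (not the poster's config).
BROKEN = {
    "leftsubnet": "192.168.1.0/24", "rightsubnet": "192.168.1.0/24",
    "leftnexthop": "203.0.113.1", "rightnexthop": "203.0.113.1",
    "ike": "aes128-md5;modp1024",
    "peer_ike": "aes256-sha1;modp1536,3des-sha1;modp1024",
}
# Distinct remote subnet and nexthop, plus one proposal the peer also offers.
FIXED = dict(BROKEN, rightsubnet="192.168.2.0/24", rightnexthop="198.51.100.1",
             ike="aes128-md5;modp1024,3des-sha1;modp1024")

if __name__ == "__main__":
    for name, conn in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, check_conn(conn) or "ok")
```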