[Openswan Users] openswan
Efstathios Kalyvas
savilak at gmail.com
Mon Aug 6 02:56:00 EDT 2012
Hello,
I am trying from a Linux box to set up an IPsec tunnel to a Cisco ASA 5520. The Cisco
is managed by a telco operator.
My ipsec.conf is (based on the telco specs file I attach):
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    protostack=netkey
    nat_traversal=no
    #virtual_private=
    #oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0

conn cyta
    type=tunnel
    # Define your IKE policy
    authby=secret
    pfs=no
    ike=3des-sha1;modp1024
    ikelifetime="86400"
    # Define IPsec policy
    phase2=esp
    phase2alg=3des-sha1
    #ah=hmac-sha1
    keylife="3600"
    #ikev2=insist
    # Left security gateway (Linux side)
    left=198.101.222.60            # real IP of the Linux server
    leftsubnet=198.101.222.0/24    # net address on the Linux side
    leftnexthop=198.101.222.60     # real IP gateway
    # Right security gateway (ASA side)
    right=212.31.96.133            # ASA IP
    rightsubnet=212.31.96.0/24     # net address assigned to the other side
    rightnexthop=212.31.96.135     # real IP gateway
    # Type of cryptography used on the VPN tunnel
    #keyexchange=ike
    auto=start

# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf
The output I get is:
Aug 5 17:35:20 apllo-i1 pluto[21371]: adding interface eth1/eth1 10.178.111.55:500
Aug 5 17:35:20 apllo-i1 pluto[21371]: adding interface eth0/eth0 198.101.222.60:500
Aug 5 17:35:20 apllo-i1 pluto[21371]: adding interface lo/lo 127.0.0.1:500
Aug 5 17:35:20 apllo-i1 pluto[21371]: adding interface lo/lo ::1:500
Aug 5 17:35:20 apllo-i1 pluto[21371]: loading secrets from "/etc/ipsec.secrets"
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: initiating Main Mode
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Vendor ID payload [Cisco-Unity]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Vendor ID payload [XAUTH]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring unknown Vendor ID payload [07d0985db9d41de43dc9b2c01cd3102f]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Vendor ID payload [Dead Peer Detection]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: Main mode peer ID is ID_IPV4_ADDR: '212.31.96.133'
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:29f85155 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received and ignored informational message
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 5 17:35:20 apllo-i1 pluto[21371]: packet from 212.31.96.133:500: received and ignored informational message
Can you please verify that I've set the ipsec.conf file correctly? I
believe so.
Can this "INVALID_ID_INFORMATION" error message be related to a bug issue?
I would much appreciate your input on this.
Regards
Savilak
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IPSec Specs.jpg
Type: image/jpeg
Size: 114717 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20120806/2138a853/attachment-0001.jpg>
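In the log above phase 1 completes (ISAKMP SA established), Quick Mode is initiated, and the ASA answers with an INVALID_ID_INFORMATION notify and then deletes the ISAKMP SA. In IKEv1 that notify means the responder rejected the identities proposed in Quick Mode, which in practice is the local and remote subnets offered as traffic selectors. The Python below is an added example for this thread, not part of the post or of Openswan: it parses pluto log lines of the shape shown into a per-conn status, states where the negotiation stopped, renders the phase 2 selectors a conn block will propose so they can be compared against the peer's specification, and runs a few address sanity checks on the conn. The sample log is the post's own output with the syslog line-wrapping undone; the conn dict is the post's address block transcribed; the function names, the `ConnStatus` fields and the diagnosis wording are the example's own.

```python
"""Triage helper for an Openswan (pluto) IKEv1 negotiation (added example for this
thread, not Openswan code): summarise per conn how far a negotiation got from pluto
log lines, and sanity-check a conn's address block. Names and wording are the example's own."""
import ipaddress
import re
from dataclasses import dataclass, field

# The post's own pluto output with the syslog line-wrapping undone.
SAMPLE_LOG = """\
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: initiating Main Mode
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Vendor ID payload [Cisco-Unity]
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:29f85155 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Aug 5 17:35:20 apllo-i1 pluto[21371]: "cyta" #1: received Delete SA payload: deleting ISAKMP State #1
"""

# The post's conn cyta address block, transcribed into the key=value pairs pluto reads.
SAMPLE_CONN = {
    "left": "198.101.222.60", "leftsubnet": "198.101.222.0/24",
    "right": "212.31.96.133", "rightsubnet": "212.31.96.0/24",
}

# pluto prefixes per-connection messages with: "<conn>" #<state number>: <message>
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')


@dataclass
class ConnStatus:
    isakmp_sa: bool = False        # phase 1 (Main Mode) completed
    quick_mode: bool = False       # phase 2 (Quick Mode) was initiated
    ipsec_sa: bool = False         # phase 2 completed
    notifications: list = field(default_factory=list)  # informational notify types seen
    isakmp_deleted: bool = False   # peer sent Delete SA for the ISAKMP SA


def parse_pluto_log(text):
    """Return {conn_name: ConnStatus} built from pluto log lines."""
    status = {}
    for line in text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue               # interface/secrets lines carry no conn name
        st = status.setdefault(m["conn"], ConnStatus())
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            st.isakmp_sa = True
        elif msg.startswith("initiating Quick Mode"):
            st.quick_mode = True
        elif "IPsec SA established" in msg:
            st.ipsec_sa = True
        elif "informational payload, type" in msg:
            st.notifications.append(re.search(r"type (\w+)", msg)[1])
        elif "received Delete SA payload" in msg:
            st.isakmp_deleted = True
    return status


def diagnose(st):
    """One-line reading of a ConnStatus, keyed on where the negotiation stopped."""
    if not st.isakmp_sa:
        return "phase 1 failed: no ISAKMP SA (check ike=, the PSK and peer reachability)"
    if st.ipsec_sa:
        return "tunnel up: ISAKMP and IPsec SAs established"
    if st.quick_mode and "INVALID_ID_INFORMATION" in st.notifications:
        return ("phase 1 up, phase 2 rejected with INVALID_ID_INFORMATION: the peer did not "
                "accept the proposed IDs; compare leftsubnet/rightsubnet with the peer's policy")
    if st.quick_mode:
        return "phase 1 up, phase 2 incomplete: " + (", ".join(st.notifications) or "no notify seen")
    return "phase 1 up, Quick Mode never initiated"


def phase2_selectors(conn):
    """(local, remote) traffic selectors a conn proposes in Quick Mode (host /32 if no subnet)."""
    local = ipaddress.ip_network(conn.get("leftsubnet", conn["left"]), strict=False)
    remote = ipaddress.ip_network(conn.get("rightsubnet", conn["right"]), strict=False)
    return str(local), str(remote)


def check_conn_addresses(conn):
    """Address sanity checks for a conn; returns a list of findings (empty means clean)."""
    findings, nets = [], {}
    for side in ("left", "right"):
        key = side + "subnet"
        nets[side] = ipaddress.ip_network(conn[key], strict=False)
        try:
            ipaddress.ip_network(conn[key])   # strict parse rejects host bits in the prefix
        except ValueError:
            findings.append(f"{key}={conn[key]} has host bits set; pluto proposes {nets[side]}")
    if nets["left"].overlaps(nets["right"]):
        findings.append(f"leftsubnet {nets['left']} overlaps rightsubnet {nets['right']}")
    if ipaddress.ip_address(conn["right"]) in nets["left"]:
        findings.append("peer address right= falls inside leftsubnet")
    if ipaddress.ip_address(conn["left"]) in nets["right"]:
        findings.append("own address left= falls inside rightsubnet")
    return findings


if __name__ == "__main__":
    for name, st in parse_pluto_log(SAMPLE_LOG).items():
        print(f"{name}: {diagnose(st)}")
    print("phase 2 selectors:", " <-> ".join(phase2_selectors(SAMPLE_CONN)))
    print("config findings:", check_conn_addresses(SAMPLE_CONN) or "none")
```

Run against the post's log it reports phase 1 up and phase 2 rejected with INVALID_ID_INFORMATION, and renders the selectors as 198.101.222.0/24 <-> 212.31.96.0/24; those two prefixes are what the peer's side has to agree with. The address checks come back clean for this conn, so the mismatch, if that is what it is, lies in the peer's policy rather than in an inconsistency inside the conn block itself. Feed it a live `/var/log/secure` (or wherever pluto logs) to triage several conns at once.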