[Openswan Users] openswan to cisco 3000, newbie need help

Peter Laszlo lotzi.peter at gmail.com
Wed Aug 8 10:39:55 EDT 2012


Hi everyone,

I'm trying to set up a VPN connection between our CentOS server and a 
Cisco 3000 Concentrator.
They gave me the following information:
IKE (ISAKMP)
  Key Negotiation Encryption Algorithm    AES-256
  Hashing Algorithm                       SHA/HMAC-160
  Diffie-Hellman group                    Group 2
  Negotiation Mode                        Main
  Lifetime Measurement (sec)              86400

IPsec
  Transform                               Encryption + Data Integrity - ESP
  Encryption Algorithm                    AES-256
  Data Integrity Hashing Algorithm        SHA/HMAC-160
  Perfect Forward Secrecy                 Disabled
  Encapsulation Mode                      Tunnel
  Lifetime Measurement (sec)              28800


So I set up my ipsec.conf in the following way:

# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # klipsdebug=none
         # plutodebug="control parsing"
         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
         protostack=netkey
         nat_traversal=no
         virtual_private=
         oe=off
         # Enable this if you see "failed to find any available worker"
         # nhelpers=0

# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

conn otwovpn
         type=tunnel
         left=78.47.14.195
         right=160.218.24.2
         # Phase 1: AES-256 / SHA1 / DH group 2
         ike=aes256-sha1;modp1024
         # Phase 2: AES-256 / SHA1 (the modp1024 group is not used when pfs=no)
         phase2alg=aes256-sha1;modp1024
         ikelifetime=24h
         pfs=no
         auto=start
         authby=secret

I added the preshared key to /etc/ipsec.d/o2vpn.secrets.
The iptables rules look like this:
  iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipsec-nat-t
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipsec-nat-t
ACCEPT     udp  --  anywhere             anywhere            udp dpt:isakmp

But when I start the ipsec service, no tunnel gets made.
Starting Pluto subsystem...
Aug  8 16:30:54 www pluto[1072]: nss directory plutomain: /etc/ipsec.d
Aug  8 16:30:54 www pluto[1072]: NSS Initialized
Aug  8 16:30:54 www pluto[1072]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Aug  8 16:30:54 www pluto[1072]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:1072
Aug  8 16:30:54 www pluto[1072]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Aug  8 16:30:54 www pluto[1072]: LEAK_DETECTIVE support [disabled]
Aug  8 16:30:54 www pluto[1072]: OCF support for IKE [disabled]
Aug  8 16:30:54 www pluto[1072]: SAref support [disabled]: Protocol not available
Aug  8 16:30:54 www pluto[1072]: SAbind support [disabled]: Protocol not available
Aug  8 16:30:54 www pluto[1072]: NSS support [enabled]
Aug  8 16:30:54 www pluto[1072]: HAVE_STATSD notification support not compiled in
Aug  8 16:30:54 www pluto[1072]: Setting NAT-Traversal port-4500 floating to off
Aug  8 16:30:54 www pluto[1072]:    port floating activation criteria nat_t=0/port_float=1
Aug  8 16:30:54 www pluto[1072]:    NAT-Traversal support [disabled]
Aug  8 16:30:54 www pluto[1072]: 1 bad entries in virtual_private - none loaded
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug  8 16:30:54 www pluto[1072]: starting up 1 cryptographic helpers
Aug  8 16:30:54 www pluto[1072]: started helper (thread) pid=139998973691648 (fd:10)
Aug  8 16:30:54 www pluto[1072]: Using Linux 2.6 IPsec interface code on 2.6.32-220.7.1.el6.x86_64 (experimental code)
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug  8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug  8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug  8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug  8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug  8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
Aug  8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug  8 16:30:54 www pluto[1072]: Could not change to directory '/etc/ipsec.d/cacerts': /
Aug  8 16:30:54 www pluto[1072]: Could not change to directory '/etc/ipsec.d/aacerts': /
Aug  8 16:30:54 www pluto[1072]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Aug  8 16:30:54 www pluto[1072]: Could not change to directory '/etc/ipsec.d/crls'
Aug  8 16:30:54 www pluto[1072]: | selinux support is NOT enabled.
Aug  8 16:30:54 www pluto[1072]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Aug  8 16:30:54 www pluto[1072]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Aug  8 16:30:54 www pluto[1072]: added connection description "otwovpn"
Aug  8 16:30:54 www pluto[1072]: listening for IKE messages
Aug  8 16:30:54 www pluto[1072]: adding interface eth0/eth0 78.47.14.195:500
Aug  8 16:30:54 www pluto[1072]: adding interface lo/lo 127.0.0.1:500
Aug  8 16:30:54 www pluto[1072]: adding interface lo/lo ::1:500
Aug  8 16:30:54 www pluto[1072]: loading secrets from "/etc/ipsec.secrets"
Aug  8 16:30:54 www pluto[1072]: loading secrets from "/etc/ipsec.d/o2vpn.secrets"
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: initiating Main Mode
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: received Vendor ID payload [Cisco-Unity]
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: received Vendor ID payload [XAUTH]
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: ignoring unknown Vendor ID payload [45bfb36d8ba8a9e8a222c0d844bf4fed]
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: received Vendor ID payload [Dead Peer Detection]
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: Main mode peer ID is ID_IPV4_ADDR: '160.218.24.2'
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:35c07df7 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: received Delete SA payload: deleting ISAKMP State #1
Aug  8 16:30:54 www pluto[1072]: packet from 160.218.24.2:500: received and ignored informational message

I asked for the log file from the Windows server, and it looks like the 
following:

vpn01.log - Aug  6 12:42:36 vpn01 -973619477 08/06/2012 12:42:36.350 SEV=4 IKE/119 RPT=1644046 78.47.14.195  Group [78.47.14.195] PHASE 1 COMPLETED

vpn01.log - Aug  6 12:42:36 vpn01 -973619476 08/06/2012 12:42:36.350 SEV=6 IKE/121 RPT=1644046 78.47.14.195  Keep-alive type for this connection: DPD

vpn01.log - Aug  6 12:42:36 vpn01 -973619467 08/06/2012 12:42:36.350 SEV=4 AUTH/22 RPT=1247461  User [78.47.14.195] Group [78.47.14.195] connected, Session Type: IPSec/LAN-to-LAN

vpn01.log - Aug  6 12:42:36 vpn01 -973619465 08/06/2012 12:42:36.350 SEV=4 AUTH/84 RPT=1238344  LAN-to-LAN tunnel to headend device 78.47.14.195 connected

vpn01.log - Aug  6 12:42:36 vpn01 -973619450 08/06/2012 12:42:36.370 SEV=4 IKEDBG/97 RPT=15682315 78.47.14.195  Group [78.47.14.195] QM FSM error (P2 struct &0x1922ab68, mess id 0x82c5db7c)!

vpn01.log - Aug  6 12:42:36 vpn01 -973619424 08/06/2012 12:42:36.380 SEV=4 AUTH/23 RPT=1237593 78.47.14.195  User [78.47.14.195] Group [78.47.14.195] disconnected: duration: 0:00:00

vpn01.log - Aug  6 12:42:36 vpn01 -973619423 08/06/2012 12:42:36.380 SEV=4 AUTH/85 RPT=1237583 LAN-to-LAN tunnel to headend device 78.47.14.195 disconnected: duration: 0:00:00

Any help is kindly appreciated!
Thank you!
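The two things the post is really doing by hand are (1) translating the concentrator's parameter sheet into ipsec.conf keywords and (2) reading the pluto log to see how far the negotiation got. The script below does both; it is an added example and is not code from the original post or from the Openswan project. The parameter values and the log lines are copied from the post; the Cisco-name-to-ipsec.conf mapping tables, the sheet layout (`CISCO_SHEET`), and the verdict heuristic in `diagnose()` are this example's own assumptions.

```python
"""Map a Cisco VPN 3000 LAN-to-LAN parameter sheet onto an Openswan conn block
and diagnose a pluto log that stalls after Phase 1.

Added example, not from the original post or from Openswan. Values and log
lines are copied from the post; the ENC/HASH/DH tables and the verdict
logic are assumptions made here.
"""
import re

# Cisco concentrator names -> ipsec.conf algorithm tokens (assumed mapping)
ENC = {"AES-256": "aes256", "AES-128": "aes128", "3DES": "3des"}
HASH = {"SHA/HMAC-160": "sha1", "MD5/HMAC-128": "md5"}
DH = {"Group 1": "modp768", "Group 2": "modp1024", "Group 5": "modp1536"}

# The peer's parameter sheet as posted (constructed input, assumed layout)
CISCO_SHEET = {
    "ike_enc": "AES-256", "ike_hash": "SHA/HMAC-160", "ike_dh": "Group 2",
    "ike_life": 86400,
    "esp_enc": "AES-256", "esp_hash": "SHA/HMAC-160", "pfs": False,
    "mode": "Tunnel", "esp_life": 28800,
}


def seconds_to_ipsec(sec):
    """Express a lifetime in the h/m/s shorthand ipsec.conf accepts."""
    if sec % 3600 == 0:
        return f"{sec // 3600}h"
    if sec % 60 == 0:
        return f"{sec // 60}m"
    return f"{sec}s"


def render_conn(name, left, right, p):
    """Render a conn block from the sheet. A DH group is appended to
    phase2alg only when PFS is enabled; with pfs=no it would be ignored."""
    ike = f"{ENC[p['ike_enc']]}-{HASH[p['ike_hash']]};{DH[p['ike_dh']]}"
    phase2 = f"{ENC[p['esp_enc']]}-{HASH[p['esp_hash']]}"
    if p["pfs"]:
        phase2 += f";{DH[p['ike_dh']]}"
    lines = [
        f"conn {name}",
        "        type=" + ("tunnel" if p["mode"] == "Tunnel" else "transport"),
        f"        left={left}",
        f"        right={right}",
        f"        ike={ike}",
        "        phase2=esp",
        f"        phase2alg={phase2}",
        f"        ikelifetime={seconds_to_ipsec(p['ike_life'])}",
        f"        salifetime={seconds_to_ipsec(p['esp_life'])}",
        "        pfs=" + ("yes" if p["pfs"] else "no"),
        "        authby=secret",
        "        auto=start",
    ]
    return "\n".join(lines) + "\n"


# Log patterns, taken from the pluto and concentrator lines in the post
ISAKMP_UP = re.compile(r'#(\d+): STATE_MAIN_I4: ISAKMP SA established \{([^}]*)\}')
QM_INIT = re.compile(r'#(\d+): initiating Quick Mode .*proposal=(\S+) pfsgroup=(\S+)\}')
QM_UP = re.compile(r'STATE_QUICK_I2: sent QI2, IPsec SA established')
PEER_DELETE = re.compile(r'received Delete SA payload: deleting ISAKMP State #(\d+)')
CISCO_QM_ERR = re.compile(r'QM FSM error')


def diagnose(lines):
    """Walk the log once and report where the negotiation stopped."""
    r = {"phase1": None, "phase2_proposal": None, "phase2_up": False,
         "peer_deleted_isakmp": False, "peer_qm_error": False}
    for line in lines:
        m = ISAKMP_UP.search(line)
        if m:  # negotiated Phase 1 parameters, e.g. cipher=aes_256
            r["phase1"] = dict(kv.split("=", 1) for kv in m.group(2).split())
        m = QM_INIT.search(line)
        if m:  # what we proposed for Phase 2
            r["phase2_proposal"] = {"proposal": m.group(2), "pfsgroup": m.group(3)}
        if QM_UP.search(line):
            r["phase2_up"] = True
        if PEER_DELETE.search(line):
            r["peer_deleted_isakmp"] = True
        if CISCO_QM_ERR.search(line):
            r["peer_qm_error"] = True
    if r["phase2_up"]:
        r["verdict"] = "tunnel-up"
    elif r["phase1"] is None:
        r["verdict"] = "phase1-failed"
    elif r["phase2_proposal"] and (r["peer_deleted_isakmp"] or r["peer_qm_error"]):
        r["verdict"] = "phase2-rejected-by-peer"
    else:
        r["verdict"] = "incomplete"
    return r


def phase1_matches(diag, p):
    """Check the negotiated ISAKMP SA against the sheet (cipher and DH group)."""
    ph1 = diag["phase1"] or {}
    return (ph1.get("cipher", "").replace("_", "") == ENC[p["ike_enc"]]
            and ph1.get("group") == DH[p["ike_dh"]])


SAMPLE_LOG = [  # entries copied from the post, one per line
    'Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}',
    'Aug  8 16:30:54 www pluto[1072]: "otwovpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:35c07df7 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}',
    'Aug  8 16:30:54 www pluto[1072]: "otwovpn" #1: received Delete SA payload: deleting ISAKMP State #1',
    'vpn01.log - Aug  6 12:42:36 vpn01 -973619450 08/06/2012 12:42:36.370 SEV=4 IKEDBG/97 RPT=15682315 78.47.14.195  Group [78.47.14.195] QM FSM error (P2 struct &0x1922ab68, mess id 0x82c5db7c)!',
]

if __name__ == "__main__":
    print(render_conn("otwovpn", "78.47.14.195", "160.218.24.2", CISCO_SHEET))
    d = diagnose(SAMPLE_LOG)
    print(d["verdict"], "| phase1 matches sheet:", phase1_matches(d, CISCO_SHEET))
```

On the posted log the verdict is "phase2-rejected-by-peer" and the Phase 1 check passes, which is the useful signal: the ISAKMP SA parameters (AES-256, SHA1, modp1024, PSK) already agree with the sheet, so the remaining mismatch is on the Phase 2 side. Things to compare with the concentrator's LAN-to-LAN entry are the ESP transform, the 28800 s SA lifetime (Openswan's `salifetime` defaults to 8h, so the rendered value only makes the match explicit), the PFS setting, and the traffic selectors: the conn in the post has no leftsubnet/rightsubnet, so pluto proposes a host-to-host SA, whereas a LAN-to-LAN tunnel on the concentrator is configured with local and remote network lists. The verdict is a heuristic built from the strings visible in the post, not an Openswan diagnostic.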