[Openswan Users] openswan to cisco 3000, newbie need help
Peter Laszlo
lotzi.peter at gmail.com
Thu Aug 9 03:19:06 EDT 2012
Hi Dan,
Thank you for your answer.
I asked for the config on the cisco side and they gave me this screenshot:
[screenshot: cisco config, attached as image001.png]
It seems ok to me, but maybe they have to set up something at the IKE
Proposals too...
On 09.08.2012 00:18, Daniel Cave wrote:
> Peter,
>
> Check this out. I googled the error message on the Cisco VPN side.
>
> https://www.google.co.uk/search?q=cisco+vpn+QM+FSM+error+(P2+struct&oq=cisco+vpn+QM+FSM+error+(P2+struct&sugexp=chrome,mod=8&sourceid=chrome&ie=UTF-8
>
> Are you sure the crypto map on the cisco side is setup correctly? Get
> a copy of the config? I've not seen this error before as my
> experience is mostly on the PIX/ASA/cisco routers but it looks *like*
> a config problem
>
> https://learningnetwork.cisco.com/thread/41035
>
> Dan
>
> On 8 Aug 2012, at 15:39, Peter Laszlo <lotzi.peter at gmail.com> wrote:
>
>> Hi everyone,
>>
>> I'm trying to setup a VPN connection between our Centos server and a
>> Cisco 3000 Concentrator.
>> They gave me the following information:
>> IKE (ISAKMP)
>>   Key Negotiation Encryption Algorithm: AES-256
>>   Hashing Algorithm: SHA/HMAC-160
>>   Diffie-Hellman group: Group 2
>>   Negotiation Mode: Main
>>   Lifetime Measurement: sec 86400
>>
>> IPSec
>>   Transform: Encryption + Data Integrity - ESP
>>   Encryption Algorithm: AES-256
>>   Data integrity Hashing Algorithm: SHA/HMAC-160
>>   Perfect Forward Secrecy: Disabled
>>   Encapsulation Mode: Tunnel
>>   Lifetime Measurement: sec 28800
>>
>> So I set up my ipsec.conf in the following way:
>>
>> # basic configuration
>> config setup
>>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>     # klipsdebug=none
>>     # plutodebug="control parsing"
>>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>>     protostack=netkey
>>     nat_traversal=no
>>     virtual_private=
>>     oe=off
>>     # Enable this if you see "failed to find any available worker"
>>     # nhelpers=0
>>
>> # You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
>> #include /etc/ipsec.d/*.conf
>>
>> conn otwovpn
>>     type=tunnel
>>     left=78.47.14.195
>>     right=160.218.24.2
>>     ike=aes256-sha1;modp1024
>>     phase2alg=aes256-sha1;modp1024
>>     ikelifetime=24h
>>     pfs=no
>>     auto=start
>>     authby=secret
>>
>> I added the preshared key into the /etc/ipsec.d/o2vpn.conf
>> The iptables looks the following way:
>> iptables --list
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> ACCEPT ah -- anywhere anywhere
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
>> ACCEPT udp -- anywhere anywhere udp dpt:isakmp
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>> ACCEPT ah -- anywhere anywhere
>> ACCEPT esp -- anywhere anywhere
>> ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
>> ACCEPT udp -- anywhere anywhere udp dpt:isakmp
>>
>> But when I start up the ipsec service no tunnel gets made.
>> Starting Pluto subsystem...
>> Aug 8 16:30:54 www pluto[1072]: nss directory plutomain: /etc/ipsec.d
>> Aug 8 16:30:54 www pluto[1072]: NSS Initialized
>> Aug 8 16:30:54 www pluto[1072]: Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Aug 8 16:30:54 www pluto[1072]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:1072
>> Aug 8 16:30:54 www pluto[1072]: Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Aug 8 16:30:54 www pluto[1072]: LEAK_DETECTIVE support [disabled]
>> Aug 8 16:30:54 www pluto[1072]: OCF support for IKE [disabled]
>> Aug 8 16:30:54 www pluto[1072]: SAref support [disabled]: Protocol not available
>> Aug 8 16:30:54 www pluto[1072]: SAbind support [disabled]: Protocol not available
>> Aug 8 16:30:54 www pluto[1072]: NSS support [enabled]
>> Aug 8 16:30:54 www pluto[1072]: HAVE_STATSD notification support not compiled in
>> Aug 8 16:30:54 www pluto[1072]: Setting NAT-Traversal port-4500 floating to off
>> Aug 8 16:30:54 www pluto[1072]: port floating activation criteria nat_t=0/port_float=1
>> Aug 8 16:30:54 www pluto[1072]: NAT-Traversal support [disabled]
>> Aug 8 16:30:54 www pluto[1072]: 1 bad entries in virtual_private - none loaded
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
>> Aug 8 16:30:54 www pluto[1072]: starting up 1 cryptographic helpers
>> Aug 8 16:30:54 www pluto[1072]: started helper (thread) pid=139998973691648 (fd:10)
>> Aug 8 16:30:54 www pluto[1072]: Using Linux 2.6 IPsec interface code on 2.6.32-220.7.1.el6.x86_64 (experimental code)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_add(): ERROR: Algorithm already exists
>> Aug 8 16:30:54 www pluto[1072]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
>> Aug 8 16:30:54 www pluto[1072]: Could not change to directory '/etc/ipsec.d/cacerts': /
>> Aug 8 16:30:54 www pluto[1072]: Could not change to directory '/etc/ipsec.d/aacerts': /
>> Aug 8 16:30:54 www pluto[1072]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
>> Aug 8 16:30:54 www pluto[1072]: Could not change to directory '/etc/ipsec.d/crls'
>> Aug 8 16:30:54 www pluto[1072]: | selinux support is NOT enabled.
>> Aug 8 16:30:54 www pluto[1072]: Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Aug 8 16:30:54 www pluto[1072]: Non-fips mode set in /proc/sys/crypto/fips_enabled
>> Aug 8 16:30:54 www pluto[1072]: added connection description "otwovpn"
>> Aug 8 16:30:54 www pluto[1072]: listening for IKE messages
>> Aug 8 16:30:54 www pluto[1072]: adding interface eth0/eth0 78.47.14.195:500
>> Aug 8 16:30:54 www pluto[1072]: adding interface lo/lo 127.0.0.1:500
>> Aug 8 16:30:54 www pluto[1072]: adding interface lo/lo ::1:500
>> Aug 8 16:30:54 www pluto[1072]: loading secrets from "/etc/ipsec.secrets"
>> Aug 8 16:30:54 www pluto[1072]: loading secrets from "/etc/ipsec.d/o2vpn.secrets"
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: initiating Main Mode
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: received Vendor ID payload [Cisco-Unity]
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: received Vendor ID payload [XAUTH]
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: ignoring unknown Vendor ID payload [45bfb36d8ba8a9e8a222c0d844bf4fed]
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: received Vendor ID payload [Dead Peer Detection]
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: Main mode peer ID is ID_IPV4_ADDR: '160.218.24.2'
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:35c07df7 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
>> Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: received Delete SA payload: deleting ISAKMP State #1
>> Aug 8 16:30:54 www pluto[1072]: packet from 160.218.24.2:500: received and ignored informational message
>>
>> I asked for the log file from the windows server and that looks like
>> the following:
>>
>> vpn01.log - Aug 6 12:42:36 vpn01 -973619477 08/06/2012 12:42:36.350 SEV=4 IKE/119 RPT=1644046 78.47.14.195 Group [78.47.14.195] PHASE 1 COMPLETED
>>
>> vpn01.log - Aug 6 12:42:36 vpn01 -973619476 08/06/2012 12:42:36.350 SEV=6 IKE/121 RPT=1644046 78.47.14.195 Keep-alive type for this connection: DPD
>>
>> vpn01.log - Aug 6 12:42:36 vpn01 -973619467 08/06/2012 12:42:36.350 SEV=4 AUTH/22 RPT=1247461 User [78.47.14.195] Group [78.47.14.195] connected, Session Type: IPSec/LAN-to-LAN
>>
>> vpn01.log - Aug 6 12:42:36 vpn01 -973619465 08/06/2012 12:42:36.350 SEV=4 AUTH/84 RPT=1238344 LAN-to-LAN tunnel to headend device 78.47.14.195 connected
>>
>> vpn01.log - Aug 6 12:42:36 vpn01 -973619450 08/06/2012 12:42:36.370 SEV=4 IKEDBG/97 RPT=15682315 78.47.14.195 Group [78.47.14.195] QM FSM error (P2 struct &0x1922ab68, mess id 0x82c5db7c)!
>>
>> vpn01.log - Aug 6 12:42:36 vpn01 -973619424 08/06/2012 12:42:36.380 SEV=4 AUTH/23 RPT=1237593 78.47.14.195 User [78.47.14.195] Group [78.47.14.195] disconnected: duration: 0:00:00
>>
>> vpn01.log - Aug 6 12:42:36 vpn01 -973619423 08/06/2012 12:42:36.380 SEV=4 AUTH/85 RPT=1237583 LAN-to-LAN tunnel to headend device 78.47.14.195 disconnected: duration: 0:00:00
>>
>> Any help is kindly appreciated!
>> Thank you!
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
> Kindest Regards
>
> Daniel Cave
> Director
>
> " If you want IT doing right, Call Fahrenheit "
>
> Fahrenheit IT Services
> For all your Business and Residential Technology Needs and support
> services
>
> http://www.fahrenheit-it.com
> Tel: 01202 694433
>
>
>
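Added diagnostic for this thread (not code from the thread or from Openswan): it re-reads the pluto lines Peter posted to pin down where the IKEv1 exchange stopped, and compares his conn with the parameters the Cisco side published. Both logs above agree that Phase 1 completes and the peer tears the session down while Quick Mode is being negotiated, so the check concentrates on the phase 2 side of the conn. Openswan's default lifetimes (ikelifetime=1h, salifetime=8h) are assumed where the conn leaves them unset; the note about leftsubnet/rightsubnet is a check to make, not a confirmed diagnosis.

```python
import re

# Sample input: pluto lines from the post, re-joined where the mail client
# wrapped them (constructed subset, not a live capture).
PLUTO_LOG = """\
Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: initiating Main Mode
Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Aug 8 16:30:54 www pluto[1072]: "otwovpn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:35c07df7 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Aug 8 16:30:54 www pluto[1072]: "otwovpn" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 8 16:30:54 www pluto[1072]: packet from 160.218.24.2:500: received and ignored informational message
"""

# The conn section from the post, as Openswan would read it.
CONN_TEXT = """\
conn otwovpn
    type=tunnel
    left=78.47.14.195
    right=160.218.24.2
    ike=aes256-sha1;modp1024
    phase2alg=aes256-sha1;modp1024
    ikelifetime=24h
    pfs=no
    auto=start
    authby=secret
"""

# The far side's published parameters (from the post), in Openswan spelling.
CISCO_SPEC = {
    "ike": {"alg": "aes256-sha1", "group": "modp1024", "lifetime_s": 86400},
    "ipsec": {"alg": "aes256-sha1", "pfs": False, "lifetime_s": 28800},
}

ISAKMP_RE = re.compile(r"ISAKMP SA established \{(.*)\}")
QM_RE = re.compile(r"initiating Quick Mode .*\{(.*)\}")
KV_RE = re.compile(r"(\w+)=(\S+)")


def analyse_pluto(log):
    """Summarise an IKEv1 negotiation: phase 1 parameters, the phase 2
    proposal, and whether the peer tore the ISAKMP SA down in response."""
    r = {"phase1": None, "phase2_proposal": None, "pfs": None,
         "phase2_established": False, "peer_deleted_isakmp": False}
    for line in log.splitlines():
        m = ISAKMP_RE.search(line)
        if m:
            r["phase1"] = dict(KV_RE.findall(m.group(1)))
        m = QM_RE.search(line)
        if m:
            fields = dict(KV_RE.findall(m.group(1)))
            r["phase2_proposal"] = fields.get("proposal")
            r["pfs"] = fields.get("pfsgroup")
        if "IPsec SA established" in line:
            r["phase2_established"] = True
        if "received Delete SA payload: deleting ISAKMP State" in line:
            r["peer_deleted_isakmp"] = True
    if r["phase2_established"]:
        r["verdict"] = "tunnel-up"
    elif r["phase1"] and r["phase2_proposal"] and r["peer_deleted_isakmp"]:
        # Phase 1 agreed, our Quick Mode proposal went out, and the peer
        # answered by deleting the ISAKMP SA: the rejection is in phase 2.
        r["verdict"] = "phase1-ok-phase2-rejected-by-peer"
    else:
        r["verdict"] = "phase1-incomplete"
    return r


def parse_conn(text):
    """Read the key=value lines of one conn section (header and comments skipped)."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            conn[k.strip()] = v.strip()
    return conn


def to_seconds(value):
    """Openswan time syntax: plain seconds, or a number with an s/m/h/d suffix."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if value[-1] in units:
        return int(value[:-1]) * units[value[-1]]
    return int(value)


def check_conn(conn, spec):
    """Return findings where the conn diverges from the peer's published spec."""
    findings = []
    if conn.get("ike") != f"{spec['ike']['alg']};{spec['ike']['group']}":
        findings.append("ike: does not match the peer's phase 1 parameters")
    # With pfs=no the ';group' part of phase2alg is not offered (the log shows
    # pfsgroup=no-pfs), so only the cipher-integrity pair is compared.
    if conn.get("phase2alg", "").split(";")[0] != spec["ipsec"]["alg"]:
        findings.append("phase2alg: does not match the peer's ESP parameters")
    if (conn.get("pfs", "yes") == "yes") != spec["ipsec"]["pfs"]:
        findings.append("pfs: setting differs from peer")
    if to_seconds(conn.get("ikelifetime", "1h")) != spec["ike"]["lifetime_s"]:
        findings.append("ikelifetime: differs from peer")
    if to_seconds(conn.get("salifetime", "8h")) != spec["ipsec"]["lifetime_s"]:
        findings.append("salifetime: differs from peer")
    if "leftsubnet" not in conn or "rightsubnet" not in conn:
        findings.append("leftsubnet/rightsubnet: not set, so Quick Mode offers "
                        "host-to-host identities; compare with the networks the "
                        "peer's LAN-to-LAN entry defines")
    return findings
```

Run against the posted material, analyse_pluto returns the verdict phase1-ok-phase2-rejected-by-peer, and check_conn reports nothing about algorithms, PFS or lifetimes; the one finding is that the conn defines no subnets, which is the item to compare with the network lists on the concentrator's LAN-to-LAN entry before looking at the IKE proposals.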
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 183830 bytes
Desc: not available
URL: <http://lists.openswan.org/pipermail/users/attachments/20120809/69976ce1/attachment-0001.png>