[Openswan Users] How to configure leftprotoport in openswan to allow more arguments

Patrick Naubert patrickn at xelerance.com
Sun Oct 21 07:39:16 EDT 2012


Rescued from the Spam bucket. Please remember to register to the list before posting to it.

Begin forwarded message:

From: Sury Bu <bxb at ewell.cc>
Subject: How to configure leftprotoport in openswan to allow more arguments
Date: 21 October, 2012 5:57:50 AM EDT
To: users at lists.openswan.org


Hi, All

I want to setup a IPSec site to site VPN between cisco ASA5510 and openswan on CentOS 5.6 x86_64.

Main mode SA created fine, but Quick mode has some problems. Following is the information that appeared on the console.

[root at www ipsec.d]# ipsec auto --up ewelltouh
104 "ewelltouh" #232: STATE_MAIN_I1: initiate
003 "ewelltouh" #232: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
003 "ewelltouh" #232: ignoring Vendor ID payload [FRAGMENTATION c0000000]
106 "ewelltouh" #232: STATE_MAIN_I2: sent MI2, expecting MR2
003 "ewelltouh" #232: received Vendor ID payload [Cisco-Unity]
003 "ewelltouh" #232: received Vendor ID payload [XAUTH]
003 "ewelltouh" #232: ignoring unknown Vendor ID payload [a08969c77ff5cd61665e49a075633fa4]
003 "ewelltouh" #232: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "ewelltouh" #232: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
108 "ewelltouh" #232: STATE_MAIN_I3: sent MI3, expecting MR3
003 "ewelltouh" #232: received Vendor ID payload [Dead Peer Detection]
004 "ewelltouh" #232: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
117 "ewelltouh" #233: STATE_QUICK_I1: initiate
010 "ewelltouh" #233: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "ewelltouh" #233: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "ewelltouh" #233: max number of retransmissions (2) reached STATE_QUICK_I1.No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "ewelltouh" #233: starting keying attempt 2 of an unlimited number, but releasing whack

And here is my ewelltouh connection's configuration file:

conn ewelltouh
        type=tunnel
        authby=secret
        left=[CentOS Public IP Address]
        leftsubnet=172.16.66.254/32
        leftnexthop=[CentOS Public IP Address]
        leftprotoport=icmp
        leftsourceip=172.16.66.254
        right=[ASA5510 Public IP Address]
        rightsubnet=192.168.248.78/32
        rightnexthop=%defaultroute
        rightprotoport=icmp
        ike=aes256-sha1;modp1024
        ikelifetime=8h
        phase2=esp
        phase2alg=aes256-null,aes256-sha1,aes256-md5,aes-null,aes-sha1,aes128-null,aes128-sha1
        salifetime=1h

The ASA5510 side tells me there is no HMAC used, only AES 256 encryption on ESP.

I have posted a topic on Cisco support; they tell me ESP can not use HMAC and also it is not recommended.

So I think I should use aes256-null to match this.

My question is: are the leftprotoport arguments used in the proposal? And must these arguments match on each side?

And the remote side (ASA5510) allows tcp port 80 and icmp. What is the leftprotoport configuration format that lets leftprotoport allow tcp port 80 and icmp on my CentOS side?

Thanks,
Sury Bu
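An added configuration example (not from the thread, and not Openswan project documentation) showing one way to answer the protoport question above. In IKEv1 Quick Mode the protocol/port selectors are carried in the phase 2 identities (IDci/IDcr) together with the subnets, so the peer's crypto ACL must contain a matching entry for each one, and a Quick Mode proposal whose selectors the peer does not recognise fails with exactly the "no acceptable response to our first Quick Mode message" retransmission shown in the log. Openswan's leftprotoport/rightprotoport take a single protocol/port pair in the form protocol/port (for example tcp/80, or just icmp), so allowing both TCP port 80 and ICMP requires two conn sections, each producing its own IPsec SA pair. The bracketed IP addresses are the placeholders used in the original post; the phase2alg line mirrors the aes256-null transform the poster described for the ASA, with the caveat that ESP with a null integrity algorithm gives confidentiality only and an integrity-checked proposal such as aes256-sha1 is the preferable choice wherever the ASA transform set can be changed.

```ini
# /etc/ipsec.conf fragment (added example, assumes the placeholder
# addresses from the original post). One conn per protocol/port pair,
# because leftprotoport/rightprotoport accept exactly one pair each.

# TCP port 80 between the two hosts
conn ewelltouh-web
        type=tunnel
        authby=secret
        left=[CentOS Public IP Address]
        leftsubnet=172.16.66.254/32
        leftnexthop=[CentOS Public IP Address]
        leftsourceip=172.16.66.254
        # protocol/port: selector sent in Quick Mode, must be mirrored
        # by the peer's crypto ACL (tcp, port 80)
        leftprotoport=tcp/80
        right=[ASA5510 Public IP Address]
        rightsubnet=192.168.248.78/32
        rightnexthop=%defaultroute
        rightprotoport=tcp/80
        ike=aes256-sha1;modp1024
        ikelifetime=8h
        phase2=esp
        # matches the encryption-only ASA transform described in the post;
        # aes256-sha1 is preferable if the ASA side can be changed
        phase2alg=aes256-null
        salifetime=1h
        auto=add

# ICMP between the two hosts (same tunnel endpoints, separate SA pair)
conn ewelltouh-icmp
        type=tunnel
        authby=secret
        left=[CentOS Public IP Address]
        leftsubnet=172.16.66.254/32
        leftnexthop=[CentOS Public IP Address]
        leftsourceip=172.16.66.254
        # icmp has no port component, so the protocol name alone is used
        leftprotoport=icmp
        right=[ASA5510 Public IP Address]
        rightsubnet=192.168.248.78/32
        rightnexthop=%defaultroute
        rightprotoport=icmp
        ike=aes256-sha1;modp1024
        ikelifetime=8h
        phase2=esp
        phase2alg=aes256-null
        salifetime=1h
        auto=add
```

Each conn is brought up separately (ipsec auto --up ewelltouh-web, then ipsec auto --up ewelltouh-icmp), and on the ASA side the crypto ACL for this peer needs one permit line for tcp port 80 and one for icmp between the same two hosts; any mismatch between a conn's protoport and the corresponding ACL entry shows up as the Quick Mode retransmissions in the log above rather than as an explicit error. The settings the two conns share can also be factored out into a conn %default section if no other conns in the file would be affected by it.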




