[Openswan Users] Openswan can not connect to Cisco ASA

Yiyun Meng manfonly at gmail.com
Tue Dec 31 02:55:43 EST 2013


Hi,

My openswan version is U2.6.37, OS is fedora 16. I want to use openswan
as a client and Cisco ASA as a VPN server.
I use the following URL as a reference:
http://binaryjunction.com/2010/05/07/openswan-vpn-client-cisco-servers/


Client ip: 10.140.28.12
Server ip:10.75.189.105

Here is my ipsec.conf:

version 2.0        # must support 2.0 openswan

# basic configuration
config setup
        protostack=netkey
        nat_traversal=yes
        interfaces=%defaultroute
        plutodebug=none
        strictcrlpolicy=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off

conn labVPN
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=@mum
        leftxauthclient=yes
        leftmodecfgclient=yes
        leftxauthusername=VPNTester
        right=10.75.189.105
        remote_peer_type=cisco
        rightxauthserver=yes
        rightmodecfgserver=yes
        modecfgpull=yes
        keyexchange=ike
        ike=3des-md5;modp1024
        esp=3des-md5;modp1024
        #ikelifetime=28800s
        #keylife=60m
        #compress=no
        aggrmode=yes
        pfs=no
        auto=add

When I use ipsec auto --up labVPN, the output seems OK:
112 "labVPN" #1: STATE_AGGR_I1: initiate
003 "labVPN" #1: received Vendor ID payload [XAUTH]
003 "labVPN" #1: received Vendor ID payload [RFC 3947] method set to=109
003 "labVPN" #1: received Vendor ID payload [Dead Peer Detection]
003 "labVPN" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
004 "labVPN" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
004 "labVPN" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "labVPN" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "labVPN" #1: STATE_MAIN_I4: ISAKMP SA established
117 "labVPN" #2: STATE_QUICK_I1: initiate

But no tunnel up:
# /etc/init.d/ipsec status
IPsec running  - pluto pid: 29480
pluto pid 29480
No tunnels up

# tail -20 /var/log/messages
Dec 31 15:42:21 localhost pluto[29480]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 31 15:42:21 localhost pluto[29480]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec 31 15:42:21 localhost pluto[29480]:   loaded CA cert file 'cacert.pem' (1025 bytes)
Dec 31 15:42:21 localhost pluto[29480]: Could not change to directory '/etc/ipsec.d/aacerts': /
Dec 31 15:42:21 localhost pluto[29480]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Dec 31 15:42:21 localhost pluto[29480]: Could not change to directory '/etc/ipsec.d/crls'
Dec 31 15:42:21 localhost pluto[29480]: added connection description "labVPN"
Dec 31 15:42:21 localhost ipsec__plutorun: 002 added connection description "labVPN"
Dec 31 15:42:21 localhost pluto[29480]: listening for IKE messages
Dec 31 15:42:21 localhost pluto[29480]: adding interface eth0/eth0 10.140.28.12:500
Dec 31 15:42:21 localhost pluto[29480]: adding interface eth0/eth0 10.140.28.12:4500
Dec 31 15:42:21 localhost pluto[29480]: adding interface lo/lo 127.0.0.1:500
Dec 31 15:42:21 localhost pluto[29480]: adding interface lo/lo 127.0.0.1:4500
Dec 31 15:42:21 localhost pluto[29480]: adding interface lo/lo ::1:500
Dec 31 15:42:21 localhost pluto[29480]: loading secrets from "/etc/ipsec.secrets"
Dec 31 15:42:31 localhost pluto[29480]: packet from 10.75.189.105:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA

I think my ASA setting is OK, because I can use vpnc to establish the
connection. 

Regards,
Yiyun
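As an added example (not part of the post above and not Openswan's own code), here is a small Python checker that parses the pluto output and the syslog line quoted in the post, reconstructed onto single lines and slightly abridged, and reports how far the negotiation got: phase 1 done, XAUTH waiting on CFG_set more than once, Quick Mode initiated but never completed, and the peer rejecting Quick Mode for an unknown ISAKMP SA. The state names are the ones pluto prints in the post; the finding labels are my own.

```python
import re
# Constructed sample: the `ipsec auto --up labVPN` output from the post, re-joined, two Vendor ID lines dropped.
AUTO_UP_OUTPUT = """\
112 "labVPN" #1: STATE_AGGR_I1: initiate
003 "labVPN" #1: received Vendor ID payload [XAUTH]
003 "labVPN" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
004 "labVPN" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
004 "labVPN" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "labVPN" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "labVPN" #1: STATE_MAIN_I4: ISAKMP SA established
117 "labVPN" #2: STATE_QUICK_I1: initiate
"""
# Constructed sample: the one /var/log/messages line from the post that explains the missing tunnel.
SYSLOG = 'Dec 31 15:42:31 localhost pluto[29480]: packet from 10.75.189.105:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA\n'

# pluto whack output format: <3-digit code> "<conn>" #<state object number>: <message>
LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'^(STATE_[A-Z0-9_]+):')
PARAMS_RE = re.compile(r'\{([^}]*)\}')

def parse_states(text):
    """Map each state object (#1 = phase 1, #2 = first phase 2) to the IKE states it passed through, in order."""
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        s = STATE_RE.match(m.group('msg')) if m else None
        if s:
            states.setdefault(int(m.group('sa')), []).append(s.group(1))
    return states

def isakmp_params(text):
    """Extract the negotiated phase 1 parameters pluto prints in braces (auth, cipher, prf, group)."""
    m = PARAMS_RE.search(text)
    return dict(kv.split('=', 1) for kv in m.group(1).split()) if m else {}

def diagnose(auto_up, syslog):
    """Return finding labels (my own names) describing how far the negotiation got."""
    states = parse_states(auto_up)
    p1, p2 = states.get(1, []), states.get(2, [])
    findings = []
    if 'STATE_AGGR_I2' in p1 or 'STATE_MAIN_I4' in p1:
        findings.append('phase1-established')
    if p1.count('STATE_XAUTH_I1') > 1:          # waited for the XAUTH CFG_set more than once
        findings.append('xauth-cfg-set-awaited-repeatedly')
    if 'STATE_QUICK_I1' in p2 and 'STATE_QUICK_I2' not in p2:  # QI2 is where pluto reports the IPsec SA
        findings.append('phase2-not-completed')
    if 'non-existent (expired?) ISAKMP SA' in syslog:   # peer no longer has the phase 1 SA we are using
        findings.append('peer-rejected-quick-mode')
    return findings
```

Run `diagnose(AUTO_UP_OUTPUT, SYSLOG)` against a fresh `ipsec auto --up` capture and the matching syslog excerpt to see at which stage a different setup stalls.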

