[Openswan Users] Problem with OpenSWAN connecting to Cisco router

Harwinder Sidhu harwinder.sidhu at utradesolutions.com
Mon Oct 28 09:55:43 UTC 2013


Hi,

I'm trying to make an IPsec connection with a remote host running on a Cisco device, and we need to set up a GRE tunnel for multicast data. Here is the setup that we have:

 (A)                                                         (B)
 |                                                            |
 |                                                            |
 |                                                            |
 |        +-----------+                  +----------+         |
 |        |           |                  |          |         |
 |-------++ OpenSWAN  ++---Internet-----++ Cisco    ++--------+
 |       ||           ||                ||          |         |
 |       |+-----------+|                |+----------+         |
 |       |             |                |                     |
 |       |             |                |                     |
 |  10.0.0.40   115.247.A.A          115.254.X.X              |
 |                                                            |
10.0.0.0/16                                            10.7.121.4/30


Additionally, I have been given the following parameters by the remote end (B):

WAN IP          : - 115.254.X.X
Tunnel IP B end : - 10.7.121.1/30
Tunnel IP A end : - 10.7.121.2/30
Encryption      : - 3des
Authentication  : - pre-shared
group           : - 2
LAN IP          : - 10.7.121.4/30

When I try to connect to the remote end, I get the following messages.

[hss at trinity /etc ]$ sudo service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.6.1.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[hss at trinity /etc ]$ sudo ipsec auto --add BBB
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[hss at trinity /etc ]$ sudo ipsec auto --down BBB
[hss at trinity /etc ]$ sudo ipsec auto --up BBB
104 "BBB" #3: STATE_MAIN_I1: initiate
106 "BBB" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "BBB" #3: received Vendor ID payload [Cisco-Unity]
003 "BBB" #3: received Vendor ID payload [Dead Peer Detection]
003 "BBB" #3: ignoring unknown Vendor ID payload [b426e40544fd525f3b72a2752f85df94]
003 "BBB" #3: received Vendor ID payload [XAUTH]
108 "BBB" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "BBB" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "BBB" #4: STATE_QUICK_I1: initiate
010 "BBB" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "BBB" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "BBB" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "BBB" #4: starting keying attempt 2 of an unlimited number, but releasing whack

Can anyone have a look at my config and suggest what I am doing wrong here? Any help would be appreciated.

Thanks in advance.

Below is my config file:
[hss at trinity /etc ]$ sudo cat /etc/ipsec.conf

version 2.0

config setup
        protostack=netkey
        plutodebug=all

conn BBB
        auto=start
        type=tunnel
        authby=secret
        ike=3des-sha1;modp1024
        ikelifetime=1h
        esp=3des-sha1
        keylife=1h
        pfs=no
        ###our gateway
        left=115.249.A.A
        leftnexthop=115.249.A.B
        leftsubnet=10.0.0.0/16
        leftsourceip=10.7.121.2
        leftprotoport=47/0
        ###remote peer
        right=115.254.X.X
        rightnexthop=10.7.121.1
        rightsubnet=10.7.121.4/30
        rightsourceip=10.7.121.1
        rightprotoport=47/0

[hss at trinity ~ ]$ sudo ipsec --version
Linux Openswan U2.6.32/K2.6.32-358.6.1.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.

[hss at trinity /etc ]$ sudo iptunnel show
gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
BBBtun: gre/ip  remote 115.254.X.X  local 115.249.A.A  dev em2  ttl 255

[hss at trinity /etc ]$ sudo ifconfig
BBBtun    Link encap:UNSPEC  HWaddr 73-F9-D9-9B-FF-FF-80-2D-00-00-00-00-00-00-00-00
          inet addr:10.7.121.2  P-t-P:10.7.121.1  Mask:255.255.255.252
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1420  Metric:1

[hss at trinity /etc ]$ sudo netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.7.121.1      10.7.121.2      255.255.255.255 UGH       0 0          0 BBBtun
10.7.121.0      10.7.121.2      255.255.255.252 UG        0 0          0 BBBtun
10.7.121.0      0.0.0.0         255.255.255.252 U         0 0          0 BBBtun
115.249.A.C     0.0.0.0         255.255.255.248 U         0 0          0 em2
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 em1
0.0.0.0         115.249.A.B     0.0.0.0         UG        0 0          0 em2

Best Regards,
Harwinder
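An added example, not part of Harwinder's post and not Openswan code: a small Python triage script for exactly this failure pattern. It reads the whack status lines that `ipsec auto --up` prints (the three-digit RC code, conn name, SA number and state), works out which IKE phase stalled, pulls the negotiated ISAKMP SA parameters out of the 004 line, and then runs a couple of heuristic checks on the conn. The transcript and conn below are copied from the post; the checks assume the Cisco side uses the usual GRE-over-IPsec crypto ACL (`permit gre host <cisco_wan> host <openswan_wan>`), which the post does not state, so treat the findings as questions to ask the remote end rather than a diagnosis.

```python
"""Triage an Openswan 2.6 `ipsec auto --up` transcript and a GRE-over-IPsec conn.

Added example (not from the original post or the Openswan project). Assumes the
Cisco peer protects GRE with a host-to-host crypto ACL; the conn checks are
heuristics based on that assumption.
"""
import re

RC_RETRANSMIT_EXHAUSTED = "031"  # whack RC: "max number of retransmissions ... reached STATE_x"

LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
PARAMS_RE = re.compile(r'\{([^}]*)\}')
STALLED_RE = re.compile(r'reached (STATE_\w+)')

# Constructed sample: the post's transcript, reduced to the lines that matter.
SAMPLE_TRANSCRIPT = """\
104 "BBB" #3: STATE_MAIN_I1: initiate
106 "BBB" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "BBB" #3: received Vendor ID payload [Cisco-Unity]
108 "BBB" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "BBB" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "BBB" #4: STATE_QUICK_I1: initiate
010 "BBB" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "BBB" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "BBB" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Constructed sample: the relevant keys of the post's conn BBB.
SAMPLE_CONN = """\
conn BBB
        authby=secret
        ike=3des-sha1;modp1024
        esp=3des-sha1
        pfs=no
        left=115.249.A.A
        leftsubnet=10.0.0.0/16
        leftprotoport=47/0
        right=115.254.X.X
        rightsubnet=10.7.121.4/30
        rightprotoport=47/0
"""


def triage(transcript):
    """Classify a whack transcript: which phase completed, which one stalled."""
    result = {"phase1": "not reached", "phase2": "not reached",
              "stalled_state": None, "isakmp": {}}
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # ipsec_setup noise, blank lines, etc.
        rc, _conn, _sa, msg = m.groups()
        if "ISAKMP SA established" in msg:
            result["phase1"] = "established"
            p = PARAMS_RE.search(msg)
            if p:  # {auth=... cipher=... prf=... group=...}
                result["isakmp"] = dict(kv.split("=", 1) for kv in p.group(1).split())
        elif "IPsec SA established" in msg:
            result["phase2"] = "established"
        elif rc == RC_RETRANSMIT_EXHAUSTED:
            s = STALLED_RE.search(msg)
            state = s.group(1) if s else "unknown"
            result["stalled_state"] = state
            # STATE_MAIN_* is Phase 1 (ISAKMP), STATE_QUICK_* is Phase 2 (IPsec SA).
            result["phase2" if state.startswith("STATE_QUICK") else "phase1"] = "stalled"
    return result


def parse_conn(text):
    """Turn the key=value lines of one conn section into a dict."""
    return dict(re.findall(r'^\s*(\w+)=(\S+)', text, re.MULTILINE))


def gre_selector_findings(conn):
    """Heuristic checks for a GRE-over-IPsec conn facing a Cisco crypto map.

    Assumption: the Cisco ACL is `permit gre host <cisco_wan> host <openswan_wan>`,
    so the Phase 2 selector must be gateway/32 <-> gateway/32, protocol 47.
    """
    findings = []
    for side in ("left", "right"):
        host, subnet = conn.get(side, ""), conn.get(side + "subnet")
        proto = conn.get(side + "protoport", "")
        if proto.startswith("47") and subnet and subnet not in (host, host + "/32"):
            findings.append(
                f"{side}subnet={subnet} with {side}protoport={proto}: a GRE selector "
                f"covers the tunnel endpoint itself ({host}/32), not a LAN range; "
                f"LAN routes belong on the GRE interface, not in the SA.")
    if conn.get("pfs") == "no":
        findings.append("pfs=no: if the Cisco crypto map has `set pfs group2`, "
                        "Quick Mode fails with exactly this retransmission pattern.")
    return findings


if __name__ == "__main__":
    t = triage(SAMPLE_TRANSCRIPT)
    print(f"Phase 1: {t['phase1']} {t['isakmp']}")
    print(f"Phase 2: {t['phase2']} at {t['stalled_state']}")
    for f in gre_selector_findings(parse_conn(SAMPLE_CONN)):
        print(" -", f)
```

Reading the post's transcript through this: Phase 1 completes with 3DES/SHA1/modp1024 and a pre-shared key, so the `ike=` line matches what the Cisco offered; the failure is Phase 2 only (no answer to the first Quick Mode message), which points at the proposed traffic selectors or the ESP/PFS settings rather than at the key or the IKE proposal. Cisco typically logs the other side of this as a proxy-identity mismatch (`debug crypto ipsec` on the router), and that log line is worth asking the remote end for.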


