[Openswan Users] Problem with OpenSWAN connecting to Cisco router
Harwinder Sidhu
harwinder.sidhu at utradesolutions.com
Mon Oct 28 09:55:43 UTC 2013
Hi,
I'm trying to make an IPsec connection with a remote host running on a Cisco device, and we need to set up a GRE tunnel for multicast data. Here is the setup that we have:
            (A)                                             (B)
             |                                               |
             |     +-----------+                +----------+  |
             |-----+  OpenSWAN +---Internet-----+  Cisco   +--+
             |     +-----------+                +----------+  |
             |     10.0.0.40  115.247.A.A    115.254.X.X      |
             |                                                |
        10.0.0.0/16                                    10.7.121.4/30
Additionally, I have been given the following parameters by the remote end (B):
WAN IP: 115.254.X.X
Tunnel IP B end: 10.7.121.1/30
Tunnel IP A end: 10.7.121.2/30
Encryption: 3des
Authentication: pre-shared
Group: 2
LAN IP: 10.7.121.4/30
When I try to connect to the remote end, I get the following messages.
[hss at trinity /etc ]$ sudo service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-358.6.1.el6.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[hss at trinity /etc ]$ sudo ipsec auto --add BBB
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[hss at trinity /etc ]$ sudo ipsec auto --down BBB
[hss at trinity /etc ]$ sudo ipsec auto --up BBB
104 "BBB" #3: STATE_MAIN_I1: initiate
106 "BBB" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "BBB" #3: received Vendor ID payload [Cisco-Unity]
003 "BBB" #3: received Vendor ID payload [Dead Peer Detection]
003 "BBB" #3: ignoring unknown Vendor ID payload [b426e40544fd525f3b72a2752f85df94]
003 "BBB" #3: received Vendor ID payload [XAUTH]
108 "BBB" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "BBB" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "BBB" #4: STATE_QUICK_I1: initiate
010 "BBB" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "BBB" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "BBB" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "BBB" #4: starting keying attempt 2 of an unlimited number, but releasing whack
Can anyone have a look at my config and suggest what I am doing wrong here? Any help would be appreciated.
Thanks in advance.
Below is my config file:
[hss at trinity /etc ]$ sudo cat /etc/ipsec.conf
version 2.0
config setup
    protostack=netkey
    plutodebug=all
conn BBB
    auto=start
    type=tunnel
    authby=secret
    ike=3des-sha1;modp1024
    ikelifetime=1h
    esp=3des-sha1
    keylife=1h
    pfs=no
    ###our gateway
    left=115.249.A.A
    leftnexthop=115.249.A.B
    leftsubnet=10.0.0.0/16
    leftsourceip=10.7.121.2
    leftprotoport=47/0
    ###remote peer
    right=115.254.X.X
    rightnexthop=10.7.121.1
    rightsubnet=10.7.121.4/30
    rightsourceip=10.7.121.1
    rightprotoport=47/0
[hss at trinity ~ ]$ sudo ipsec --version
Linux Openswan U2.6.32/K2.6.32-358.6.1.el6.x86_64 (netkey)
See `ipsec --copyright' for copyright information.
[hss at trinity /etc ]$ sudo iptunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
BBBtun: gre/ip remote 115.254.X.X local 115.249.A.A dev em2 ttl 255
[hss at trinity /etc ]$ sudo ifconfig
BBBtun Link encap:UNSPEC HWaddr 73-F9-D9-9B-FF-FF-80-2D-00-00-00-00-00-00-00-00
inet addr:10.7.121.2 P-t-P:10.7.121.1 Mask:255.255.255.252
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1420 Metric:1
[hss at trinity /etc ]$ sudo netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.7.121.1      10.7.121.2      255.255.255.255 UGH   0   0      0    BBBtun
10.7.121.0      10.7.121.2      255.255.255.252 UG    0   0      0    BBBtun
10.7.121.0      0.0.0.0         255.255.255.252 U     0   0      0    BBBtun
115.249.A.C     0.0.0.0         255.255.255.248 U     0   0      0    em2
10.0.0.0        0.0.0.0         255.0.0.0       U     0   0      0    em1
0.0.0.0         115.249.A.B     0.0.0.0         UG    0   0      0    em2
Best Regards,
Harwinder
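Reading the `ipsec auto --up BBB` transcript above as a triage problem, here is an added example that is not part of the thread and not Openswan's own code: a Python script that parses Pluto's whack status lines, records how far each connection got (Main Mode, then Quick Mode), compares the established Phase 1 parameters with the values the remote side quoted (3des, pre-shared key, DH group 2) and points at the phase that actually failed. The transcript embedded in it is constructed from the post; `parse_status`, `phase1_mismatches` and `diagnose` are the example's own names.

```python
import re

# Constructed sample: Pluto status lines modelled on the `ipsec auto --up BBB`
# transcript in the post (typed in here, not captured from a live system).
SAMPLE_UP_OUTPUT = """\
104 "BBB" #3: STATE_MAIN_I1: initiate
106 "BBB" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "BBB" #3: received Vendor ID payload [Cisco-Unity]
003 "BBB" #3: received Vendor ID payload [Dead Peer Detection]
003 "BBB" #3: received Vendor ID payload [XAUTH]
108 "BBB" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "BBB" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "BBB" #4: STATE_QUICK_I1: initiate
010 "BBB" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "BBB" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "BBB" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "BBB" #4: starting keying attempt 2 of an unlimited number, but releasing whack
"""

# What the remote administrator quoted for the tunnel (taken from the post).
PEER_PARAMS = {"encryption": "3des", "authentication": "pre-shared", "group": 2}

# Oakley group names as Pluto prints them -> IKE group numbers as Cisco quotes them.
GROUP_NUMBERS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<params>[^}]*)\}')
RETRANS_FAIL_RE = re.compile(r'max number of retransmissions \(\d+\) reached (?P<state>STATE_\w+)')


def parse_status(text):
    """Fold the whack status lines into one record per connection name."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn = conns.setdefault(m["conn"], {
            "phase1": "not started", "phase2": "not started", "phase1_params": {},
        })
        msg = m["msg"]
        if "STATE_MAIN_I1: initiate" in msg:
            conn["phase1"] = "in progress"
        if "STATE_QUICK_I1: initiate" in msg:
            conn["phase2"] = "in progress"
        est = ISAKMP_RE.search(msg)
        if est:
            # Phase 1 done: keep the negotiated auth/cipher/prf/group as a dict.
            conn["phase1"] = "established"
            conn["phase1_params"] = dict(kv.split("=", 1) for kv in est["params"].split())
        if "IPsec SA established" in msg:
            conn["phase2"] = "established"
        fail = RETRANS_FAIL_RE.search(msg)
        if fail:
            # Retransmission limit hit: attribute it to the phase named by the state.
            phase = "phase2" if fail["state"].startswith("STATE_QUICK") else "phase1"
            conn[phase] = f"no response ({fail['state']})"
    return conns


def phase1_mismatches(params, peer):
    """Compare the established Phase 1 parameters with what the peer side quoted."""
    issues = []
    if peer["authentication"] == "pre-shared" and "PRESHARED" not in params.get("auth", ""):
        issues.append(f"auth={params.get('auth')} is not a pre-shared key")
    if peer["encryption"] not in params.get("cipher", ""):
        issues.append(f"cipher={params.get('cipher')} is not {peer['encryption']}")
    if GROUP_NUMBERS.get(params.get("group", "")) != peer["group"]:
        issues.append(f"group={params.get('group')} is not DH group {peer['group']}")
    return issues


def diagnose(conn):
    """Point troubleshooting at the phase that actually failed."""
    if conn["phase1"] != "established":
        return ("Main Mode did not complete: check that UDP 500 reaches the peer and "
                "that the ike= proposal and pre-shared key match the peer's settings.")
    if conn["phase2"] == "established":
        return "Both phases established; the IPsec SA is up."
    return ("Phase 1 succeeded, so the PSK, cipher and DH group were accepted. The failure is in "
            "Quick Mode: the peer never answered the Phase 2 proposal, so compare esp=/pfs= with "
            "the peer's transform set and the traffic selectors (leftsubnet, rightsubnet, "
            "protoport) with the peer's crypto ACL.")


if __name__ == "__main__":
    for name, conn in parse_status(SAMPLE_UP_OUTPUT).items():
        print(f"{name}: phase1={conn['phase1']} phase2={conn['phase2']}")
        print("  phase1 vs peer:", phase1_mismatches(conn["phase1_params"], PEER_PARAMS) or "match")
        print("  ", diagnose(conn))
```

Run on the constructed transcript it reports Phase 1 as established with no mismatch against the quoted parameters and Phase 2 as unanswered at STATE_QUICK_I1, which is why the diagnosis steers away from the pre-shared key and towards the Phase 2 proposal and selectors.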
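The posted ipsec.conf combines subnet selectors with `protoport=47/0` and a GRE interface whose endpoints are the two public addresses. As an added example, again not from the thread or from Openswan, here is a Python checker that parses the conn section and applies two heuristic consistency checks a reviewer would run before looking at the peer: whether the GRE tunnel's local and remote endpoints fall inside the left and right selectors (GRE packets are sourced from and addressed to those endpoints, so a selector that excludes them never matches), and whether a `*nexthop` is an RFC 1918 address while the corresponding peer address is public. The configuration embedded in it mirrors the post but uses TEST-NET stand-ins for the masked public addresses; `parse_conns`, `check_gre_selectors` and `check_nexthops` are the example's own names, and both checks are heuristics, not a verdict on the original setup.

```python
import ipaddress

# Constructed sample ipsec.conf following the conn section in the post. The public
# addresses are documentation-range stand-ins (TEST-NET), not the poster's real ones.
SAMPLE_CONF = """\
version 2.0
config setup
    protostack=netkey
conn BBB
    auto=start
    type=tunnel
    authby=secret
    ike=3des-sha1;modp1024
    esp=3des-sha1
    pfs=no
    ###our gateway
    left=198.51.100.10
    leftnexthop=198.51.100.9
    leftsubnet=10.0.0.0/16
    leftsourceip=10.7.121.2
    leftprotoport=47/0
    ###remote peer
    right=203.0.113.20
    rightnexthop=10.7.121.1
    rightsubnet=10.7.121.4/30
    rightsourceip=10.7.121.1
    rightprotoport=47/0
"""

# GRE endpoints as `iptunnel show` would report them (constructed to match SAMPLE_CONF).
GRE_TUNNEL = {"local": "198.51.100.10", "remote": "203.0.113.20"}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section; '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith(("config ", "version ")):
            current = None          # settings outside a conn section are not collected
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_gre_selectors(conn, tunnel):
    """With protoport 47 the policy has to match GRE packets, which are sourced from the
    tunnel's local address and sent to its remote address. If an endpoint lies outside
    the selector on its side, no GRE packet ever matches this policy."""
    findings = []
    for side, endpoint in (("left", tunnel["local"]), ("right", tunnel["remote"])):
        proto = conn.get(f"{side}protoport", "").split("/")[0]
        if proto not in ("47", "gre"):
            continue
        selector = conn.get(f"{side}subnet", conn.get(side))  # no *subnet: the host itself
        try:
            inside = ipaddress.ip_address(endpoint) in ipaddress.ip_network(selector, strict=False)
        except ValueError:
            continue            # e.g. %defaultroute or vhost: selectors are not checked here
        if not inside:
            findings.append(f"{side}: GRE endpoint {endpoint} is outside "
                            f"{side}subnet={selector}; GRE traffic cannot match this policy")
    return findings


def check_nexthops(conn):
    """*nexthop is the gateway toward the peer on the public network. An RFC 1918 next hop
    in front of a public peer address usually means a tunnel-interior address was entered."""
    findings = []
    for side in ("left", "right"):
        hop, peer = conn.get(f"{side}nexthop"), conn.get(side)
        if hop is None or peer is None:
            continue
        if _is_rfc1918(hop) and not _is_rfc1918(peer):
            findings.append(f"{side}nexthop={hop} is a private address but {side}={peer} is public")
    return findings


def _is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False            # keywords such as %defaultroute are not addresses
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    conn = parse_conns(SAMPLE_CONF)["BBB"]
    for finding in check_gre_selectors(conn, GRE_TUNNEL) + check_nexthops(conn):
        print("WARN:", finding)
```

A host-to-host conn with the same `protoport=47/0` and no `leftsubnet`/`rightsubnet` passes `check_gre_selectors`, because the selector then defaults to each gateway's own address, which is exactly where the GRE packets originate.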