[Openswan Users] ASA multiple subnets problem

Hickman, Daren daren.hickman at siemens.com
Thu Jan 16 15:19:51 EST 2014


I have Openswan version 2.6.28 connecting to a Cisco ASA 5510 running version 8.4. The Openswan side has 1 subnet and the ASA side has four subnets, so 4 tunnels are expected, but only one tunnel comes up. The Cisco gives "error processing payload; payload ID 1". The Openswan side gives "received and ignored informational payload No_Proposal_Chosen msgid=00000000".


The Openswan side of the connection is:



conn CHRSUB
        authby=secret
        auto=start
        phase2=esp
        phase2alg=aes192-sha1;modp1024
        ike=aes192-sha1;modp1024
        left=166.251.X.X
        leftsubnet=172.31.6.0/24
        leftupdown="ipsec _updown --route yes"
        pfs=no
        right=216.77.X.X
        rightsubnets={10.1.0.0/16 10.20.30.0/24 10.4.1.0/24 172.22.0.0/24}
        rightupdown="ipsec _updown --route yes"
        type=tunnel


The ASA config is below:

--CORPORATE VPN SUBNETS
object-group network NET-CORP-VPN
network-object 10.1.0.0 255.255.0.0
network-object 10.4.1.0 255.255.255.0
network-object 10.20.30.0 255.255.255.0
network-object 172.22.0.0 255.255.255.0

--SUBSTATION VPN SUBNET
object-group network NET-CHR-VPN
network-object 172.31.6.0 255.255.255.0

--NETWORKS ALLOWED ACROSS VPN
access-list acl-chr-vpn extended permit ip object-group NET-CORP-VPN object-group NET-CHR-VPN

--NAT EXEMPTION STATEMENT FOR VPN
nat (inside,any) source static NET-CORP-VPN NET-CORP-VPN destination static NET-CHR-VPN NET-CHR-VPN no-proxy-arp route-lookup

--CRYPTO MAP
crypto map outside_map 50 match address acl-chr-vpn
crypto map outside_map 50 set peer 166.251.73.50
crypto map outside_map 50 set ikev1 transform-set ESP-AES-192-SHA

--TUNNEL GROUP AND PRE-SHARED KEY
tunnel-group 166.251.X.X type ipsec-l2l
tunnel-group 166.251.X.X general-attributes
default-group-policy L2L
tunnel-group 166.251.X.X ipsec-attributes
ikev1 pre-shared-key MTEMCSUB


Daren Hickman
Manager, Field Application Consultants

Siemens Industry, Inc.
Industry Automation
Sensors and Communication

1911 Harrison Street
Hollywood, FL 33020
Toll Free: (877) 245-1750 X101
T: (954) 922-7938 X101
F: (954) 922-7984
M: (954) 805-4948

E: daren.hickman at siemens.com
W: usa.siemens.com

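As an added example (not part of Daren's post, and not Openswan or Cisco code), the following Python script parses the two configurations quoted above, expands Openswan's leftsubnet/rightsubnets into the per-pair Phase 2 SAs it negotiates, and checks that the ASA's object groups and crypto-map ACL cover exactly the same pairs. The function names and the report format are my own; the subnet values are copied from the post; the ACL parser assumes the "permit ip object-group SRC object-group DST" form used here and ignores other ACE forms. It does not diagnose the IKE error itself, but it is the first check worth running when fewer tunnels come up than expected: a network-object missing or mistyped on one side shows up as a selector pair present on one side only.

```python
import ipaddress
import re

# Constructed sample input: the subnet lines of the Openswan conn from the post.
OPENSWAN_CONN = """
conn CHRSUB
        leftsubnet=172.31.6.0/24
        rightsubnets={10.1.0.0/16 10.20.30.0/24 10.4.1.0/24 172.22.0.0/24}
"""

# Constructed sample input: the object groups and ACL of the ASA config from the post.
ASA_CONFIG = """
object-group network NET-CORP-VPN
network-object 10.1.0.0 255.255.0.0
network-object 10.4.1.0 255.255.255.0
network-object 10.20.30.0 255.255.255.0
network-object 172.22.0.0 255.255.255.0
object-group network NET-CHR-VPN
network-object 172.31.6.0 255.255.255.0
access-list acl-chr-vpn extended permit ip object-group NET-CORP-VPN object-group NET-CHR-VPN
"""


def parse_openswan_subnets(text):
    """Return (left, right) sets of ip_network from leftsubnet(s)/rightsubnet(s) lines."""
    sides = {}
    for side in ("left", "right"):
        nets = set()
        # rightsubnets={a b c}: a brace-delimited, space-separated list
        m = re.search(rf"^\s*{side}subnets=\{{([^}}]*)\}}", text, re.M)
        if m:
            nets.update(ipaddress.ip_network(n) for n in m.group(1).split())
        # rightsubnet=a: the single-subnet form
        m = re.search(rf"^\s*{side}subnet=(\S+)", text, re.M)
        if m:
            nets.add(ipaddress.ip_network(m.group(1)))
        sides[side] = nets
    return sides["left"], sides["right"]


def parse_asa_object_groups(text):
    """Map each 'object-group network' name to the set of networks it contains."""
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = set()
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m and current is not None:
            # ASA writes 'address mask'; ipaddress accepts 'address/mask' directly
            groups[current].add(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
    return groups


def asa_acl_pairs(text, groups):
    """Expand each 'permit ip object-group SRC object-group DST' ACE into (src, dst) pairs."""
    pairs = set()
    ace = r"^access-list \S+ extended permit ip object-group (\S+) object-group (\S+)$"
    for m in re.finditer(ace, text, re.M):
        for src in groups[m.group(1)]:
            for dst in groups[m.group(2)]:
                pairs.add((src, dst))
    return pairs


def compare_selectors(openswan_text, asa_text):
    """Compare the Phase 2 selector pairs each side will propose or accept.

    Openswan negotiates one Phase 2 SA per (leftsubnet, rightsubnet) pair; the
    ASA accepts the pairs its crypto-map ACL permits. The ASA ACL is written
    from the ASA's side (source = ASA-side network), so its pairs are flipped
    to Openswan's (left, right) orientation before comparing.
    """
    left, right = parse_openswan_subnets(openswan_text)
    openswan_pairs = {(l, r) for l in left for r in right}
    groups = parse_asa_object_groups(asa_text)
    asa_pairs = {(dst, src) for (src, dst) in asa_acl_pairs(asa_text, groups)}

    def fmt(pair):
        return f"{pair[0]} <-> {pair[1]}"

    return {
        "expected_tunnels": len(openswan_pairs),
        "only_in_openswan": sorted(fmt(p) for p in openswan_pairs - asa_pairs),
        "only_in_asa": sorted(fmt(p) for p in asa_pairs - openswan_pairs),
    }


if __name__ == "__main__":
    report = compare_selectors(OPENSWAN_CONN, ASA_CONFIG)
    print(f"Openswan expects {report['expected_tunnels']} Phase 2 SAs")
    print("Pairs only Openswan will propose:", report["only_in_openswan"] or "none")
    print("Pairs only the ASA would accept:", report["only_in_asa"] or "none")
```

For the configurations in the post the selector sets agree and the script reports 4 expected SAs with no one-sided pairs, which narrows the problem to the IKE exchange itself (proposal contents, lifetimes, PFS, or how the peers split the four selectors across SAs) rather than to a subnet mismatch.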