[Openswan Users] Single interface / tunnel will not come up.

Bruce Markey bruce at secryption.com
Fri Jan 31 06:27:01 EST 2014

I'm hoping someone here can point me in the right direction. I'm trying 
to get an IPsec VPN up from a Cisco 2811 to a hosted virtual server.  
Shouldn't be that tough from all that I've read. Here's the setup. 
Obviously external IPs have been changed for security purposes.

192.168.300/24 ------- INTERNET --
---->------------>------>------->---------------> being the only interface that is available on the VPS, and it's 
an external address.

This is my first guess as to where the problem is, but I haven't found a 
good example of how to deal with this.  The end goal here is to push all 
web and various other traffic over the VPN.  See config below.

NAT shouldn't be a problem, since I have the Cisco not NATting the 
traffic that I want to flow through the tunnel. Right now it's just ICMP 
traffic for testing.

     ip access-list extended NAT
     deny   icmp any

Finally, there seems to be some discrepancy in encryption methods between 
Cisco/Openswan. I've tried just about every combination.

So far I can verify that it gets far enough to say the keys match.  Then 
I think it actually finishes the Phase 1 tunnel, but I'm not exactly 
sure.  Before I make any more changes I want to make sure I have the 
actual Openswan config right, since the network layout is a little odd.


Cisco 2811--
crypto isakmp policy 1
  encr aes 192
  authentication pre-share
  group 2
  lifetime 43200
crypto isakmp key ********** address
crypto ipsec transform-set IOFSET2 esp-aes 192 esp-sha-hmac
crypto map IOFVPN 1 ipsec-isakmp
  description VPN1
  set peer
  set transform-set IOFSET2
  match address 152

access-list 152 permit icmp any any


config setup

conn IOF
                 # Left security gateway, subnet behind it, nexthop toward right.
                 # Right security gateway, subnet behind it, nexthop toward left.
                 # To authorize this connection, but not actually start
                 # at startup, uncomment this.

Watching the logs, I'm to the point now where I'm getting this from the 
Cisco:

2d11h: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address
2d11h: ISAKMP:(0:2:SW:1): IPSec policy invalidated proposal
2d11h: ISAKMP:(0:2:SW:1): phase 2 SA policy not acceptable! (local remote

and this from Openswan:

Jan 31 11:13:51 196-55-235-37 pluto[5376]: "IOF" #27: the peer proposed: ->
Jan 31 11:13:51 196-55-235-37 pluto[5376]: "IOF" #27: cannot respond to IPsec SA request because no connection is known for<>:1/0...<>:1/0===
Jan 31 11:13:51 pluto[5376]: "IOF" #27: sending encrypted 

I understand why: the ACL doesn't match on both sides, but I'm not 
sure how to get around this with the Openswan box only having a single NIC.

I've tried a few different things, but it fails.  I'm half wondering if 
it isn't easiest to add a sub-interface on the Openswan side just so 
it has a second network to make it happy, although I'd prefer not to.

I'm open to suggestions.

Thank you
Bruce Markey

Encrypt everything.
Public key: https://www.secryption.com/BruceMarkey.asc

I believe that any violation of privacy is nothing good.
Lech Walesa
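The following is an added example of the single-interface setup the post is asking about; it is not Bruce's config, not a reply from the list, and not taken from the Openswan project's own documentation. Every address in it is a placeholder (203.0.113.10 for the VPS's only public address, 198.51.100.1 for the Cisco's outside interface, 192.168.30.0/24 for the LAN behind it), chosen because the post's real addresses were changed or stripped. The point it demonstrates: a host with one NIC does not need a second network or a sub-interface to terminate a subnet-to-host tunnel. Its own public address, written as a /32, is the "subnet" on its side, and the Cisco crypto ACL has to be the exact mirror image of that pair of selectors. Openswan's "cannot respond to IPsec SA request because no connection is known for ... 1/0 ... 1/0" is the responder saying that the peer asked for protocol 1 (ICMP), any port, between a pair of networks that no loaded conn has as leftsubnet/rightsubnet; with "permit icmp any any" the router asks for 0.0.0.0/0 to 0.0.0.0/0, which no sane conn on a single-NIC VPS will ever match. The Phase 1 and Phase 2 parameters below are transcribed from the Cisco policy and transform set shown in the post (AES-192, the IOS default hash SHA-1, DH group 2, 43200 s ISAKMP lifetime; esp-aes 192 with esp-sha-hmac; no "set pfs" on the crypto map, hence pfs=no).

```ini
# /etc/ipsec.conf on the VPS (added example; placeholder addresses, not the post's).
# Assumed:
#   203.0.113.10    = the VPS's single public address (its only interface)
#   198.51.100.1    = the Cisco 2811's outside interface
#   192.168.30.0/24 = the LAN behind the Cisco

config setup
        protostack=netkey
        nat_traversal=no

conn IOF
        type=tunnel
        authby=secret
        # Single-NIC host: its "subnet" is its own address as a /32.
        # No second interface or sub-interface is needed.
        left=203.0.113.10
        leftsubnet=203.0.113.10/32
        right=198.51.100.1
        rightsubnet=192.168.30.0/24
        # Mirror of "crypto isakmp policy 1": encr aes 192, default hash
        # sha1, group 2 (modp1024), lifetime 43200 seconds.
        ike=aes192-sha1;modp1024
        ikelifetime=12h
        # Mirror of "transform-set IOFSET2 esp-aes 192 esp-sha-hmac".
        # The crypto map has no "set pfs", so PFS must be off here too.
        phase2=esp
        phase2alg=aes192-sha1
        pfs=no
        # IOS default IPsec SA lifetime is 3600 seconds.
        keylife=1h
        auto=start

# /etc/ipsec.secrets on the VPS (same placeholders; pick a real PSK):
#   203.0.113.10 198.51.100.1 : PSK "replace-me"
#
# Cisco side that mirrors the conn above (assumed, replaces "permit icmp any any"):
#   access-list 152 permit ip 192.168.30.0 0.0.0.255 host 203.0.113.10
#
# The router then proposes 192.168.30.0/24 <-> 203.0.113.10/32 for any
# protocol, which is exactly leftsubnet/rightsubnet here. If the ACL is
# kept ICMP-only ("permit icmp 192.168.30.0 0.0.0.255 host 203.0.113.10"),
# the proposal carries protocol 1 and the conn has to say so as well:
#   leftprotoport=1/0
#   rightprotoport=1/0
# The NAT exemption ACL on the router must then deny the same
# 192.168.30.0/24 -> 203.0.113.10 traffic it would otherwise translate.
```

Once a conn with matching selectors is loaded, "ipsec auto --status" on the VPS shows the IOF conn with both /32 and /24 ends, and a ping from a LAN host to 203.0.113.10 should bring up the Phase 2 SA; if the Cisco still logs "no IPSEC cryptomap exists for local address", the crypto map is not applied to the interface whose address the router sees as the local tunnel endpoint, which is a separate problem from the selector mismatch.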
