[Openswan Users] Ipsec vpn host-to-host between openswan and Cisco device

Piotr Pawłowski piotr.pawlowski at goyello.com
Mon Jul 14 08:51:52 EDT 2014


Indeed... Typo in networks (facepalm)... That's the result of debugging
too long. Thanks for the tip.
Now VPN is established, however there is no possibility to reach any end
(from openswan I am not able to reach 10.0.0.2/32 and from Cisco I
cannot reach 10.0.100.1).
Route on openswan side is added by the software. Route on Cisco side
looks like this:
ip route 10.0.100.1 255.255.255.255 $ciscoPublicIP

Any kind of tip will be helpful.

Regards
Piotr


Dnia 2014-07-14, pon o godzinie 09:02 +0100, Nick Howitt pisze:
> I don't know if your configs are edited, but you must not have any blank 
> lines in a conn. A blank line signifies the end of a conn. It probably 
> also applies to config setup. If you want, you can use an indented # 
> rather than a totally blank line.
> 
> I can't read Cisco configs but it also seems that your left/rightsubnets 
> don't match your access-list. Is this correct or do you specify subnets 
> elsewhere in the Cisco config?
> 
> Nick
> 
> On 2014-07-14 08:36, Piotr Pawłowski wrote:
> > Dear all,
> > 
> > From two weeks I am trying to setup ipsec vpn connection between two
> > hosts. One of them is openswan on linux, other is Cisco device. Without
> > luck.
> > Openswan configuration below:
> > 
> > config setup
> >         interfaces=%defaultroute
> >         plutodebug=none
> >         klipsdebug=none
> >         plutoopts="--perpeerlog"
> > 
> >         nat_traversal=yes
> >         virtual_private=%v4:10.0.100.1/32,%v4:10.0.0.2/32
> >         oe=off
> >         protostack=netkey
> >         plutostderrlog=/var/log/pluto.log
> > conn testConnection
> >         auto=start
> >         type=tunnel
> >         aggrmode=no
> > 
> >         left=$openswanPublicIP
> >         leftsubnet=10.0.100.1/32
> >         leftsourceip=10.0.100.1
> > 
> >         right=$ciscoPublicIP
> >         rightsubnet=10.0.0.2/32
> > 
> >         keyexchange=ike
> >         ike=3des-md5-modp1024
> > 
> >         authby=secret
> > 
> >         phase2=esp
> >         phase2alg=3des-md5
> >         pfs=yes
> > 
> > 
> > Cisco configuration:
> > 
> > crypto isakmp policy 1
> >  encr 3des
> >  hash md5
> >  authentication pre-share
> >  group 2
> >  lifetime 28800
> > crypto isakmp key TestKey address $openswanPublicIP
> > crypto ipsec transform-set OPENSWAN esp-3des esp-md5-hmac
> >  mode tunnel
> > crypto map openswan-map 1 ipsec-isakmp
> >  set peer $openswanPublicIP
> >  set transform-set OPENSWAN
> >  match address 190
> > access-list 190 permit ip 10.0.0.0 0.0.1.255 10.0.100.0 0.0.0.255
> > 
> > 
> > 
> > IMHO everything looks fine. Openswan thinks different. Below output 
> > from
> > pluto.log.
> > 
> > Plutorun started on Mon Jul 14 07:01:57 UTC 2014
> > adjusting ipsec.d to /etc/ipsec.d
> > Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ)
> > pid:23920
> > SAref support [disabled]: Protocol not available
> > SAbind support [disabled]: Protocol not available
> > Setting NAT-Traversal port-4500 floating to on
> >    port floating activation criteria nat_t=1/port_float=1
> >    NAT-Traversal support  [enabled]
> > using /dev/urandom as source of random entropy
> > ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
> > ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
> > ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
> > ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> > ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
> > ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
> > ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
> > starting up 1 cryptographic helpers
> > started helper pid=23924 (fd:4)
> > Using Linux 2.6 IPsec interface code on 2.6.32-5-amd64 (experimental
> > code)
> > using /dev/urandom as source of random entropy
> > ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
> > ike_alg_add(): ERROR: Algorithm already exists
> > ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
> > ike_alg_add(): ERROR: Algorithm already exists
> > ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
> > ike_alg_add(): ERROR: Algorithm already exists
> > ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
> > ike_alg_add(): ERROR: Algorithm already exists
> > ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
> > ike_alg_add(): ERROR: Algorithm already exists
> > ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
> > Changed path to directory '/etc/ipsec.d/cacerts'
> > Changed path to directory '/etc/ipsec.d/aacerts'
> > Changed path to directory '/etc/ipsec.d/ocspcerts'
> > Changing to directory '/etc/ipsec.d/crls'
> >   Warning: empty directory
> > added connection description "testConnection"
> > listening for IKE messages
> > NAT-Traversal: Trying new style NAT-T
> > NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4
> > (errno=19)
> > NAT-Traversal: Trying old style NAT-T
> > adding interface eth0/eth0 $openswanPublicIP:500
> > adding interface eth0/eth0 $openswanPublicIP:4500
> > adding interface lo:1/lo:1 10.0.100.1:500
> > adding interface lo:1/lo:1 10.0.100.1:4500
> > adding interface lo/lo 127.0.0.1:500
> > adding interface lo/lo 127.0.0.1:4500
> > adding interface lo/lo ::1:500
> > loading secrets from "/etc/ipsec.secrets"
> > loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
> > "testConnection" #1: initiating Main Mode
> > "testConnection" #1: received Vendor ID payload [RFC 3947] method set
> > to=109
> > "testConnection" #1: enabling possible NAT-traversal with method 4
> > "testConnection" #1: transition from state STATE_MAIN_I1 to state
> > STATE_MAIN_I2
> > "testConnection" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> > "testConnection" #1: received Vendor ID payload [Cisco-Unity]
> > "testConnection" #1: received Vendor ID payload [Dead Peer Detection]
> > "testConnection" #1: ignoring unknown Vendor ID payload
> > [9df211f6d27b7ea9251edca1d227fdd5]
> > "testConnection" #1: received Vendor ID payload [XAUTH]
> > "testConnection" #1: NAT-Traversal: Result using RFC 3947
> > (NAT-Traversal): no NAT detected
> > "testConnection" #1: transition from state STATE_MAIN_I2 to state
> > STATE_MAIN_I3
> > "testConnection" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> > "testConnection" #1: Main mode peer ID is ID_IPV4_ADDR: 
> > '$ciscoPublicIP'
> > "testConnection" #1: transition from state STATE_MAIN_I3 to state
> > STATE_MAIN_I4
> > "testConnection" #1: STATE_MAIN_I4: ISAKMP SA established
> > {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
> > group=modp1024}
> > "testConnection" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
> > +IKEv2ALLOW {using isakmp#1 msgid:b73ac6a6
> > proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
> > "testConnection" #1: ignoring informational payload, type
> > NO_PROPOSAL_CHOSEN msgid=00000000
> > "testConnection" #1: received and ignored informational message
> > :testConnection" #2: max number of retransmissions (2) reached
> > STATE_QUICK_I1.  No acceptable response to our first Quick Mode 
> > message:
> > perhaps peer likes no proposal
> > 
> > I also tried with 'transform-set esp-aes 256 esp-sha-hmac' on Cisco 
> > side
> > and keyexchange=ike , ike=3des-md5-modp1024 , phase2=esp ,
> > phase2alg=3des-md5;modp1024 on openswan side. Also with same error as
> > shown in pluto.log .
> > 
> > Can anybody point the area, where I am doing something wrong?
> > Thank you in advance.
> > 
> > Regards
> > Piotr
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list