[Openswan Users] Connecting to Cisco VPN, getting INVALID_ID_INFORMATION followed by "perhaps peer likes no proposal"

Nick Howitt nick at howitts.co.uk
Wed Mar 19 13:35:32 EDT 2014


I know nothing about Cisco kit, but I've seen specifying a phase 2 modp
mess things up. I'd try changing phase2alg=aes128-sha1;modp1024 to just
phase2alg=aes128-sha1 but leave in pfs=yes. Having said that, if you set
pfs=no, then if the Cisco proposes yes Openswan will negotiate yes.


On 2014-03-19 17:18, Mike Johnston wrote: 

> I'm not too well versed on this stuff, but I have a few thoughts for you:
> * Make sure your secrets match.
> * Make sure the IP addresses in your secrets file are accurate.
> * Try doing some debugging on the ASA.
>   * debug crypto isakmp 200 or even debug crypto isakmp 255
>   * debug crypto ipsec
> * I never could get pfs to work between Openswan and a Cisco firewall. Try temporarily turning off pfs on both ends and see if you get any better luck.