[Openswan Users] Help connect Openswan on centos to Cisco ASA 5520

Nick Howitt nick at howitts.co.uk
Wed Feb 11 06:08:18 EST 2015


Is the Cisco really running with DES and not 3DES? If so, I believe DES 
has been blocked in Openswan as it is too insecure. You can try changing 
your ike and esp parameters in your conn, but I don't think it will 
work.

Nick

On 2015-02-11 09:28, Afzal Khan wrote:
> Hi
> 
> I am trying to connect to a cisco ASA 5520 at a client location. My
> server runs centos with openswan
> 
> The config provided by the client is:
> 
> Phase 1 Properties:
> Authentication Method* Pre-Shared Secret
> Encryption Scheme IKE
> Perfect Fwd Secrecy – IKE DH GROUP2
> Encryption Algorithm – IKE DES
> Hashing Algorithm – IKE SHA
> Renegotiate IKE SA time 86400 seconds
> 
> Phase 2 Properties:
> Transform-set (IPSEC Protocol) ESP
> Perfect Fwd Secrecy - IPSEC DH GROUP2
> Encryption Algorithm - IPSEC ESP-DES
> Hashing Algorithm - IPSEC ESP-SHA-HMAC
> Renegotiate IPSEC SA time 86400 seconds
> 
> My config:
> 
> conn xyz
>         type=tunnel
>         authby=secret
>         auth=esp
>         ikelifetime=86400s
>         keylife=86400s
>         esp=3des-sha1
>         ike=3des-sha1-modp1024
>         keyexchange=ike
>         pfs=yes
> #local - centos
>         left=198.xxx.xxx.192
>         leftsourceip=192.168.21.101
> #remote - cisco
>         right=121.xxx.xxx.244
>         rightsubnet=172.19.16.0/24
> 
>         auto=start
> 
> /var/log/messages:
> 
> Feb 11 14:28:37 host ipsec__plutorun: 002 added connection description "xyz"
> Feb 11 14:28:37 host ipsec__plutorun: 104 "xyz" #1: STATE_MAIN_I1: initiate
> 
> /var/log/secure:
> 
> Feb 11 14:28:37 host pluto[26936]: added connection description "xyz"
> Feb 11 14:28:37 host pluto[26936]: loading secrets from "/etc/ipsec.d/xyz.secrets"
> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: initiating Main Mode
> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: received and ignored informational message
> 
> iptables -L:
> 
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ...
> ACCEPT     all  --  127.0.0.1            0.0.0.0/0
> icmp_packets  icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> ...
> ACCEPT     all  --  0.0.0.0/0            127.0.0.1
> icmp_packets  icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500
> ...
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:444
> LOG_DROP   all  --  0.0.0.0/0            0.0.0.0/0
> 
> What am I doing wrong here?
> 
> Please help me with this
> 
> Thank You
> 
> 

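An added example, not part of either message in the thread: a small Python script that pulls the ike= and esp= strings out of the quoted conn, maps them onto the vocabulary of the client's phase 1 and phase 2 policy sheet, lists every mismatch that would make the ASA answer NO_PROPOSAL_CHOSEN, and checks pluto's log for that notification. The alias tables, the conn snippet, the peer policy dict and the log lines are constructed here from the thread; the DES check follows Nick's point that Openswan blocks single DES.

```python
import re

# Openswan ike=/esp= tokens mapped onto the vocabulary of the Cisco policy sheet.
ENC = {"des": "DES", "3des": "3DES", "aes": "AES", "aes128": "AES", "aes256": "AES"}
HASH = {"md5": "MD5", "sha": "SHA", "sha1": "SHA", "sha2_256": "SHA256"}
DH = {"modp768": "GROUP1", "modp1024": "GROUP2", "modp1536": "GROUP5", "modp2048": "GROUP14"}
WEAK_ENC = {"DES"}  # 56-bit single DES, which Openswan blocks (see reply above)

def parse_alg(spec):
    """'3des-sha1-modp1024' or '3des-sha1;modp1024' -> {'enc', 'hash', 'dh'}."""
    toks = re.split(r"[-;]", spec.strip().lower()) + [None, None]
    enc, hsh, dh = toks[:3]
    return {"enc": ENC.get(enc, enc.upper()),
            "hash": HASH.get(hsh, hsh.upper()) if hsh else None,
            "dh": DH.get(dh, dh.upper()) if dh else None}

def parse_conn(text):
    """Collect key=value settings from an ipsec.conf conn block, ignoring comments."""
    pairs = (line.split("#", 1)[0].split("=", 1) for line in text.splitlines())
    return {k.strip(): v.strip() for k, v in (p for p in pairs if len(p) == 2)}

def compare(conn, peer):
    """List phase 1 (ike) / phase 2 (esp) differences between our proposal and the peer's policy."""
    ours = {"ike": parse_alg(conn["ike"]), "esp": parse_alg(conn["esp"])}
    findings = []
    for phase in ("ike", "esp"):
        for field in ("enc", "hash", "dh"):
            want, have = peer[phase].get(field), ours[phase].get(field)
            if want and have and want != have:
                findings.append(f"{phase}: we offer {have}, peer requires {want}")
        if peer[phase]["enc"] in WEAK_ENC:
            findings.append(f"{phase}: peer requires {peer[phase]['enc']}, which Openswan refuses")
    return findings

def proposal_rejected(log_lines):
    """True when pluto logged the peer's NO_PROPOSAL_CHOSEN notification."""
    return any("NO_PROPOSAL_CHOSEN" in line for line in log_lines)

# Constructed sample input: the conn, client policy and log lines quoted in the thread.
CONN = "conn xyz\n\tesp=3des-sha1\n\tike=3des-sha1-modp1024\n\tpfs=yes\n#remote - cisco\n"
PEER = {"ike": {"enc": "DES", "hash": "SHA", "dh": "GROUP2"},
        "esp": {"enc": "DES", "hash": "SHA", "dh": "GROUP2"}}
LOG = ['"xyz" #1: initiating Main Mode',
       '"xyz" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000']

if __name__ == "__main__":
    for finding in compare(parse_conn(CONN), PEER):
        print(finding)
    print("peer rejected our proposal:", proposal_rejected(LOG))
```

The esp string carries no DH group because Openswan reuses the IKE group for PFS when pfs=yes, so that field is skipped in the phase 2 comparison.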
