[Openswan Users] Help connect Openswan on centos to Cisco ASA 5520
Afzal Khan
khanafzal at gmail.com
Thu Feb 12 08:51:37 EST 2015
Thank You Nick
The Cisco is running DES, I have requested them to use 3DES.
On Wed, Feb 11, 2015 at 4:38 PM, Nick Howitt <nick at howitts.co.uk> wrote:
> Is the Cisco really running with DES and not 3DES? If so, I believe DES
> has been blocked in Openswan as it is too insecure. You can try changing
> your ike and esp parameters in your conn, but I don't think it will work.
>
> Nick
>
>
> On 2015-02-11 09:28, Afzal Khan wrote:
>
>> Hi
>>
>> I am trying to connect to a cisco ASA 5520 at a client location. My
>> server runs centos with openswan
>>
>> The config provided by the client is:
>>
>> Phase 1 Properties:
>> Authentication Method* Pre-Shared Secret
>> Encryption Scheme IKE
>> perfect fwd secrecy – IKE DH GROUP2
>> Encryption Algorithm – IKE DES
>> Hashing Algorithm – IKE SHA
>> Renegotiate IKE SA time 86400 seconds
>>
>> Phase 2 Properties:
>> Transform-set (IPSEC Protocol) ESP
>> Perfect Fwd Secrecy - IPSEC DH GROUP2
>> Encryption Algorithm - IPSEC ESP-DES
>> Hashing Algorithm - IPSEC ESP-SHA-HMAC
>> Renegotiate IPSEC SA time 86400 seconds
>>
>> My config:
>>
>> conn xyz
>> type=tunnel
>> authby=secret
>> auth=esp
>> ikelifetime=86400s
>> keylife=86400s
>> esp=3des-sha1
>> ike=3des-sha1-modp1024
>> keyexchange=ike
>> pfs=yes
>> #local - centos
>> left=198.xxx.xxx.192
>> leftsourceip=192.168.21.101
>> #remote - cisco
>> right=121.xxx.xxx.244
>> rightsubnet=172.19.16.0/24
>>
>> auto=start
>>
>> /var/log/messages:
>>
>> Feb 11 14:28:37 host ipsec__plutorun: 002 added connection description "xyz"
>> Feb 11 14:28:37 host ipsec__plutorun: 104 "xyz" #1: STATE_MAIN_I1: initiate
>>
>> /var/log/secure:
>>
>> Feb 11 14:28:37 host pluto[26936]: added connection description "xyz"
>> Feb 11 14:28:37 host pluto[26936]: loading secrets from "/etc/ipsec.d/xyz.secrets"
>> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: initiating Main Mode
>> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
>> Feb 11 14:28:37 host pluto[26936]: "xyz" #1: received and ignored informational message
>>
>> iptables -L:
>>
>> Chain INPUT (policy DROP)
>> target prot opt source destination
>> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> ...
>> ACCEPT all -- 127.0.0.1 0.0.0.0/0
>> icmp_packets icmp -- 0.0.0.0/0 0.0.0.0/0
>>
>> ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
>> DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy DROP)
>> target prot opt source destination
>> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
>> ...
>> ACCEPT all -- 0.0.0.0/0 127.0.0.1
>> icmp_packets icmp -- 0.0.0.0/0 0.0.0.0/0
>>
>> ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
>> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4500
>> ...
>> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:444
>> LOG_DROP all -- 0.0.0.0/0 0.0.0.0/0
>>
>> What am I doing wrong here?
>>
>> Please help me with this.
>>
>> Thank You
>>
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>>
>
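An added checker for the exchange above (example code, not from the thread or from Openswan): it parses the conn's ike=/esp= proposal strings, normalises the client's parameter sheet into Openswan tokens, reports the DES versus 3DES mismatch that produces NO_PROPOSAL_CHOSEN, and scans pluto log lines for that symptom. The name mapping, the WEAK set and the function names are assumptions of this example.

```python
import re

# Parameter-sheet names mapped to Openswan tokens (mapping assumed for this example).
PEER_TO_OPENSWAN = {
    "des": "des", "3des": "3des", "aes": "aes", "sha": "sha1", "sha1": "sha1",
    "md5": "md5", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048",
}
WEAK = {"des", "md5", "modp1024"}  # single DES is refused by Openswan (per the reply above); the rest are weak

# Sample lines from the post's /var/log/secure, embedded so the script runs offline.
SAMPLE_LOG = [
    'Feb 11 14:28:37 host pluto[26936]: "xyz" #1: initiating Main Mode',
    'Feb 11 14:28:37 host pluto[26936]: "xyz" #1: ignoring informational payload, '
    'type NO_PROPOSAL_CHOSEN msgid=00000000',
]

def parse_proposals(value):
    """'3des-sha1-modp1024,aes128-sha1;modp1536' -> [(enc, hash, group-or-None), ...]"""
    out = []
    for prop in value.split(","):
        parts = re.split(r"[-;]", prop.strip())
        out.append((parts[0], parts[1], parts[2] if len(parts) > 2 else None))
    return out

def peer_proposal(enc, hsh, group):
    """Normalise e.g. ('ESP-DES', 'ESP-SHA-HMAC', 'GROUP2') to Openswan tokens."""
    return tuple(PEER_TO_OPENSWAN[x.lower().replace("esp-", "").replace("-hmac", "")]
                 for x in (enc, hsh, group))

def check(local_value, peer):
    """Return (matches, findings); a local group of None inherits the phase 1 group."""
    matches = any(p[0] == peer[0] and p[1] == peer[1] and p[2] in (None, peer[2])
                  for p in parse_proposals(local_value))
    findings = [] if matches else [
        "no proposal in %r matches peer %s: expect NO_PROPOSAL_CHOSEN" % (local_value, "-".join(peer))]
    findings += ["peer offers weak algorithm %s" % t for t in peer if t in WEAK]
    return matches, findings

def conns_with_no_proposal(log_lines):
    """Names of conns whose pluto log shows NO_PROPOSAL_CHOSEN."""
    pat = re.compile(r'pluto\[\d+\]: "([^"]+)" #\d+: .*NO_PROPOSAL_CHOSEN')
    return sorted({m.group(1) for m in map(pat.search, log_lines) if m})

if __name__ == "__main__":
    for label, local, peer in (("IKE", "3des-sha1-modp1024", ("DES", "SHA", "GROUP2")),
                               ("ESP", "3des-sha1", ("ESP-DES", "ESP-SHA-HMAC", "GROUP2"))):
        ok, findings = check(local, peer_proposal(*peer))
        print(label, "ok" if ok else "MISMATCH", findings)
    print("conns failing proposal:", conns_with_no_proposal(SAMPLE_LOG))
```

Run against the conn and parameter sheet above it reports a mismatch for both phases until the peer moves off single DES; once the peer offers 3DES the proposals agree and only the 1024-bit DH group is still flagged.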