[Openswan Users] establish IPsec VPN from Cisco IOS to Openswan
MichaelLeung
gbcbooksmj at gmail.com
Sun Feb 15 10:08:16 EST 2015
Can anyone help me get out of this trouble?
I am trying to establish an IPsec VPN between Cisco IOS and Linux Openswan.
Here is the topology:
 ______________
|  Cisco IOS   |------------(gateway: public address)--------------------(CentOS Openswan)
|              |             public address: dynamic                     public address: 8.8.8.8
 192.168.1.253                                                           private address: 192.168.0.1/24 on the virtual adapter
And here are my configuration files for Cisco IOS and Openswan.
Cisco:
--------------------------------------------Cisco----------------
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco address 8.8.8.8
!
crypto ipsec transform-set vps esp-3des esp-md5-hmac
!
!
crypto map vps 10 ipsec-isakmp
 set peer 8.8.8.8
 set security-association lifetime seconds 86400
 set transform-set vps
 set pfs group2
 match address vps
ip access-list extended vps
 permit gre host 192.168.1.253 host 8.8.8.8 #they are the source and destination address of GRE tunnel on Cisco IOS
---------------------------------------------------------------------
Openswan
-----------------------------------Openswan----------------------------
version 2.0
config setup
    #interfaces=%defaultroute
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    dumpdir=/var/run/pluto/
    plutostderrlog=/var/log/pluto.log
    nhelpers=0
    disable_port_floating=no
conn %default
    rekey=no
conn GRE
    authby=secret
    pfs=no
    auto=add
    type=tunnel
    keyexchange=ike
    ike=3des-md5
    phase2alg=3des-md5
    left=8.8.8.8
    leftprotoport=47/%any
    leftupdown="ipsec _updown --route yes"
    leftsubnet=192.168.0.1/32 ## actually, this is an address on the virtual network adapter of CentOS
    right=%any
    rightprotoport=47/%any
    rightsubnet=192.168.1.253/32 # 192.168.1.253 is the interface IP address of Cisco IOS, it is behind the WAN.
-------------------------------------------------------------------
[root@vultr ~]# cat /etc/ipsec.secrets
#
include /etc/ipsec.d/*.secrets
8.8.8.8 %any : PSK "cisco"
And the error output:
packet from 113.111.97.145:5609: received Vendor ID payload [RFC 3947] method set to=109
packet from 113.111.97.145:5609: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
packet from 113.111.97.145:5609: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
packet from 113.111.97.145:5609: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
"GRE"[1] 113.111.97.145 #83: responding to Main Mode from unknown peer 113.111.97.145
"GRE"[1] 113.111.97.145 #83: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"GRE"[1] 113.111.97.145 #83: STATE_MAIN_R1: sent MR1, expecting MI2
It just stays at the 5/6 ISAKMP message.
I am so confused about why it is stuck in the ISAKMP negotiation.
I established it successfully before, but I don't know what line I removed.
Please help.
Thanks