[Openswan Users] OpenSwan and Cisco ASA?

Patrick Naubert patrickn at xelerance.com
Tue Oct 13 10:01:13 EDT 2015

Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: David Jones <david at proficienthealth.com>
Date: October 12, 2015 at 1:53:53 PM EDT
To: users at lists.openswan.org
Subject: OpenSwan and Cisco ASA?


I am running OpenSwan and have many clients connecting to us that use Cisco ASAs to establish IPSec tunnels.  We use the same IP address for our gateway as we do an internal machine that the customers need to access.  We just forward the port but require an IPSec tunnel.  This confuses our Cisco ASA friends for some reason and we occasionally have a client that can't figure out how to get the tunnel to route properly.  I don't know Cisco well and can really help them.

Here is a sample of the config:

-A PREROUTING -d <> -p tcp -m tcp --dport 34006 -j DNAT --to-destination <>

-A FORWARD -d <> -p tcp -m policy --dir in --pol ipsec -m state --state NEW -m tcp --dport 6665 -j ACCEPT

The tunnel is up but packets are not making it through.

000 "conn10": <><>---<>=== <>; erouted; eroute owner: #305
000 "conn10":     myip=; hisip=unset;
000 "conn10":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
000 "conn10":   policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth1; 
000 "conn10":   newest ISAKMP SA: #696; newest IPsec SA: #305; 
000 "conn10":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 #696: "conn10":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3191s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #305: "conn10":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 9850s; newest IPSEC; eroute owner; isakmp#300; idle; import:not set
000 #305: "conn10" esp.a13d0d4@<> esp.4ac15492@<> tun.0@<> tun.0@<> ref=0 refhim=4294901761

Can anyone offer me any suggestions for the Cisco people, maybe a special checkbox or some term I can offer them to spark an idea?

I have been working with the same client for months and just keep going back and forth with never a positive result.
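One thing worth checking on the Openswan side, as an added example that is not part of the original post: the FORWARD chain sees the packet after PREROUTING DNAT has rewritten it, so a `-m policy --dir in --pol ipsec` ACCEPT rule must match the internal host and port named in `--to-destination`, not the gateway address or the externally advertised port. The script below parses iptables-save style rules and reports any IPsec-gated FORWARD rule whose destination does not correspond to a DNAT translation. The addresses and ports in the sample are constructed, not the poster's values.

```python
import shlex

# Constructed sample modelled on the two rules quoted in the post; the
# addresses and ports are assumptions, not the poster's redacted values.
SAMPLE_RULES = """
-A PREROUTING -d 203.0.113.10/32 -p tcp -m tcp --dport 34006 -j DNAT --to-destination 10.0.0.5:6665
-A FORWARD -d 10.0.0.5/32 -p tcp -m policy --dir in --pol ipsec -m state --state NEW -m tcp --dport 6665 -j ACCEPT
-A FORWARD -d 10.0.0.6/32 -p tcp -m policy --dir in --pol ipsec -m state --state NEW -m tcp --dport 22 -j ACCEPT
"""


def parse_rule(line):
    """Reduce one '-A CHAIN ...' line to the options the check needs."""
    toks = shlex.split(line)
    rule = {"chain": toks[1]}
    for i, tok in enumerate(toks[:-1]):
        nxt = toks[i + 1]
        if tok == "-d":
            rule["dst"] = nxt.split("/")[0]          # strip the /32 prefix
        elif tok == "--dport":
            rule["dport"] = int(nxt)
        elif tok == "-j":
            rule["target"] = nxt
        elif tok == "--dir":
            rule["dir"] = nxt
        elif tok == "--pol":
            rule["pol"] = nxt
        elif tok == "--to-destination":
            host, _, port = nxt.partition(":")
            rule["to_host"] = host
            rule["to_port"] = int(port) if port else None  # None: port unchanged
    return rule


def check_forward_matches_dnat(rules_text):
    """Return (dst, dport) of every IPsec-gated FORWARD rule that is not the
    post-DNAT destination of some PREROUTING DNAT rule."""
    rules = [parse_rule(l) for l in rules_text.splitlines() if l.startswith("-A ")]
    translated = {
        (r["to_host"], r["to_port"] if r["to_port"] is not None else r.get("dport"))
        for r in rules if r.get("target") == "DNAT"
    }
    orphans = []
    for r in rules:
        gated = r["chain"] == "FORWARD" and r.get("pol") == "ipsec" and r.get("dir") == "in"
        if gated and (r.get("dst"), r.get("dport")) not in translated:
            orphans.append((r.get("dst"), r.get("dport")))
    return orphans


if __name__ == "__main__":
    print(check_forward_matches_dnat(SAMPLE_RULES))
```

With the sample above, the 10.0.0.5:6665 rule is consistent with the DNAT and the 10.0.0.6:22 rule is reported, since nothing in PREROUTING translates traffic to it.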




