[GRLUG] IPSec & CentOS

Adam Tauno Williams awilliam at whitemice.org
Fri Jan 30 16:40:31 EST 2009


On Fri, 2009-01-30 at 15:49 -0500, Godwin wrote:
> Adam,
> 
> Do you have pfs=yes on openswan (does it look like my sample) and are
> you initiating from there or is it the responder?  Googling "openswan
> cisco pfs" I found a guy with similar problem.  He said changing the
> Cisco to use DH group 2 solved it.  What are you using?

If "group 2" isn't specified it fails pretty quickly.  pfs=yes/no on the
OpenSWAN side doesn't seem to matter.

> This is the dumb approach, but often times when initially configuring
> a connection, I bounce openswan and dominoes mysteriously fall in
> place.  ;-)

If I change the ACL on the Cisco router to "access-list 102 permit ip
any any" then on the OpenSWAN box I get "IPSec SA established tunnel
mode".  But with that rule both sides lose all connectivity.  So I
really suspect the first problem is something to do with that *@^*$&!^$
rule;  but I have *NO* idea at this point what the @&^*@&! it should be.

192.168.24.19/24(e0/1)[Router]X.X.X.X(e0/0)<-->Y.Y.Y.Y(eth0)[OpenSWAN]192.168.1.72/24(eth1)

What seems odd (with the any any rule) is 
-------------------
updgate#show crypto ipsec  sa

interface: Ethernet0/0
    Crypto map tag: VPN, local addr. X.X.X.X

   protected vrf: 
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 216.120.174.237:500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 195, #recv errors 0

     local crypto endpt.: X.X.X.X remote crypto endpt.: Y.Y.Y.Y
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:
          
     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: 
   local  ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: 216.120.174.237:500
     PERMIT, flags={}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: EC1E6E98
          
     inbound esp sas:
      spi: 0xE73EA0FB(3879641339)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4455016/2996)
        IV size: 8 bytes
        replay detection support: Y
-----------------

Why:
   local  ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
????  Why is local "192.0.0.0/192.0.0.0/0/0"?  Where does that come
from?
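As an added example, not part of the thread, here is a small Python check that parses the ident lines and counters out of `show crypto ipsec sa` output like the one above, turns the dotted masks IOS prints into prefix lengths, and reports whether each selector is exactly the LAN it should protect, broader than it, or unrelated. The expected LANs (192.168.24.0/24 and 192.168.1.0/24) are taken from the diagram earlier in the message; the sample output is a constructed, trimmed copy of the two flows shown.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's `show crypto ipsec sa` output.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #send errors 195, #recv errors 0
   local  ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident .*?: \(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#(pkts encaps|send errors):? (\d+)")

def parse_sa_flows(text):
    """One dict per flow: local/remote selectors as ip_network objects
    (IOS prints a dotted netmask; 192.0.0.0 becomes /2) plus counters."""
    flows, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":          # a new flow starts here
                cur = {}
                flows.append(cur)
            cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif cur is not None and (m := COUNTER_RE.search(line)):
            cur[m.group(1)] = int(m.group(2))
    return flows

def audit_flows(flows, expected_local, expected_remote):
    """Per selector: 'exact', 'too broad' (covers the LAN and more) or 'mismatch'."""
    want = {"local": ipaddress.ip_network(expected_local), "remote": ipaddress.ip_network(expected_remote)}
    findings = []
    for i, flow in enumerate(flows):
        for side in ("local", "remote"):
            got = flow[side]
            if got == want[side]:
                verdict = "exact"
            elif want[side].subnet_of(got):
                verdict = "too broad"
            else:
                verdict = "mismatch"
            findings.append((i, side, str(got), verdict))
    return findings
```

Running `audit_flows(parse_sa_flows(SAMPLE), "192.168.24.0/24", "192.168.1.0/24")` flags the 0.0.0.0/0 pair and the 192.0.0.0/2 local selector as broader than the LAN, while the 192.168.1.0/24 remote selector is exact.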