[GRLUG] IPSec & CentOS
Adam Tauno Williams
awilliam at whitemice.org
Fri Jan 30 16:40:31 EST 2009
On Fri, 2009-01-30 at 15:49 -0500, Godwin wrote:
> Adam,
>
> Do you have pfs=yes on openswan (does it look like my sample) and are
> you initiating from there or is it the responder? Googling "openswan
> cisco pfs" I found a guy with similar problem. He said changing the
> Cisco to use DH group 2 solved it. What are you using?
If "group 2" isn't specified it fails pretty quickly. pfs=yes/no on the
OpenSWAN side doesn't seem to matter.
> This is the dumb approach, but often times when initially configuring
> a connection, I bounce openswan and dominoes mysteriously fall in
> place. ;-)
If I change the ACL on the Cisco router to "access-list 102 permit ip
any any" then on the OpenSWAN box I get "IPSec SA established tunnel
mode". But with that rule both sides lose all connectivity. So I
really suspect the first problem is something to do with that *@^*$&!^$
rule; but I have *NO* idea at this point what the @&^*@&! it should be.
192.168.24.19/24(e0/1)[Router]X.X.X.X(e0/0)<-->Y.Y.Y.Y(eth0)[OpenSWAN]192.168.1.72/24(eth1)
What seems odd (with the any any rule) is
-------------------
updgate#show crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: VPN, local addr. X.X.X.X
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 216.120.174.237:500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 195, #recv errors 0
local crypto endpt.: X.X.X.X remote crypto endpt.: Y.Y.Y.Y
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 216.120.174.237:500
PERMIT, flags={}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: EC1E6E98
inbound esp sas:
spi: 0xE73EA0FB(3879641339)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4455016/2996)
IV size: 8 bytes
replay detection support: Y
-----------------
Why:
local ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
???? Why is local "192.0.0.0/192.0.0.0/0/0"? Where does that come
from?
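An added example (not part of Adam's or Godwin's messages, and not from the OpenSWAN or Cisco projects) for checking this kind of mismatch: on IOS the "local ident" and "remote ident" that `show crypto ipsec sa` reports are the proxy identities derived from the crypto ACL, and IOS ACL entries take wildcard masks (0 bit = must match, 1 bit = don't care), not subnet masks. The script below computes the ident an ACL entry will produce, flags a wildcard that looks like a subnet mask typed by mistake, and tests whether an observed ident such as 192.0.0.0/192.0.0.0 selects more than the subnet you intended. The ACL lines and subnets in it are constructed for illustration, not taken from the poster's router.

```python
"""Derive IPsec proxy identities from IOS crypto ACL entries and compare
them with what `show crypto ipsec sa` reports.

Added example for this thread; the ACL entries below are constructed
samples, not the poster's configuration.
"""
import ipaddress
from typing import Dict, List, Tuple

ALL_ONES = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def fmt_ident(net: int, mask: int) -> str:
    """Render as IOS does in 'local ident (addr/mask/...)' lines."""
    return f"{ipaddress.IPv4Address(net)}/{ipaddress.IPv4Address(mask)}"


def parse_endpoint(tokens: List[str], i: int) -> Tuple[int, int, int, List[str]]:
    """Parse one 'any' | 'host A' | 'A WILDCARD' endpoint starting at tokens[i].
    Returns (network, mask, next_index, warnings)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0, i + 1, []                 # 0.0.0.0/0.0.0.0: nothing must match
    if tok == "host":
        return _ip(tokens[i + 1]), ALL_ONES, i + 2, []
    addr, wildcard = _ip(tok), _ip(tokens[i + 1])
    warnings = []
    if wildcard & 0x80000000:
        # A wildcard with the top bit set makes the first octet "don't care";
        # almost always a subnet mask (255.255.255.0) typed where 0.0.0.255 belongs.
        warnings.append(f"wildcard {tokens[i + 1]} for {tok} looks like a subnet mask")
    mask = wildcard ^ ALL_ONES                 # IOS stores the inverted wildcard
    return addr & mask, mask, i + 2, warnings


def parse_ace(line: str) -> Dict[str, object]:
    """Parse 'access-list N permit|deny ip SRC DST' into the idents IOS derives."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported entry: {line}")
    snet, smask, i, w1 = parse_endpoint(tokens, 4)
    dnet, dmask, _, w2 = parse_endpoint(tokens, i)
    return {
        "acl": tokens[1],
        "action": tokens[2],
        "src": fmt_ident(snet, smask),   # shown as "local ident" on this router
        "dst": fmt_ident(dnet, dmask),   # shown as "remote ident"
        "warnings": w1 + w2,
    }


def _ident_ints(ident: str) -> Tuple[int, int]:
    net, mask = ident.split("/")
    return _ip(net), _ip(mask)


def covers(ident: str, intended_cidr: str) -> bool:
    """True if the reported ident selects every address of the intended CIDR.
    Works for non-contiguous masks, which IOS permits in ACLs."""
    inet, imask = _ident_ints(ident)
    target = ipaddress.ip_network(intended_cidr, strict=False)
    tnet, tmask = int(target.network_address), int(target.netmask)
    # every bit the ident insists on is also fixed in the intended subnet,
    # and those bits agree
    return (imask & ~tmask & ALL_ONES) == 0 and (tnet & imask) == inet


def is_overbroad(ident: str, intended_cidr: str) -> bool:
    """The ident matches the intended subnet but also traffic outside it."""
    _, imask = _ident_ints(ident)
    tmask = int(ipaddress.ip_network(intended_cidr, strict=False).netmask)
    return covers(ident, intended_cidr) and imask != tmask


# Constructed sample entries (hypothetical, not the poster's ACL 102).
SAMPLE_ACL = [
    "access-list 102 permit ip 192.168.24.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 102 permit ip 192.168.24.0 255.255.255.0 192.168.1.0 0.0.0.255",
    "access-list 102 permit ip any any",
]

if __name__ == "__main__":
    for ace in SAMPLE_ACL:
        r = parse_ace(ace)
        print(f"{ace}\n  local ident {r['src']}  remote ident {r['dst']}")
        for w in r["warnings"]:
            print(f"  WARNING: {w}")
    observed = "192.0.0.0/192.0.0.0"     # the ident the poster saw
    print(f"{observed} over-broad for 192.168.24.0/24:",
          is_overbroad(observed, "192.168.24.0/24"))
```

Run it against your own `access-list` lines and compare the printed idents with the `local ident` / `remote ident` pairs in `show crypto ipsec sa`; an ident whose mask has fewer set bits than your subnet mask (as 192.0.0.0 does against 255.255.255.0) means the SA is negotiating a far larger selector than the LAN behind the router, and the OpenSWAN side's leftsubnet/rightsubnet will not agree with it.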