IOS + OpenSWAN Phase2 problems

whitemice (Guest)
01-30-2009

I have a Cisco 2600 (12.3) at one facility and I need to create an
IPSec tunnel to the main facility via the Internet. The main facility
has an OpenSWAN server for IPSec connectivity. Phase 1 completes but
the only way I can get Phase2 to complete is with an ACL like "permit
ip any any" attached to the crypto map. Clearly that breaks
everything.

ip cef
no ip domain lookup
ip audit po max-events 100
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp key *********** address {REMOTEPUBLICIP}
crypto isakmp keepalive 10
crypto isakmp peer address {REMOTEIP}
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
crypto ipsec profile VPN
set transform-set vpn
!
crypto map VPN 1 ipsec-isakmp
description USD-TO-GRD
set peer {REMOTEPUBLICIP}
set transform-set vpn
set pfs group2
match address 102
!
interface Ethernet0/0
ip address {LOCALPUBLICIP} 255.255.255.224
full-duplex
crypto map VPN
!
interface Ethernet0/1
ip address 192.168.24.19 255.255.255.0
full-duplex
!
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 {PUBLICGATEWAY}
access-list 102 permit ip any any

Otherwise Phase 2 fails with:
....
00:49:34: ISAKMP: transform 0, ESP_3DES
00:49:34: ISAKMP: attributes in transform:
00:49:34: ISAKMP: encaps is 1 (Tunnel)
00:49:34: ISAKMP: SA life type in seconds
00:49:34: ISAKMP: SA life duration (basic) of 28800
00:49:34: ISAKMP: authenticator is HMAC-MD5
00:49:34: ISAKMP (0:6): atts are acceptable.
00:49:34: ISAKMP (0:6): IPSec policy invalidated proposal
00:49:34: ISAKMP (0:6): phase 2 SA policy not acceptable! (local
216.120.174.238 remote 216.120.174.237)
00:49:34: ISAKMP: set new node -1915994121 to QM_IDLE
00:49:34: ISAKMP (0:6): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2197085600, message ID = -1915994121
....

Once the tunnel comes up with the any/any ACL rule "show crypto ipsec
sa" looks like:

interface: Ethernet0/0
Crypto map tag: VPN, local addr. X.X.X.X
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: 216.120.174.237:500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 195, #recv errors 0
local crypto endpt.: X.X.X.X remote crypto endpt.: Y.Y.Y.Y
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
<<<<<<<<<<<<<<<
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
<<<<<<<<<<<<
current_peer: Y.Y.Y.Y:500
PERMIT, flags={}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: EC1E6E98
inbound esp sas:
spi: 0xE73EA0FB(3879641339)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
sa timing: remaining key lifetime (k/sec): (4455016/2996)
IV size: 8 bytes
replay detection support: Y

I don't understand why the local ident is 192.0.0.0 in
....
local ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
remote ident (addr/mask/prot/port):
(192.168.1.0/255.255.255.0/0/0)
....

Can that be related to why no reasonable ACL rules work?
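Added example, not part of the original post and not IOS or OpenSWAN code: a small Python checker that turns a Cisco crypto ACL and an OpenSWAN conn stanza into Phase 2 selector pairs and compares them, the way a reviewer would before attaching the ACL to the crypto map. The Phase 2 proposal carries the local/remote identities derived from the crypto ACL on the IOS side and from leftsubnet/rightsubnet on the OpenSWAN side; when the two pairs are not mirror images of each other, the responder answers PROPOSAL_NOT_CHOSEN, and when the ACL is "permit ip any any" the identities become 0.0.0.0/0, which the peer may accept but which also steers every packet leaving the interface into the tunnel. Assumptions: the ACL number 102 comes from the post, the conn stanza, its addresses and the choice of the Cisco router as the `right` side are constructed here, and only `permit ip` entries (any, host, address/wildcard) are parsed. The ident lines from the "show crypto ipsec sa" output in the post are also parsed, which shows that the odd local ident 192.0.0.0/192.0.0.0 is the /2 network rather than anything resembling 192.168.24.0/24.

```python
import ipaddress
import re

# Constructed sample inputs (not from the original post). The crypto ACL is the
# kind of entry the router needs instead of "permit ip any any"; the conn stanza
# is the matching OpenSWAN side. Public addresses are documentation ranges.
CISCO_ACL = """
access-list 102 permit ip 192.168.24.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

OPENSWAN_CONN = """
conn usd-to-grd
    left=198.51.100.5
    leftsubnet=192.168.1.0/24
    right=203.0.113.10
    rightsubnet=192.168.24.0/24
    auto=start
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.*)$")
IDENT_RE = re.compile(r"ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)")


def _mask_to_prefix(mask_int):
    """Prefix length of a contiguous netmask; ValueError if the mask has holes."""
    if (mask_int + (mask_int & -mask_int)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous netmask 0x%08x" % mask_int)
    return bin(mask_int).count("1")


def netmask_to_network(addr, netmask):
    """addr/netmask as printed by 'show crypto ipsec sa' -> ip_network."""
    prefix = _mask_to_prefix(int(ipaddress.IPv4Address(netmask)))
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def wildcard_to_network(addr, wildcard):
    """addr/wildcard as written in a Cisco ACL -> ip_network (wildcard is inverted)."""
    mask_int = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{_mask_to_prefix(mask_int)}", strict=False)


def _parse_endpoint(tokens):
    """Consume one ACL source/destination spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_crypto_acl(text, number):
    """(local, remote) selector pairs that the numbered crypto ACL permits."""
    pairs = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m or int(m.group(1)) != number or m.group(2) != "permit":
            continue
        src, rest = _parse_endpoint(m.group(3).split())
        dst, _ = _parse_endpoint(rest)
        pairs.append((src, dst))
    return pairs


def parse_openswan_conn(text):
    """Flatten a conn stanza into a dict of its key=value settings."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def expected_selectors(conf, cisco_side="right"):
    """(local, remote) subnets from the Cisco router's point of view."""
    other = "left" if cisco_side == "right" else "right"
    return (ipaddress.ip_network(conf[cisco_side + "subnet"]),
            ipaddress.ip_network(conf[other + "subnet"]))


def parse_ident(line):
    """Network from a 'local ident'/'remote ident' line of 'show crypto ipsec sa'."""
    return netmask_to_network(*IDENT_RE.search(line).groups())


def classify(local, remote, expected):
    """'match' if the pair equals the peer's selectors; 'overbroad' if either side
    is 0.0.0.0/0 (all traffic steered into the tunnel); otherwise 'mismatch'."""
    if (local, remote) == expected:
        return "match"
    if local.prefixlen == 0 or remote.prefixlen == 0:
        return "overbroad"
    return "mismatch"


def run_check(acl_text, conn_text, acl_number=102, cisco_side="right"):
    """Compare every permit entry of the crypto ACL with the OpenSWAN conn."""
    expected = expected_selectors(parse_openswan_conn(conn_text), cisco_side)
    return [(classify(l, r, expected), str(l), str(r))
            for l, r in parse_crypto_acl(acl_text, acl_number)]


if __name__ == "__main__":
    for verdict, local, remote in run_check(CISCO_ACL, OPENSWAN_CONN):
        print(f"{verdict:9} local={local} remote={remote}")
    print(run_check("access-list 102 permit ip any any", OPENSWAN_CONN))
    print(parse_ident("local ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)"))
```

The checker treats the any/any entry as a finding rather than a fix: it is accepted by the peer only because 0.0.0.0/0 covers whatever the other side proposes, and it has the side effect of pulling all non-tunnel traffic into the crypto map. Non-contiguous wildcard masks are rejected outright, since they have no CIDR form and can never produce a Phase 2 identity the peer can match.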