IOS + OpenSWAN Phase2 problems

Discussion in 'Cisco' started by whitemice, Jan 30, 2009.

    I have a Cisco 2600 (12.3) at one facility and I need to create an
    IPSec tunnel to the main facility via the Internet. The main facility
    has an OpenSWAN server for IPSec connectivity. Phase 1 completes, but
    the only way I can get Phase 2 to complete is with an ACL like "permit
    ip any any" attached to the crypto map. Clearly that breaks
    everything.

    ip cef
    no ip domain lookup
    ip audit po max-events 100
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    lifetime 28800
    !
    crypto isakmp key *********** address {REMOTEPUBLICIP}
    crypto isakmp keepalive 10
    crypto isakmp peer address {REMOTEIP}
    crypto ipsec transform-set vpn esp-3des esp-md5-hmac
    crypto ipsec profile VPN
    set transform-set vpn
    !
    crypto map VPN 1 ipsec-isakmp
    description USD-TO-GRD
    set peer {REMOTEPUBLICIP}
    set transform-set vpn
    set pfs group2
    match address 102
    !
    interface Ethernet0/0
    ip address {LOCALPUBLICIP} 255.255.255.224
    full-duplex
    crypto map VPN
    !
    interface Ethernet0/1
    ip address 192.168.24.19 255.255.255.0
    full-duplex
    !
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 {PUBLICGATEWAY}
    access-list 102 permit ip any any

    Otherwise Phase 2 fails with:
    ....
    00:49:34: ISAKMP: transform 0, ESP_3DES
    00:49:34: ISAKMP: attributes in transform:
    00:49:34: ISAKMP: encaps is 1 (Tunnel)
    00:49:34: ISAKMP: SA life type in seconds
    00:49:34: ISAKMP: SA life duration (basic) of 28800
    00:49:34: ISAKMP: authenticator is HMAC-MD5
    00:49:34: ISAKMP (0:6): atts are acceptable.
    00:49:34: ISAKMP (0:6): IPSec policy invalidated proposal
    00:49:34: ISAKMP (0:6): phase 2 SA policy not acceptable! (local
    216.120.174.238 remote 216.120.174.237)
    00:49:34: ISAKMP: set new node -1915994121 to QM_IDLE
    00:49:34: ISAKMP (0:6): Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
    spi 2197085600, message ID = -1915994121
    ....

    Once the tunnel comes up with the any/any ACL rule, "show crypto ipsec
    sa" looks like:

    interface: Ethernet0/0
    Crypto map tag: VPN, local addr. X.X.X.X
    protected vrf:
    local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer: 216.120.174.237:500
    PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 195, #recv errors 0
    local crypto endpt.: X.X.X.X remote crypto endpt.: Y.Y.Y.Y
    path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
    current outbound spi: 0
    inbound esp sas:
    inbound ah sas:
    inbound pcp sas:
    outbound esp sas:
    outbound ah sas:
    outbound pcp sas:
    protected vrf:
    local ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0) <<<<<<<<<<<<<<<
    remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0) <<<<<<<<<<<<
    current_peer: Y.Y.Y.Y:500
    PERMIT, flags={}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
    local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y
    path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
    current outbound spi: EC1E6E98
    inbound esp sas:
    spi: 0xE73EA0FB(3879641339)
    transform: esp-3des esp-md5-hmac ,
    in use settings ={Tunnel, }
    slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN
    sa timing: remaining key lifetime (k/sec): (4455016/2996)
    IV size: 8 bytes
    replay detection support: Y

    I don't understand why the local ident is 192.0.0.0 in
    ....
    local ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    ....

    Can that be related to why no reasonable ACL rules work?
     
    whitemice, Jan 30, 2009
    #1
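An added example, not from the thread or from Cisco/OpenSWAN: the debug output above shows the router rejecting the peer's Phase 2 proposal ("IPSec policy invalidated proposal", PROPOSAL_NOT_CHOSEN), and the working SA shows the odd local ident 192.0.0.0/192.0.0.0. This script decodes the addr/netmask idents from "show crypto ipsec sa" into CIDR, decodes IOS wildcard ACL entries, and models the responder's selector check as "the proposed local/remote pair must fit inside one permit entry" (an assumption for this example, not a statement of the exact IOS algorithm). The sample SA lines and the narrow ACL are constructed from the thread's values.

```python
import ipaddress
import re

# Constructed sample: the two ident lines from the thread's second SA, plus
# the kind of crypto ACL the poster wanted instead of "permit ip any any".
SA_OUTPUT = """\
local ident (addr/mask/prot/port): (192.0.0.0/192.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
"""
NARROW_ACL = ["permit ip 192.168.24.0 0.0.0.255 192.168.1.0 0.0.0.255"]
ANY_ACL = ["permit ip any any"]

IDENT_RE = re.compile(r"(local|remote) ident .*?\((\S+?)/(\S+?)/\d+/\d+\)")


def parse_idents(text):
    """Map 'local'/'remote' to the network each addr/netmask ident encodes.
    A netmask of 192.0.0.0 is a contiguous /2, so the thread's local ident
    decodes to 192.0.0.0/2, i.e. a quarter of the IPv4 space."""
    nets = {}
    for side, addr, mask in IDENT_RE.findall(text):
        nets[side] = ipaddress.ip_network((addr, mask), strict=False)
    return nets


def acl_entry_to_nets(entry):
    """Turn 'permit ip <src> <wc> <dst> <wc>' into (src_net, dst_net).
    IOS wildcard masks are inverted netmasks; invert them explicitly so
    0.0.0.0 and 255.255.255.255 are not misread by ipaddress."""
    tok = entry.split()
    if tok[:2] != ["permit", "ip"]:
        raise ValueError("only 'permit ip' entries are modelled: " + entry)

    def take(i):
        if tok[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        if tok[i] == "host":
            return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        mask = (~int(ipaddress.IPv4Address(tok[i + 1]))) & 0xFFFFFFFF
        netmask = str(ipaddress.IPv4Address(mask))
        return ipaddress.ip_network((tok[i], netmask), strict=False), i + 2

    src, i = take(2)
    dst, _ = take(i)
    return src, dst


def matching_entry(acl, idents):
    """Modelled responder check (assumption): the peer's proposed local and
    remote selectors must both sit inside one entry's source/destination.
    Returns the accepting entry, or None (the PROPOSAL_NOT_CHOSEN case)."""
    for entry in acl:
        src, dst = acl_entry_to_nets(entry)
        if idents["local"].subnet_of(src) and idents["remote"].subnet_of(dst):
            return entry
    return None
```

Running `matching_entry(NARROW_ACL, parse_idents(SA_OUTPUT))` returns None while the any/any entry matches, which is the behaviour the thread describes; a proposal whose local side is 192.168.24.0/24 would match the narrow entry.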