cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3000
Views
0
Helpful
2
Replies

Cisco ASA 5505 and Linux openswan site2site

rpiccirillo
Level 1
Level 1

Hi, I'm trying to configure a vpn site2site between cisco 5505 and openswan. It seems that the configurations are ok but after the phase 2 succeeded the tunnel goes down... Here is the debug log. Any suggests will be appreciated!

Aug 11 11:58:26 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 1 COMPLETED

Aug 11 11:58:26 [IKEv1]: IP = 192.168.0.67, Keep-alive type for this connection: DPD

Aug 11 11:58:26 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Starting P1 rekey timer: 2700 seconds.

Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.132.0, Mask 255.255.255.0, Protocol 0, Port 0

Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Received local IP Proxy Subnet data in ID Payload: Address 192.168.70.0, Mask 255.255.255.0, Protocol 0, Port 0

Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, QM IsRekeyed old sa not found by addr

Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Static Crypto Map check, checking map = IPsec_map, seq = 1...

Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Static Crypto Map check, map IPsec_map, seq = 1 is a successful match

Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE Remote Peer configured for crypto map: IPsec_map

Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, processing IPSec SA payload

Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, IPSec SA Proposal # 0, Transform # 0 acceptable Matches global IPSec SA entry # 1

Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE: requesting SPI!

Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Transmitting Proxy Id:

Remote subnet: 192.168.132.0 Mask 255.255.255.0 Protocol 0 Port 0

Local subnet: 192.168.70.0 mask 255.255.255.0 Protocol 0 Port 0

Aug 11 11:58:37 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Security negotiation complete for LAN-to-LAN Group (192.168.0.67) Responder, Inbound SPI = 0xa4313201, Outbound SPI = 0x71309508

Aug 11 11:58:37 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Starting P2 rekey timer: 27355 seconds.

Aug 11 11:58:37 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 2 COMPLETED (msgid=f63e5a21)

Aug 11 11:58:43 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)

Aug 11 11:58:43 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, IKE Deleting SA: Remote Proxy 192.168.132.0, Local Proxy 192.168.70.0

Aug 11 11:58:43 [IKEv1]: Ignoring msg to mark SA with dsID 208896 dead because SA deleted

Aug 11 11:58:45 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping

Aug 11 11:58:50 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping

2 Replies 2

slmansfield
Level 4
Level 4

It looks like the ASA is dropping the connection because it is not getting a "Dead Peer Detection" (DPD) response from the Linux box. My feeling is that the Linux box simply does not use DPD.

I would try disabling DPD on the ASA. The following URL has been very helpful to me in diagnosing VPN problems. I hope it is of help to you.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

Thanks a lot for the useful link, I'll try that way.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: