
VPN between Linux Openswan and Cisco IOS

hi,

is it possible to make this work between a linux box and a cisco 3660 running 12.4k?

i found a lot of tutorials with pix and asa but not with ios.

my problem is in the phase 1 main mode exchange:


debug crypto isakmp

*Mar  1 02:49:32.075: ISAKMP: received ke message (1/1)
*Mar  1 02:49:32.075: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 02:49:32.079: ISAKMP: Created a peer struct for 10.0.0.1, peer port 500
*Mar  1 02:49:32.079: ISAKMP: New peer created peer = 0x655DC1D0 peer_handle = 0x80000011
*Mar  1 02:49:32.079: ISAKMP: Locking peer struct 0x655DC1D0, IKE refcount 1 for isakmp_initiator
*Mar  1 02:49:32.079: ISAKMP: local port 500, remote port 500
*Mar  1 02:49:32.079: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 02:49:32.083: insert sa successfully sa = 64D8F30C
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0):found peer pre-shared key matching 10.0.0.1
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0): beginning Main Mode exchange
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:49:42.083: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 02:49:42.083: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 02:49:42.083: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 02:49:42.087: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:49:52.087: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 02:49:52.087: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 02:49:52.087: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 02:49:52.091: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:50:02.075: ISAKMP: received ke message (1/1)
*Mar  1 02:50:02.075: ISAKMP: set new node 0 to QM_IDLE
*Mar  1 02:50:02.079: ISAKMP:(0:0:N/A:0):SA is still budding. Attached new ipsec request to it. (local 10.0.0.2, remote 10.0.0.1)
*Mar  1 02:50:02.091: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 02:50:02.091: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 02:50:02.091: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 02:50:02.091: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:50:12.091: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 02:50:12.091: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 02:50:12.091: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 02:50:12.095: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:50:22.095: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE...
*Mar  1 02:50:22.095: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 02:50:22.095: ISAKMP:(0:0:N/A:0): retransmitting phase 1 MM_NO_STATE
*Mar  1 02:50:22.099: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:50:32.075: ISAKMP: received ke message (3/1)
*Mar  1 02:50:32.075: ISAKMP:(0:0:N/A:0):peer does not do paranoid keepalives.
*Mar  1 02:50:32.075: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.0.0.1)
*Mar  1 02:50:32.083: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.0.0.1)
*Mar  1 02:50:32.083: ISAKMP: Unlocking IKE struct 0x655DC1D0 for isadb_mark_sa_deleted(), count 0
*Mar  1 02:50:32.083: ISAKMP: Deleting peer node by peer_reap for 10.0.0.1: 655DC1D0
*Mar  1 02:50:32.087: ISAKMP:(0:0:N/A:0):deleting node 753657359 error FALSE reason "IKE deleted"
*Mar  1 02:50:32.087: ISAKMP:(0:0:N/A:0):deleting node 426930719 error FALSE reason "IKE deleted"
*Mar  1 02:50:32.087: ISAKMP:(0:0:N/A:0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 02:50:32.087: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

###################################
sh run on cisco 3660:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco address 10.0.0.1
!
!
crypto ipsec transform-set toto esp-des esp-md5-hmac
!
crypto map zz 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set toto
match address 100
######################################################
vi /etc/ipsec.conf on linux box:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        #nat_traversal=yes
        #virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0
        protostack=netkey
conn net-to-net
        #
        # Simply use raw RSA keys
        # After starting openswan, run:
        # ipsec showhostkey --left (or --right)
        # and fill in the connection similarly
        # to the example below.
        # fedora12
        left=10.0.0.1
        # The remote user.
        #
        #cisco3660
        right=10.0.0.2
        authby=secret
        #type=tunnel
        auto=start
        esp=3des-md5
        keyexchange=ike
        pfs=no
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
#include /etc/ipsec.d/*.conf

thanks for your help,
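As an added example (not part of the post above): a small Python helper that reads the IOS `debug crypto isakmp` output posted here and reports the furthest Main Mode state the initiator reached and why the SA was torn down. On this capture the SA never leaves IKE_I_MM1 and all five retransmits expire, meaning the first Main Mode message was never answered, so reachability to the peer on UDP 500 and whether the Openswan daemon is actually listening are the things to confirm before comparing proposals. The log excerpt is constructed from the lines above; the state-order list is IOS's IKEv1 initiator state names.

```python
import re

# Constructed excerpt of the 'debug crypto isakmp' output posted above
# (only the lines that carry state; repeated "sending packet" lines dropped).
DEBUG_LOG = """\
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0):Old State = IKE_READY  New State = IKE_I_MM1
*Mar  1 02:49:32.083: ISAKMP:(0:0:N/A:0): sending packet to 10.0.0.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  1 02:49:42.083: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 02:49:52.087: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Mar  1 02:50:02.091: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Mar  1 02:50:12.091: ISAKMP (0:0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Mar  1 02:50:22.095: ISAKMP (0:0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Mar  1 02:50:32.075: ISAKMP:(0:0:N/A:0):deleting SA reason "P1 delete notify (in)" state (I) MM_NO_STATE (peer 10.0.0.1)
*Mar  1 02:50:32.087: ISAKMP:(0:0:N/A:0):Old State = IKE_I_MM1  New State = IKE_DEST_SA
"""

RETRANSMIT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
DELETE = re.compile(r'deleting SA reason "([^"]+)" state \(I\) (\S+) \(peer (\S+)\)')
# Initiator Main Mode states in the order IOS walks through them.
MM_ORDER = ["IKE_READY", "IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3",
            "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6", "IKE_P1_COMPLETE"]

def triage_phase1(log):
    """Return how far an IOS initiator got in IKEv1 Main Mode and why it stopped."""
    attempts, limit, states, delete_reason, peer = 0, None, [], None, None
    for line in log.splitlines():
        if m := RETRANSMIT.search(line):
            attempts, limit = int(m.group(1)), int(m.group(2))
        elif m := STATE.search(line):
            states.extend(m.groups())          # both old and new state names
        elif m := DELETE.search(line):
            delete_reason, peer = m.group(1), m.group(3)
    reached = max((s for s in states if s in MM_ORDER), key=MM_ORDER.index, default=None)
    if reached is None:
        verdict = "no-isakmp-state-seen"
    elif reached == "IKE_I_MM1" and limit is not None and attempts >= limit:
        verdict = "no-reply-to-MM1"            # MM1 retransmitted to exhaustion, never answered
    elif reached == "IKE_P1_COMPLETE":
        verdict = "phase1-complete"
    else:
        verdict = "phase1-stalled-at-" + reached
    return {"reached": reached, "attempts": attempts, "limit": limit,
            "final_state": states[-1] if states else None,
            "delete_reason": delete_reason, "peer": peer, "verdict": verdict}

if __name__ == "__main__":
    for key, value in triage_phase1(DEBUG_LOG).items():
        print(f"{key:14} {value}")
```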
