
Re: [suse-security] IPSec question (freeswan + cisco)



Hello,

I don't know much about openswan.
I have used freeswan for a long time, and now I use strongswan.
The message you get may be because you have PFS (perfect forward secrecy) enabled and
the Cisco box does not. --- OR ---
There is no secret in the secrets file (ipsec.secret in freeswan). --- OR ---
The subnet configuration on your box is not the same as on the Cisco box (this is my favourite error ;-) ). --- OR ---
The subnet is already in use by another tunnel on the Cisco box.

Hope this helps
Robert


-----Original Message-----
From: Aleksandar Ivanovski [mailto:dambo5@xxxxxxxxx] 
Sent: Friday, 6 May 2005 14:19
To: Dana Hudes
Cc: suse-security@xxxxxxxx
Subject: Re: [suse-security] IPSec question (freeswan + cisco)

OK, I have migrated to openswan.

I installed it successfully, and here are the log messages that I get on my linux box:

May  6 12:23:42 encmail pluto[5947]: "mm" #1: initiating Main Mode
May  6 12:23:42 encmail ipsec__plutorun: 104 "mm" #1: STATE_MAIN_I1: initiate
May  6 12:23:42 encmail ipsec__plutorun: ...could not start conn "mm"
May  6 12:23:44 encmail pluto[5947]: "mm" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May  6 12:23:48 encmail pluto[5947]: "mm" #1: ignoring Vendor ID payload [01a3437e1d6102df5918a08c21f0ad33]
May  6 12:23:48 encmail pluto[5947]: "mm" #1: I did not send a certificate because I do not have one.
May  6 12:23:48 encmail pluto[5947]: "mm" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May  6 12:23:49 encmail pluto[5947]: "mm" #1: Peer ID is ID_IPV4_ADDR: '195.26.157.18'
May  6 12:23:49 encmail pluto[5947]: "mm" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May  6 12:23:49 encmail pluto[5947]: "mm" #1: ISAKMP SA established
May  6 12:23:49 encmail pluto[5947]: "mm" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
May  6 12:23:53 encmail pluto[5947]: "mm" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
May  6 12:23:53 encmail pluto[5947]: "mm" #1: received and ignored informational message
May  6 12:24:59 encmail pluto[5947]: "mm" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal


I am desperate and have no idea what to do next.

Here is the Cisco log on the other side:

2w1d: %CRYPTO-4-IKMP_NO_SA: IKE message from 82.214.208.99 has no SA (Security Associations) and is not an initialization offer

Looking forward to hearing from you

aleks
--- Dana Hudes <dhudes@xxxxxxxxxxx> wrote:

> freeswan is no longer under active development or maintenance by its 
> developers, per the project home page.
> I suggest you find an alternative ipsec implementation...perhaps 
> openvpn will suit your needs.
> 
> 
> On Wed, 4 May 2005, Aleksandar Ivanovski wrote:
> 
> > Hi List,
> > 
> > I have installed freeswan on suse9.0 pro,
> > 2.4.21-99-default .
> > freeswan-1.99_0.9.34-27
> > freeswan.ca says that 2.4.2x+ works OK with freeswan1.99
> > 
> > The remote site uses cisco IPSec. Since I am very new
> > to IPSec issues, sorry for the stupid questions below.
> > The other site gave me this information:
> > 
> > PHASE1 (ISAKMP):
> > encryption algorithm: 3DES
> > hash algorithm: Secure Hash Standard
> > authentication method: Pre-Shared Key
> > Diffie-Hellman group: #2 (1024 bit)
> > lifetime: 86400 seconds, no volume limit
> > 
> > PHASE2 (IPSEC):
> > encryption algorithm: 3DES
> > hash algorithm: Secure Hash Standard
> > Security association lifetime 4608000 kilobytes/3600 seconds
> > No PFS
> > 
> > and that all we need to do is exchange the pre-shared
> > keys and IP addresses.
> > 
> > 
> > First question is whether it is possible at all to
> > establish such a connection?
> > 
> > I have been reading a pdf "Implementing site-to-site
> > ipsec between cisco router and freeswan" and have done
> > all the steps.
> > 
> > I am attaching here the conf files and the logs:
> > 
> > config setup
> > # THIS SETTING MUST BE CORRECT or almost nothing will work;
> > # %defaultroute is okay for most simple cases.
> > interfaces="ipsec0=eth0"
> > # Debug-logging controls: "none" for (almost) none, "all" for lots.
> > klipsdebug=none
> > plutodebug=none
> > # Use auto= parameters in conn descriptions to control startup actions.
> > plutoload=%search
> > plutostart=%search
> > # Close down old connection when new one using same ID shows up.
> > uniqueids=yes
> > ......
> > 
> > conn freeswan-cisco
> > # Left security gateway, subnet behind it, next hop toward right.
> > left=hidden IP address
> > leftsubnet=10.1.10.0/24 (my LAN)
> > leftnexthop= gateway that takes me to internet (static IP)
> > # Right security gateway, subnet behind it, next hop toward left.
> > right= IP provided by the operator
> > rightsubnet=
> > rightnexthop=
> > # To authorize this connection, but not actually start it, at startup,
> > # uncomment this.
> > auto=add
> > authby=secret
> > 
> > 
> > and add a row at the end of ipsec.secrets:
> > theirIP myIP : PSK "shared-key that was sent to me by the operator"
> > 
> > /var/log/messages:
> > 
> > Apr 29 14:57:14 linux pluto[4663]: "freeswan-cisco" #1: initiating Main Mode
> > Apr 29 14:57:17 linux pluto[4663]: "freeswan-cisco" #1: Can't authenticate: no preshared key found for `10.1.10.176' and `195.26.157.18'. Attribute OAKLEY_AUTHENTICATION_METHOD
> > Apr 29 14:57:17 linux pluto[4663]: "freeswan-cisco" #1: no acceptable Oakley Transform
> > Apr 29 14:57:17 linux pluto[4663]: "freeswan-cisco" #1: sending notification NO_PROPOSAL_CHOSEN to 195.26.157.18:500
> > Apr 29 14:57:26 linux pluto[4663]: "freeswan-cisco" #1: Can't authenticate: no preshared key found for `10.1.10.176' and `195.26.157.18'. Attribute OAKLEY_AUTHENTICATION_METHOD
> > 
> > 
> > Since I do not know where to read or where to search
> > for these error messages, please drop a few lines:
> > anything, links, pdfs, what the solution for the errors is
> > .....
> > 
> > 10x to you all
> > 
> > 
> > -- 
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here



		
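The pluto and Cisco log lines quoted in this thread, run through a small triage script. This is an added example, not code from the FreeS/WAN, Openswan or strongSwan projects and not from any poster: the regexes and the remedy strings are this example's own, the remedies encode the Phase 1 / Phase 2 parameters the Cisco side quoted in the thread (written in Openswan ipsec.conf syntax), and the addresses 192.0.2.10, 198.51.100.1 and 192.168.50.0/24 in the usage part are placeholders for the values the thread hides or leaves blank.

```python
"""Triage of the pluto / Cisco log lines in this thread against the
Cisco-supplied IKE parameters.  Added example; regexes and remedies are
this example's own, not FreeS/WAN, Openswan or strongSwan code."""
import re

# Phase 1 / Phase 2 parameters as quoted by the Cisco side, in ipsec.conf syntax.
CISCO_PARAMS = {
    "authby": "secret",            # pre-shared key
    "ike": "3des-sha1-modp1024",   # 3DES, SHA-1, DH group 2 (1024 bit)
    "ikelifetime": "86400s",       # Phase 1 lifetime
    "esp": "3des-sha1",            # Phase 2 transform
    "keylife": "3600s",            # Phase 2 time lifetime (the 4608000 KB limit is Cisco-side)
    "pfs": "no",                   # "No PFS"; FreeS/WAN and Openswan default to pfs=yes
}

# Message shapes taken from the thread's own log lines.
_NO_PSK = re.compile(r"no preshared key found for `([^']+)' and `([^']+)'")
_NO_TRANSFORM = re.compile(r"no acceptable Oakley Transform")
_P1_OK = re.compile(r"ISAKMP SA established")
_QM_START = re.compile(r"initiating Quick Mode")
_QM_REJECT = re.compile(r"NO_PROPOSAL_CHOSEN|reached STATE_QUICK_I1")
_CISCO_NO_SA = re.compile(r"%CRYPTO-4-IKMP_NO_SA")


def ipsec_secrets_line(mine, theirs, psk):
    """One ipsec.secrets entry indexed by the two IKE IDs pluto will look up."""
    return '%s %s : PSK "%s"' % (mine, theirs, psk)


def triage(lines):
    """Map log lines to (finding, remedy) pairs, one per finding, in log order."""
    findings, seen, quick_mode = [], set(), False

    def add(kind, remedy):
        if kind not in seen:
            seen.add(kind)
            findings.append((kind, remedy))

    for line in lines:
        m = _NO_PSK.search(line)
        if m:
            mine, theirs = m.groups()
            # pluto looks the PSK up by the two IKE IDs it prints; the secrets entry
            # must use exactly these, or leftid= must name the ID the peer expects.
            add("psk_id_mismatch",
                "ipsec.secrets needs: %s" % ipsec_secrets_line(mine, theirs, "<psk>")
                + "; if %s is not the address the peer expects, set leftid=" % mine)
        elif _NO_TRANSFORM.search(line):
            # Without a usable PSK pluto cannot offer PSK auth, so this line follows
            # from the PSK finding; report a real proposal mismatch only otherwise.
            if "psk_id_mismatch" not in seen:
                add("phase1_proposal_mismatch",
                    "set ike=%s and authby=%s" % (CISCO_PARAMS["ike"], CISCO_PARAMS["authby"]))
        elif _P1_OK.search(line):
            add("phase1_ok", "Phase 1 parameters and PSK agree; nothing to change there")
        elif _QM_START.search(line):
            quick_mode = True
        elif quick_mode and _QM_REJECT.search(line):
            add("phase2_proposal_mismatch",
                "set pfs=%s, esp=%s, keylife=%s and make leftsubnet/rightsubnet match "
                "the peer's crypto ACL exactly" % (CISCO_PARAMS["pfs"], CISCO_PARAMS["esp"],
                                                    CISCO_PARAMS["keylife"]))
        elif _CISCO_NO_SA.search(line):
            add("peer_has_no_sa",
                "peer reports an IKE message for which it holds no SA; fix the Phase 2 "
                "mismatch, then restart the conn so both sides renegotiate from Phase 1")
    return findings


def ipsec_conf_conn(name, left, leftsubnet, right, rightsubnet, leftid=None):
    """Render a conn section matching CISCO_PARAMS (Openswan syntax)."""
    out = ["conn %s" % name, "\tleft=%s" % left, "\tleftsubnet=%s" % leftsubnet]
    if leftid:
        out.append("\tleftid=%s" % leftid)  # ID the peer expects, e.g. the public address
    out += ["\tright=%s" % right, "\trightsubnet=%s" % rightsubnet]
    out += ["\t%s=%s" % (k, CISCO_PARAMS[k]) for k in
            ("authby", "ike", "ikelifetime", "esp", "keylife", "pfs")]
    out.append("\tauto=add")
    return "\n".join(out) + "\n"


# Log lines as posted in the thread, trimmed to the parts the regexes use.
FREESWAN_LOG = [
    'pluto[4663]: "freeswan-cisco" #1: initiating Main Mode',
    'pluto[4663]: "freeswan-cisco" #1: Can\'t authenticate: no preshared key found for '
    "`10.1.10.176' and `195.26.157.18'. Attribute OAKLEY_AUTHENTICATION_METHOD",
    'pluto[4663]: "freeswan-cisco" #1: no acceptable Oakley Transform',
    'pluto[4663]: "freeswan-cisco" #1: sending notification NO_PROPOSAL_CHOSEN to 195.26.157.18:500',
]
OPENSWAN_LOG = [
    'pluto[5947]: "mm" #1: ISAKMP SA established',
    'pluto[5947]: "mm" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}',
    'pluto[5947]: "mm" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN',
    'pluto[5947]: "mm" #2: max number of retransmissions (2) reached STATE_QUICK_I1.',
    "2w1d: %CRYPTO-4-IKMP_NO_SA: IKE message from 82.214.208.99 has no SA",
]

if __name__ == "__main__":
    for log in (FREESWAN_LOG, OPENSWAN_LOG):
        for kind, remedy in triage(log):
            print("%-26s %s" % (kind, remedy))
    # Placeholder addresses (documentation ranges); the thread hides the real ones
    # and leaves rightsubnet blank.
    print(ipsec_conf_conn("freeswan-cisco", "192.0.2.10", "10.1.10.0/24",
                          "198.51.100.1", "192.168.50.0/24", leftid="192.0.2.10"))
```

The first log turns on one detail: pluto looks the pre-shared key up by the two IKE identities it prints (`10.1.10.176' and `195.26.157.18'), so the ipsec.secrets index has to use those exact IDs, or leftid= has to be set to the address the peer expects; the "no acceptable Oakley Transform" line that follows is a consequence of that lookup failing, not a second problem. The second log shows Phase 1 completing and only Quick Mode being refused, which is where pfs=, esp=, keylife= and the leftsubnet/rightsubnet pair are compared against the Cisco side.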