Re: [Users] Freeswan - Cisco

From: greg (greg_at_diverdown.cc)
Date: Tue Jan 14 2003 - 20:12:15 CET


Here are some configs for Cisco to FreeS/WAN that I have used... what kind
of Cisco device are you connecting to? I have had no problems putting 3DES
on Cisco; that way you don't have to use the single-DES patch for FreeS/WAN.

http://www.diverdown.cc/vpn

Greg

> Hi,
>
> I'll try to set up a VPN with a FreeS/WAN peer and a Cisco
> router peer.
> We use FreeS/WAN + DES patch, because the Cisco only accepts
> this.
>
> We have some problems, and these are the FreeS/WAN and Cisco
> logs.
> Please, any help is appreciated.
>
> Regards,
> Cláuudio.
>
> Freeswan log
> --------------------
> Jan 13 15:09:11 iserver ipsec__plutorun: Starting Pluto
> subsystem...
> Jan 13 15:09:11 iserver Pluto[21036]: Starting Pluto
> (FreeS/WAN Version 1.95)
> Jan 13 15:09:11 iserver Pluto[21036]: added connection
> description "ifsvpn"
> Jan 13 15:09:11 iserver Pluto[21036]: listening for IKE
> messages
> Jan 13 15:09:11 iserver Pluto[21036]: adding interface
> ipsec0/eth1 200.223.26.155
> Jan 13 15:09:11 iserver Pluto[21036]: loading secrets from
> "/etc/ipsec.secrets"
> Jan 13 15:09:35 iserver Pluto[21036]: "ifsvpn" #1:
> initiating Main Mode
> Jan 13 15:09:37 iserver Pluto[21036]: "ifsvpn" #1:
> ignoring Vendor ID payload
> Jan 13 15:09:37 iserver Pluto[21036]: "ifsvpn" #1:
> encrypted Informational Exchange message is invalid
> because it is for incomplete ISAKMP SA
> Jan 13 15:10:47 iserver Pluto[21036]: "ifsvpn" #1: max
> number of retransmissions (2) reached STATE_MAIN_I3.
> Possible authentication failure: no acceptable response
> to our first encrypted message
> Jan 13 15:10:47 iserver Pluto[21036]: "ifsvpn" #1:
> starting keying attempt 2 of an unlimited number, but
> releasing whack
> Jan 13 15:10:47 iserver Pluto[21036]: "ifsvpn" #2:
> initiating Main Mode to replace #1
> Jan 13 15:10:48 iserver Pluto[21036]: "ifsvpn" #2:
> ignoring Vendor ID payload
> Jan 13 15:10:49 iserver Pluto[21036]: "ifsvpn" #2:
> encrypted Informational Exchange message is invalid
> because it is for incomplete ISAKMP SA
>
> Cisco log
> ----------------
> 7w4d: ISAKMP (0:30): beginning Main Mode exchange
> 7w4d: ISAKMP (30): sending packet to 200.223.26.155 (I)
> MM_NO_STATE
> 7w4d: ISAKMP (30): received packet from 200.223.26.155 (I)
> MM_NO_STATE
> 7w4d: ISAKMP (0:30): processing SA payload. message ID = 0
> 7w4d: ISAKMP (0:30): Checking ISAKMP transform 1 against
> priority 1 policy
> 7w4d: ISAKMP: encryption DES-CBC
> 7w4d: ISAKMP: hash SHA
> 7w4d: ISAKMP: default group 2
> 7w4d: ISAKMP: auth pre-share
> 7w4d: ISAKMP (0:30): atts are acceptable. Next payload is
> 0
> 7w4d: CryptoEngine0: generate alg parameter
> 7w4d: CRYPTO_ENGINE: Dh phase 1 status: 0
> 7w4d: CRYPTO_ENGINE: Dh phase 1 status: 0
> 7w4d: ISAKMP (0:30): SA is doing pre-shared key
> authentication
> 7w4d: ISAKMP (30): SA is doing pre-shared key
> authentication using id type ID_IPV4_ADDR
> 7w4d: ISAKMP (30): sending packet to 200.223.26.155 (I)
> MM_SA_SETUP
> 7w4d: ISAKMP (30): received packet from 200.223.26.155 (I)
> MM_SA_SETUP
> 7w4d: ISAKMP (0:30): processing KE payload. message ID = 0
> 7w4d: CryptoEngine0: generate alg parameter
> 7w4d: ISAKMP (0:30): processing NONCE payload. message ID
> = 0
> 7w4d: CryptoEngine0: create ISAKMP SKEYID for conn id 30
> 7w4d: ISAKMP (0:30): SKEYID state generated
> 7w4d: ISAKMP (30): ID payload
> next-payload : 8
> type : 1
> protocol : 17
> port : 500
> length : 8
> 7w4d: ISAKMP (30): Total payload length: 12
> 7w4d: CryptoEngine0: generate hmac context for conn id 30
> 7w4d: ISAKMP (30): sending packet to 200.223.26.155 (I)
> MM_KEY_EXCH
> 7w4d: ISAKMP (30): received packet from 200.223.26.155 (I)
> MM_KEY_EXCH
> 7w4d: ISAKMP (0:30): phase 1 packet is a duplicate of a
> previous packet.
> 7w4d: ISAKMP (0:30): retransmitting due to retransmit
> phase 1
> 7w4d: ISAKMP (0:30): time remaining never
> 7w4d: ISAKMP (0:30): current time 00:00:00
> 7w4d: ISAKMP (0:30): retransmitting phase 1...
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users

Greg Robinson
San Antonio, TX
AIM: cciggsr
Never fake the funk!
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
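As a troubleshooting aid added here (not code from the thread, from FreeS/WAN or from Cisco), a small Python parser that walks Pluto log lines like those quoted above, tracks each ISAKMP SA of a connection, and reports at which Main Mode state the initiator ran out of retransmissions. The state-to-hint table is this example's own heuristic, and the sample log is the poster's lines re-joined onto single lines.

```python
import re

# Constructed sample: the Pluto lines from the post, re-joined onto single lines.
SAMPLE_LOG = """\
Jan 13 15:09:35 iserver Pluto[21036]: "ifsvpn" #1: initiating Main Mode
Jan 13 15:09:37 iserver Pluto[21036]: "ifsvpn" #1: ignoring Vendor ID payload
Jan 13 15:09:37 iserver Pluto[21036]: "ifsvpn" #1: encrypted Informational Exchange message is invalid because it is for incomplete ISAKMP SA
Jan 13 15:10:47 iserver Pluto[21036]: "ifsvpn" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Jan 13 15:10:47 iserver Pluto[21036]: "ifsvpn" #2: initiating Main Mode to replace #1
"""

# Pluto prefixes per-SA messages with the connection name and the SA number.
PLUTO_RE = re.compile(r'Pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
STALL_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')

# Heuristic hints per initiator state (an assumption of this example, not
# something Pluto reports): which message went unanswered and what usually causes it.
HINTS = {
    "STATE_MAIN_I1": "no reply to the SA proposal: peer unreachable, UDP/500 "
                     "filtered, or no matching ISAKMP policy on the peer",
    "STATE_MAIN_I2": "no reply to the KE/nonce message: peer rejected the key "
                     "exchange payload or the packet was lost",
    "STATE_MAIN_I3": "no reply to the first encrypted (ID+HASH) message: "
                     "pre-shared key or identity mismatch, peer cannot verify us",
}

def triage(log_text):
    """Return {(conn, sa): info} with the stall state, retransmit count,
    count of rejected encrypted Informational messages, and a hint."""
    result = {}
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # not a per-SA Pluto message
        key = (m["conn"], int(m["sa"]))
        info = result.setdefault(key, {"stalled_state": None, "retransmits": 0,
                                       "invalid_informational": 0, "hint": None})
        msg = m["msg"]
        if "encrypted Informational Exchange message is invalid" in msg:
            # Peer sent an encrypted notify before our ISAKMP SA was complete;
            # Pluto cannot decrypt it, so the reason for rejection stays unknown.
            info["invalid_informational"] += 1
        s = STALL_RE.search(msg)
        if s:
            info["retransmits"] = int(s.group(1))
            info["stalled_state"] = s.group(2)
            info["hint"] = HINTS.get(s.group(2), "unclassified Main Mode stall")
    return result

if __name__ == "__main__":
    for (conn, sa), info in sorted(triage(SAMPLE_LOG).items()):
        print(f'"{conn}" #{sa}: {info}')
```

For the quoted logs the parser flags SA #1 as stalled at STATE_MAIN_I3, which matches the Cisco side treating the retransmitted third message as a duplicate rather than answering it.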



This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:40 CET