Hello! [I'm replacing the first two octets for local IP addresses with AAA.AAA throughout, here. I'm also replacing the first two octets for remote addresses with BBB.BBB.]
I'm working from a Linux 2.4.21-rc1-ac4 machine, running Linux FreeS/WAN 2.00. I'm trying to set up an IPSec connection via a Cisco PIX machine, which is using the following relevant configuration:

isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
access-list acl_aidan permit ip host BBB.BBB.64.29 host AAA.AAA.217.99
access-list acl_aidan permit ip host BBB.BBB.64.29 host AAA.AAA.217.101
access-list acl_aidan permit ip host BBB.BBB.64.30 host AAA.AAA.217.99
access-list acl_aidan permit ip host BBB.BBB.64.30 host AAA.AAA.217.101
crypto map cm_outside 250 ipsec-isakmp
crypto map cm_outside 250 match address acl_aidan
crypto map cm_outside 250 set peer AAA.AAA.217.99
crypto map cm_outside 250 set transform-set ts_aidan
crypto map cm_outside 250 set security-association lifetime seconds 10800
crypto map cm_outside 250 set pfs group2

The address of the Cisco machine is BBB.BBB.64.253, and the address of my local machine is AAA.AAA.217.99. The addresses to which I am trying to connect are BBB.BBB.64.29 and BBB.BBB.64.30.

I'm trying to follow what's suggested at http://www.wlug.org.nz/FreeSwanToCiscoPix , but that uses a slightly incompatible config file syntax. However, this is what I am using for ipsec.conf:

-------------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
version 2

config setup
        interfaces=%defaultroute
        klipsdebug=all
        plutodebug=all
        uniqueids=yes

conn %default
        disablearrivalcheck=no
        keylife=8h
        auto = add

conn pix
        # The local Linux box
        left=AAA.AAA.217.99
        leftsubnet=AAA.AAA.217.96/28
        leftnexthop=%defaultroute
        # The remote Cisco box
        right=BBB.BBB.64.253
        # Changed to a single address for the initial connection attempt.
        rightsubnet=BBB.BBB.64.29/32
        auto=start
        pfs=yes
        # Encapsulating Security Protocol.
        esp=3des-md5-96
        # Pre shared keys
        authby=secret
        keyexchange=ike
-------------------

A full output from 'ipsec barf' is available at http://www.parhasard.net/barf.out , if you're interested. (Warning: 1.7MB)

I restart the machine, with IPSec enabled, and I get

Aug 10 16:10:02 karla ipsec_setup: ...FreeS/WAN IPsec started
Aug 10 16:10:03 karla ipsec__plutorun: 104 "pix" #1: STATE_MAIN_I1: initiate
Aug 10 16:10:03 karla ipsec__plutorun: ...could not start conn "pix"

in the syslog daemon output. However, when I start the pix connection by hand with 'ipsec auto --up pix' I get this:

# ipsec auto --verbose --up pix
002 "pix" #41: initiating Main Mode
104 "pix" #41: STATE_MAIN_I1: initiate
106 "pix" #41: STATE_MAIN_I2: sent MI2, expecting MR2
002 "pix" #41: received Vendor ID Payload; ASCII hash: [EMAIL PROTECTED]
002 "pix" #41: received Vendor ID Payload; ASCII hash: oJWShaqIkFV|wWA@
002 "pix" #41: received Vendor ID Payload; ASCII hash: RurLEqhipm_btLA@
002 "pix" #41: received Vendor ID Payload; ASCII hash: pbAD~GWHUmu\134Xjof
108 "pix" #41: STATE_MAIN_I3: sent MI3, expecting MR3
002 "pix" #41: ISAKMP SA established
004 "pix" #41: STATE_MAIN_I4: ISAKMP SA established
002 "pix" #42: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
112 "pix" #42: STATE_QUICK_I1: initiate
003 "pix" #42: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
002 "pix" #42: sent QI2, IPsec SA established
004 "pix" #42: STATE_QUICK_I2: sent QI2, IPsec SA established
#

so it seems to me that the connection is up, and "netstat -nr" shows that a separate route has been established for connecting to the .29 machine, which is encouraging. I try to telnet to BBB.BBB.64.29 on a port I know should be open, but it just hangs trying to connect. (ICMP is dropped anyway, so I can't use that.) Netcat has the same behaviour, and nmap tells me that the port is filtered. So, this is a bit annoying.
Nmap says AH and ESP protocol packets are getting through to the Cisco:

[ 5:09PM [EMAIL PROTECTED] [/var/log]] nmap -P0 -sO -p50 BBB.BBB.64.253

Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-08-10 17:09 IST
Interesting protocols on BBB.BBB.64.253:
Protocol State Name
50       open  esp

Nmap run completed -- 1 IP address (1 host up) scanned in 12.164 seconds
[ 5:09PM [EMAIL PROTECTED] [/var/log]] nmap -P0 -sO -p51 BBB.BBB.64.253

Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-08-10 17:09 IST
Interesting protocols on BBB.BBB.64.253:
Protocol State Name
51       open  ah

Nmap run completed -- 1 IP address (1 host up) scanned in 12.075 seconds

But it says exactly the same thing for ICMP, and I *know* it's dropping that, so that is not that useful.

Any suggestions as to what I'm doing wrong? I'm told another FreeSwan box is connecting to that Cisco fine, but there's every chance that's another version with another incompatible config file syntax. (Downgrading my kernel and FreeSwan version isn't an option, short-term, because of various hardware incompatibilities.)

Thanks for any response,

- Aidan

-- 
"These are the prettiest looking witnesses we have had in a long time. I imagine you are all married. If not, you could be if you wanted to be."

_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
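One of the first things a practitioner checks when an IKE and IPsec SA come up but no traffic passes is whether the Phase 2 traffic selectors on the two sides are mirror images of each other: each source/destination pair in the PIX crypto ACL has to correspond to the peer's rightsubnet/leftsubnet pair. The script below is an added example, not code from the post above or from FreeS/WAN or Cisco: it parses the crypto ACL, crypto map and "conn pix" quoted in the post (embedded as constructed input, with the redacted prefixes AAA.AAA and BBB.BBB replaced by the assumed placeholders 10.1 and 10.2 so that the addresses parse) and reports which ACL entries exactly mirror the conn and which merely overlap it.

```python
import ipaddress
import re

# The post redacts the first two octets of every address (AAA.AAA local,
# BBB.BBB remote). Substitute private placeholders so the addresses parse;
# these are an assumption of this example, not the real prefixes.
REDACTED = {"AAA.AAA": "10.1", "BBB.BBB": "10.2"}


def unredact(text):
    for placeholder, octets in REDACTED.items():
        text = text.replace(placeholder, octets)
    return text


# Constructed sample input: the crypto ACL / crypto map lines quoted in the post.
PIX_CONFIG = unredact("""\
access-list acl_aidan permit ip host BBB.BBB.64.29 host AAA.AAA.217.99
access-list acl_aidan permit ip host BBB.BBB.64.29 host AAA.AAA.217.101
access-list acl_aidan permit ip host BBB.BBB.64.30 host AAA.AAA.217.99
access-list acl_aidan permit ip host BBB.BBB.64.30 host AAA.AAA.217.101
crypto map cm_outside 250 ipsec-isakmp
crypto map cm_outside 250 match address acl_aidan
crypto map cm_outside 250 set peer AAA.AAA.217.99
""")

# Constructed sample input: the "conn pix" section of the post's ipsec.conf.
IPSEC_CONF = unredact("""\
conn pix
        left=AAA.AAA.217.99
        leftsubnet=AAA.AAA.217.96/28
        leftnexthop=%defaultroute
        right=BBB.BBB.64.253
        rightsubnet=BBB.BBB.64.29/32
        auto=start
        pfs=yes
        esp=3des-md5-96
        authby=secret
""")

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")
MAP_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)$")


def take_addr(tokens):
    """Consume one PIX ACL address spec (host A | any | A MASK) and return
    (network, remaining tokens). Classic PIX ACLs take a real subnet mask."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def pix_acl_entries(config):
    """Map ACL name -> [(source, destination), ...]. In a crypto ACL the source
    is the PIX side of the tunnel and the destination is the peer side."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, rest = take_addr(m.group(2).split())
            dst, _ = take_addr(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls


def crypto_map_acls(config):
    """Map (crypto map name, sequence) -> ACL name bound with 'match address'."""
    bound = {}
    for line in config.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            bound[(m.group(1), int(m.group(2)))] = m.group(3)
    return bound


def freeswan_selectors(conf, conn):
    """Return (leftsubnet, rightsubnet) that Pluto proposes in Quick Mode for
    the named conn; a side without *subnet= defaults to its own address /32."""
    params, active = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            active = line.split()[1] == conn
            continue
        if active and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    left = params.get("leftsubnet", params["left"] + "/32")
    right = params.get("rightsubnet", params["right"] + "/32")
    return (ipaddress.ip_network(left, strict=False),
            ipaddress.ip_network(right, strict=False))


def check_mirror(linux_sel, acl_entries):
    """Return (exact, partial): exact lists ACL entries that are the mirror
    image of the FreeS/WAN selectors (PIX src == rightsubnet and PIX dst ==
    leftsubnet); partial lists entries that only overlap them."""
    left, right = linux_sel
    exact = [e for e in acl_entries if e[0] == right and e[1] == left]
    partial = [e for e in acl_entries
               if e not in exact and e[0].overlaps(right) and e[1].overlaps(left)]
    return exact, partial


def main():
    sel = freeswan_selectors(IPSEC_CONF, "pix")
    print(f"FreeS/WAN proposes leftsubnet={sel[0]} rightsubnet={sel[1]}")
    acls = pix_acl_entries(PIX_CONFIG)
    for (name, seq), acl in crypto_map_acls(PIX_CONFIG).items():
        exact, partial = check_mirror(sel, acls.get(acl, []))
        print(f"crypto map {name} {seq} uses {acl}: "
              f"{len(exact)} exact mirror, {len(partial)} overlapping-only entries")
        for src, dst in partial:
            print(f"  ACL {dst} <-> {src} would mirror as leftsubnet={dst} rightsubnet={src}")


if __name__ == "__main__":
    main()
```

Run as-is, it reports no exact mirror for the configurations in the post: the conn proposes a /28 on the Linux side while every ACL entry names a single host, so it prints the two host-to-host pairs (AAA.AAA.217.99 and .101 to BBB.BBB.64.29) that a /32 conn would mirror. The script only compares the two configurations; whether the PIX accepts, narrows or drops traffic for a wider proposal is something to confirm against the PIX's own debug output.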
