You just need your "left" parameter to be "%defaultroute" and remove the leftnexthop parameter.
Hope that helps.

Daniel
Aidan Kehoe wrote:
Hello!
[I'm replacing the first two octets for local IP addresses with AAA.AAA throughout, here. I'm also replacing the first two octets for remote addresses with BBB.BBB.]
I'm working from a Linux 2.4.21-rc1-ac4 machine, running Linux FreeS/WAN
2.00. I'm trying to set up an IPSec connection via a Cisco PIX machine,
which is using the following relevant configuration;
isakmp policy 50 authentication pre-share
isakmp policy 50 encryption 3des
isakmp policy 50 hash md5
isakmp policy 50 group 1
isakmp policy 50 lifetime 86400
access-list acl_aidan permit ip host BBB.BBB.64.29 host AAA.AAA.217.99
access-list acl_aidan permit ip host BBB.BBB.64.29 host AAA.AAA.217.101
access-list acl_aidan permit ip host BBB.BBB.64.30 host AAA.AAA.217.99
access-list acl_aidan permit ip host BBB.BBB.64.30 host AAA.AAA.217.101
crypto map cm_outside 250 ipsec-isakmp
crypto map cm_outside 250 match address acl_aidan
crypto map cm_outside 250 set peer AAA.AAA.217.99
crypto map cm_outside 250 set transform-set ts_aidan
crypto map cm_outside 250 set security-association lifetime seconds 10800
crypto map cm_outside 250 set pfs group2
The address of the Cisco machine is BBB.BBB.64.253, and the address of my local machine is AAA.AAA.217.99 . The addresses to which I am trying to connect are BBB.BBB.64.29 and BBB.BBB.64.30 .
I'm trying to follow what's suggested at
http://www.wlug.org.nz/FreeSwanToCiscoPix , but that uses a slightly
incompatible config file syntax. However, this is what I am using for
ipsec.conf;
-------------------
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
version 2
config setup
    interfaces=%defaultroute
    klipsdebug=all
    plutodebug=all
    uniqueids=yes

conn %default
    disablearrivalcheck=no
    keylife=8h
    auto = add

conn pix
    # The local Linux box
    left=AAA.AAA.217.99
    leftsubnet=AAA.AAA.217.96/28
    leftnexthop=%defaultroute
    # The remote Cisco box
    right=BBB.BBB.64.253
    # Changed to a single address for the initial connection attempt.
    rightsubnet=BBB.BBB.64.29/32
    auto=start
    pfs=yes
    # Encapsulating Security Protocol.
    esp=3des-md5-96
    # Pre shared keys
    authby=secret
    keyexchange=ike
-------------------
A full output from 'ipsec barf' is available at http://www.parhasard.net/barf.out , if you're interested. (Warning; 1.7MB)
I restart the machine, with IPSec enabled, and I get
Aug 10 16:10:02 karla ipsec_setup: ...FreeS/WAN IPsec started
Aug 10 16:10:03 karla ipsec__plutorun: 104 "pix" #1: STATE_MAIN_I1: initiate
Aug 10 16:10:03 karla ipsec__plutorun: ...could not start conn "pix"
in the syslog daemon output. However, when I start the pix connection by
hand with 'ipsec auto --up pix' I get this;
# ipsec auto --verbose --up pix
002 "pix" #41: initiating Main Mode
104 "pix" #41: STATE_MAIN_I1: initiate
106 "pix" #41: STATE_MAIN_I2: sent MI2, expecting MR2
002 "pix" #41: received Vendor ID Payload; ASCII hash: [EMAIL PROTECTED]
002 "pix" #41: received Vendor ID Payload; ASCII hash: oJWShaqIkFV|wWA@
002 "pix" #41: received Vendor ID Payload; ASCII hash: RurLEqhipm_btLA@
002 "pix" #41: received Vendor ID Payload; ASCII hash: pbAD~GWHUmu\134Xjof
108 "pix" #41: STATE_MAIN_I3: sent MI3, expecting MR3
002 "pix" #41: ISAKMP SA established
004 "pix" #41: STATE_MAIN_I4: ISAKMP SA established
002 "pix" #42: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
112 "pix" #42: STATE_QUICK_I1: initiate
003 "pix" #42: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
002 "pix" #42: sent QI2, IPsec SA established
004 "pix" #42: STATE_QUICK_I2: sent QI2, IPsec SA established
#
so it seems to me that the connection is up, and "netstat -nr" shows that a
separate route has been established for connecting to the .29 machine, which
is encouraging.
I try to telnet to BBB.BBB.64.29 on a port I know should be open, but it just hangs trying to connect. (ICMP is dropped anyway, so I can't use that.) Netcat has the same behaviour, and nmap tells me that the port is filtered. So, this is a bit annoying.
Nmap says AH and ESP protocol packets are getting through to the Cisco;
[ 5:09PM [EMAIL PROTECTED] [/var/log]] nmap -P0 -sO -p50 BBB.BBB.64.253
Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-08-10 17:09 IST
Interesting protocols on BBB.BBB.64.253:
Protocol State Name
50 open esp
Nmap run completed -- 1 IP address (1 host up) scanned in 12.164 seconds
[ 5:09PM [EMAIL PROTECTED] [/var/log]] nmap -P0 -sO -p51 BBB.BBB.64.253
Starting nmap 3.20 ( www.insecure.org/nmap/ ) at 2003-08-10 17:09 IST
Interesting protocols on BBB.BBB.64.253:
Protocol State Name
51 open ah
Nmap run completed -- 1 IP address (1 host up) scanned in 12.075 seconds
But it says exactly the same thing for ICMP, and I *know* it's dropping
that, so that is not that useful.
Any suggestions as to what I'm doing wrong? I'm told another FreeSwan box is connecting to that Cisco fine, but there's every chance that's another version with another incompatible config file syntax. (Downgrading my kernel and FreeSwan version isn't an option, short-term, because of various hardware incompatibilities.)
Thanks for any response,
- Aidan
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Daniel Djamaludin - Software Engineer      EMAIL: [EMAIL PROTECTED]
SnapGear Inc.                              PHONE: +61 7 34352888
825 Stanley St Woolloongabba               FAX:   +61 7 38913630
Brisbane, QLD, 4102, Australia             WEB:   http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
FreeS/WAN Users mailing list
[EMAIL PROTECTED]
https://mj2.freeswan.org/cgi-bin/mj_wwwusr
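The following is an added example, not code from the thread or from FreeS/WAN. It turns the reply's suggestion (left=%defaultroute, no leftnexthop when interfaces=%defaultroute) into a lint rule over a parsed ipsec.conf, and adds the other check a practitioner makes when "IPsec SA established" appears but traffic still hangs: whether the conn's leftsubnet/rightsubnet mirror a PIX access-list entry exactly, because an IPsec SA only carries packets that match the selectors it was negotiated for. The sample inputs are constructed from the post, with the RFC 5737 documentation ranges 192.0.2.0/24 and 198.51.100.0/24 standing in for the redacted AAA.AAA and BBB.BBB networks; the selector check is a general IPsec check, not a diagnosis of the poster's problem.

```python
"""Lint a FreeS/WAN 2.x 'conn' and compare its selectors with a PIX crypto ACL.

Added example, not from the thread. 192.0.2.x stands in for AAA.AAA.217.x and
198.51.100.x for BBB.BBB.64.x (assumed placeholder addresses).
"""
import ipaddress
import re

# Constructed input: the poster's ipsec.conf with placeholder addresses.
SAMPLE_IPSEC_CONF = """\
version 2
config setup
    interfaces=%defaultroute
    uniqueids=yes
conn %default
    disablearrivalcheck=no
    keylife=8h
    auto = add
conn pix
    left=192.0.2.99
    leftsubnet=192.0.2.96/28
    leftnexthop=%defaultroute
    right=198.51.100.253
    rightsubnet=198.51.100.29/32
    auto=start
    pfs=yes
    esp=3des-md5-96
    authby=secret
    keyexchange=ike
"""

# Constructed input: the PIX access-list from the post, same substitution.
SAMPLE_PIX_ACL = """\
access-list acl_aidan permit ip host 198.51.100.29 host 192.0.2.99
access-list acl_aidan permit ip host 198.51.100.29 host 192.0.2.101
access-list acl_aidan permit ip host 198.51.100.30 host 192.0.2.99
access-list acl_aidan permit ip host 198.51.100.30 host 192.0.2.101
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Sections ('config setup', 'conn NAME')
    start in column 0; parameters are indented key=value; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.startswith("version"):
            continue
        if not line[0].isspace():
            kind, _, name = line.partition(" ")
            current = sections.setdefault(name.strip() if kind == "conn" else "setup", {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections, name):
    """Apply 'conn %default' inheritance to the named conn."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged


def lint_left(conn):
    """The reply's suggestion as a rule: left=%defaultroute and no leftnexthop."""
    findings = []
    if conn.get("left") != "%defaultroute":
        findings.append("left should be %defaultroute")
    if "leftnexthop" in conn:
        findings.append("remove leftnexthop")
    return findings


def _pix_net(tok):
    """'host A' -> A/32; 'NET MASK' -> NET/MASK (PIX ACLs use a normal mask)."""
    a, b = tok.split()
    return ipaddress.ip_network(f"{b}/32" if a == "host" else f"{a}/{b}")


def parse_pix_acl(text):
    """Return [(src_net, dst_net)] from 'permit ip' entries, PIX-local side first."""
    pat = re.compile(r"permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")
    return [tuple(_pix_net(tok) for tok in m.groups()) for m in pat.finditer(text)]


def _side_net(conn, side):
    """Selector for one side: its *subnet, or the endpoint itself as a /32."""
    net = conn.get(side + "subnet")
    if net is None:
        if conn[side].startswith("%"):
            raise ValueError(f"{side}={conn[side]} needs {side}subnet to form a selector")
        net = conn[side] + "/32"
    return ipaddress.ip_network(net)


def check(ipsec_conf_text, pix_acl_text, conn_name):
    """Findings for one conn: left/leftnexthop lint plus an exact selector match
    against the PIX ACL, whose (src, dst) is the conn's (rightsubnet, leftsubnet)."""
    conn = resolve_conn(parse_ipsec_conf(ipsec_conf_text), conn_name)
    findings = lint_left(conn)
    left, right = _side_net(conn, "left"), _side_net(conn, "right")
    if (right, left) not in parse_pix_acl(pix_acl_text):
        findings.append(f"PIX ACL has no entry for {right} <-> {left}")
    return findings


if __name__ == "__main__":
    for f in check(SAMPLE_IPSEC_CONF, SAMPLE_PIX_ACL, "pix"):
        print(f)
```

Against the constructed sample this reports the two changes from the reply and that the PIX ACL (host-to-host entries only) has no entry mirroring 198.51.100.29/32 <-> 192.0.2.96/28; narrowing leftsubnet to the single host and applying the reply's changes makes the check return no findings.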
