Can't seem to figure out what I am doing wrong.

ipsec.conf

config setup
    protostack=netkey
    klipsdebug=none
    plutodebug=all
    interfaces=%defaultroute
    oe=no

conn %default
    authby=secret
    auto=start
    aggrmode=no
    compress=no
    rightupdown=/usr/libexec/ipsec/_updown.app
    leftupdown=/usr/libexec/ipsec/_updown.app
    left=xxx
    leftsubnet=xxx/24

conn realtime
    type=tunnel
    keyexchange=ike
    pfs=no
    right=xxx
    rightsubnet=xxx/24


ipsec.secrets

xxx xxx : PSK "*****"


The ASA is the same as I always do: ESP-3DES-SHA

ipsec auto --status

...
000 #3: xxx:500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 40s; nodpd; idle; import:admin initiate
000 #3: pending Phase 2 for "xxx" replacing #0


Which I believe means it's not getting a response from the ASA?
In VPN
Wednesday, July 20 2011, 07:51 PM
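As an added illustration (not part of this thread and not an Openswan tool), a small parser for the `ipsec auto --status` lines quoted above, with a reading of where an IKEv1 main-mode initiator is stuck when a state keeps retransmitting. The sample lines and connection name are constructed, and the interpretation table is my own troubleshooting heuristic.

```python
import re

# Constructed sample in the shape of the "ipsec auto --status" output quoted in the
# question (connection name and timer are placeholders, not the poster's values).
SAMPLE_STATUS = """\
000 #3: "realtime":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 40s; nodpd; idle; import:admin initiate
000 #3: pending Phase 2 for "realtime" replacing #0
"""

# One SA line: "#<num>: <conn or address>:<port> STATE_x (<detail>); EVENT_y in <n>s; ..."
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "?(?P<conn>[^":]+)"?:(?P<port>\d+) (?P<state>STATE_\w+) '
    r'\((?P<detail>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s'
)

# Where an IKEv1 initiator is stuck when a state keeps retransmitting. This table is
# my own troubleshooting heuristic, not text from Openswan's documentation.
STUCK_INITIATOR = {
    "STATE_MAIN_I1": "no reply to MI1: peer unreachable, UDP/500 filtered, wrong peer "
                     "address, or packets leaving by the wrong interface",
    "STATE_MAIN_I2": "peer sent MR1 but not MR2: phase 1 proposal accepted, DH stalled",
    "STATE_MAIN_I3": "peer sent MR2 but not MR3: usually a PSK or ID mismatch",
    "STATE_QUICK_I1": "phase 1 up, phase 2 proposal unanswered: check subnets, PFS, ESP",
}
ESTABLISHED = {
    "STATE_MAIN_I4": "ISAKMP SA established", "STATE_MAIN_R3": "ISAKMP SA established",
    "STATE_QUICK_I2": "IPsec SA established", "STATE_QUICK_R2": "IPsec SA established",
}

def parse_status(text):
    """Return one dict per SA line that carries a state and a pending event."""
    sas = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("sa", "port", "secs"):
                d[k] = int(d[k])
            sas.append(d)
    return sas

def diagnose(sa):
    """One-line reading of a parsed SA: established, stuck waiting on the peer, or in progress."""
    if sa["state"] in ESTABLISHED:
        return ESTABLISHED[sa["state"]]
    if sa["event"] == "EVENT_RETRANSMIT" and sa["state"] in STUCK_INITIATOR:
        return STUCK_INITIATOR[sa["state"]]
    return "in progress: " + sa["detail"]
```

Run `diagnose(sa)` over `parse_status(open("/path/to/status.txt").read())` to get the same reading for a live status dump; the "pending Phase 2" lines carry no state and are skipped.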
Responses (4)
  • Tuesday, July 26 2011, 05:04 PM
    Set up a test box and forgot to add "interfaces=%defaultroute" and the test VPN worked.

    Removed the line from the production box and it connected also.

    Final configuration was simply

    config setup
        protostack=netkey
        klipsdebug=none
        plutodebug=none

    conn %default
        authby=secret
        auto=start
        rightupdown=/usr/libexec/ipsec/_updown.app
        leftupdown=/usr/libexec/ipsec/_updown.app

    conn realtime1
        type=tunnel
        pfs=no
        left=<External IP>
        leftsubnet=<Internal Subnet>/24
        right=<Remote External IP>
        rightsubnet=<Remote Internal Subnet>/24

    From all I've seen that is not supposed to work, but it does.
  • Thursday, July 21 2011, 07:16 PM
    I'm afraid I'm going to have to stop here as I am about to go away for a week. Things to do/try:
    - remove the left/rightupdown bits so you use the default up/down scripts
    - try auto=add and see if the ASA tries to contact Openswan
    - check you have opened up incoming standard service IPSec (UDP:500 + AH/ESP)
    - I think you have multiwan so check everything is going out through the correct port
    - have a look at the ASA logs to see if it is being contacted and from which IP

    To me it looks like one end or the other is blocking the messages or not responding.

    Then for good help try the openswan mailing lists. They may ask you to upgrade to a current version of Openswan. As you are running a manual configuration you can uninstall what you've got (2.6.21) and download, compile and install the new package directly. If you want everything to go in the ClearOS normal places there is a one line change to make to makefile.inc before compiling. Search this forum (possibly), but definitely it is in the old Clarkconnect forums. If you're not bothered, compile the package as it is. It works fine.
  • Thursday, July 21 2011, 03:51 PM
    I really appreciate your help here. I've configured several VPNs on the ASA but never messed with OpenSwan before.

    Changed debug to none and added left=%defaultroute

    000 #1: "xxx":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
    000 #1: pending Phase 2 for "xxx" replacing #0
    000
  • Wednesday, July 20 2011, 09:20 PM
    If you can, I'd set left=%defaultroute; otherwise I think you have to specify leftnexthop.
    I'd turn off plutodebug by setting it to none. The normal logs should be good enough.
    If you get the tunnel up I'd set leftsourceip to your gateway LAN IP.
    If the ASA is trying to call you, try changing auto to "add" so there is initially only one way negotiation.
    Does the ASA not like PFS?
    Have you opened the firewall to inbound UDP:500?

    Can you do the first two changes at least then post a few more lines of /var/log/secure as the connection starts negotiation until it fails?