# Configuring a VPN using OpenSwan

## zBrain

I am in need of help as to why this won't work. I am attempting to connect to a Cisco ASA device that is known to be working (others can use it).

The addresses involved will be changed to:

My machine: 1.1.1.1

My internet gateway: 1.1.1.2

Remote Cisco device: 2.2.2.2

Remote machine I should be able to reach: 3.3.3.3 (listening on 8888)

My ipsec.conf:

```
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        #protostack=netkey
        #nat_traversal=yes
        #virtual_private=
        #oe=off
        # Enable this if you see "failed to find any available worker"
        #nhelpers=0

conn cisco # Here is the Name of the VPN connection.
        type= tunnel
        authby= secret
        # Left security Linux, (Linux side)
        left= 1.1.1.1
        leftsubnet= 1.1.1.1/32 #Net address assigned to the other side
        leftnexthop= 1.1.1.2 #Real IP Gateway
        # Right security gateway, (ASA SIDE)
        right= 2.2.2.2 # ASA IP
        rightsubnet= 3.3.3.0/24 # Net address assigned to the other side
        rightnexthop= 1.1.1.2 #Real IP Gateway
        # Type of cryptography used on the VPN Tunnel
        esp= 3des-md5-96
        keyexchange= ike
        pfs= no
        auto= start
```

My secrets file:

```
1.1.1.1 2.2.2.2: PSK "magic Key"
```

Then I run:

```
/etc/init.d/ipsec start
```

My first question: should I be getting a new net device when I connect? All I get is a new route:

```
3.3.3.0     1.1.1.2     255.255.255.0   UG    0      0        0 eth0
```

When I run the init script I get this in auth.log:

```
/etc/init.d/ipsec start
 * Starting IPSEC ... ...
ipsec_setup: Starting Openswan IPsec 2.4.15...
Nov 29 08:06:36 testslave ipsec__plutorun: Starting Pluto subsystem...
Nov 29 08:06:36 testslave ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
Nov 29 08:06:36 testslave pluto[29151]: Starting Pluto (Openswan Version 2.4.15 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE}xT`Pu{prE)
Nov 29 08:06:36 testslave pluto[29151]: Setting NAT-Traversal port-4500 floating to off
Nov 29 08:06:36 testslave pluto[29151]:    port floating activation criteria nat_t=0/port_fload=1
Nov 29 08:06:36 testslave pluto[29151]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Nov 29 08:06:36 testslave pluto[29151]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 29 08:06:36 testslave pluto[29151]: starting up 3 cryptographic helpers
Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29153 (fd:6)
Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29154 (fd:7)
Nov 29 08:06:36 testslave pluto[29151]: started helper pid=29155 (fd:8)
Nov 29 08:06:36 testslave pluto[29151]: Using NETKEY IPsec interface code on 2.6.31.6
Nov 29 08:06:36 testslave pluto[29151]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Nov 29 08:06:36 testslave pluto[29151]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Nov 29 08:06:36 testslave pluto[29151]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Nov 29 08:06:36 testslave pluto[29151]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Nov 29 08:06:36 testslave pluto[29151]:   Warning: empty directory
Nov 29 08:06:36 testslave pluto[29151]: loading secrets from "/etc/ipsec/ipsec.secrets"
Nov 29 08:06:36 testslave pluto[29151]: added connection description "cisco"        [ ok ]
Nov 29 08:06:36 testslave pluto[29151]: listening for IKE messages
Nov 29 08:06:36 testslave pluto[29151]: adding interface eth0/eth0 1.1.1.1:500
Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo 127.0.0.1:500
Nov 29 08:06:36 testslave pluto[29151]: adding interface lo/lo ::1:500
Nov 29 08:06:36 testslave pluto[29151]: forgetting secrets
Nov 29 08:06:36 testslave pluto[29151]: loading secrets from "/etc/ipsec/ipsec.secrets"
Nov 29 08:06:36 testslave pluto[29151]: "cisco" #1: initiating Main Mode
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload [Cisco-Unity]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload [XAUTH]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring unknown Vendor ID payload [d3e6aae7997ac360bc9045ccb5c211db]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: I did not send a certificate because I do not have one.
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Vendor ID payload [Dead Peer Detection]
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: Main mode peer ID is ID_IPV4_ADDR: '2.2.2.2'
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received and ignored informational message
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA payload: deleting ISAKMP State #1
Nov 29 08:06:37 testslave pluto[29151]: packet from 2.2.2.2:500: received and ignored informational message
```

Then I attempt to telnet:

```
# telnet 3.3.3.3 8888
Trying 3.3.3.3...
```

And the log:

```
Nov 29 08:06:44 testslave pluto[29151]: initiate on demand from 1.1.1.1:0 to 3.3.3.3:0 proto=0 state: fos_start because: acquire
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: initiating Main Mode
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload [Cisco-Unity]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload [XAUTH]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring unknown Vendor ID payload [c5d84faa8d5901d3cc816c033fb9efb1]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: I did not send a certificate because I do not have one.
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Vendor ID payload [Dead Peer Detection]
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: Main mode peer ID is ID_IPV4_ADDR: '2.2.2.2'
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#3}
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received and ignored informational message
Nov 29 08:06:44 testslave pluto[29151]: "cisco" #3: received Delete SA payload: deleting ISAKMP State #3
Nov 29 08:06:44 testslave pluto[29151]: packet from 2.2.2.2:500: received and ignored informational message
```

So, clearly it is connected (the other side sees my connection too), but I cannot get any traffic through (the other side sees no traffic at all).

Can anyone point me in the right direction?
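An added triage helper for the pluto lines quoted above (example code, not from the post or from Openswan): it counts the Phase 1 and Phase 2 milestones per connection and separates "ISAKMP SA established" from the Quick Mode NO_PROPOSAL_CHOSEN rejection that follows it. The log excerpt is constructed from the lines in the post; the verdict strings and the assumed Openswan "IPsec SA established" success marker are this example's own.

```python
import re

# Constructed excerpt of the auth.log lines quoted in the post (one failed attempt).
SAMPLE_LOG = """\
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received and ignored informational message
Nov 29 08:06:37 testslave pluto[29151]: "cisco" #1: received Delete SA payload: deleting ISAKMP State #1
"""

# Pluto prefixes per-connection messages with the conn name and a state number.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')

# (substring to look for in the message, counter to increment)
MARKERS = [
    ("ISAKMP SA established", "phase1_established"),
    ("initiating Quick Mode", "phase2_initiated"),
    ("IPsec SA established", "phase2_established"),   # assumed success marker
    ("NO_PROPOSAL_CHOSEN", "proposal_rejected"),
    ("deleting ISAKMP State", "isakmp_deleted"),
]

def summarise_pluto_log(text):
    """Count Phase 1 / Phase 2 milestones per connection name."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # startup noise, "packet from ..." lines, etc.
        counters = conns.setdefault(m["conn"], {name: 0 for _, name in MARKERS})
        for needle, name in MARKERS:
            if needle in m["msg"]:
                counters[name] += 1
    return conns

def diagnose(counters):
    """Return (verdict, explanation) for one connection's counters."""
    if counters["phase2_established"]:
        return "tunnel_up", "Phase 1 and Phase 2 completed; an IPsec SA exists."
    if not counters["phase1_established"]:
        return "phase1_failed", "No ISAKMP SA: check PSK, peer IDs and IKE proposal."
    if counters["phase2_initiated"] and counters["proposal_rejected"]:
        return "phase2_rejected", ("ISAKMP SA came up but the peer answered Quick Mode "
                                   "with NO_PROPOSAL_CHOSEN, so no IPsec SA was built and "
                                   "no traffic is protected; compare esp=, pfs= and the "
                                   "left/right subnets with the peer's Phase 2 settings.")
    return "phase2_incomplete", "Phase 1 up; Phase 2 neither established nor rejected."

if __name__ == "__main__":
    for conn, counters in summarise_pluto_log(SAMPLE_LOG).items():
        verdict, why = diagnose(counters)
        print(f"{conn}: {verdict} - {why}")
```

Run it against the full auth.log to see whether the second attempt (triggered on demand by the telnet) ends the same way.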
