I'm going to set a IPSec tunnel between a Cisco Router (17xx) and an ASL 3.201, but as usual something goes wrong ...
ASL 3.201 Configuration Ipsec Vpn -> Policy name: cisco ike sa lifetime 28800 ipsec enc. alg 3DES ipsec sa lifetime 86400 psf: off conpression: off Ipsec Vpn -> Remote Key name: Cisco-client type: PSK Preshared Key: SECRET Ipsec VPN -> Connection name: cisco-vpn type: standard ipsec policy 3DES local endpoint: WAN remote endpoint: cisco (/32) local subnet: ::none:: remote subnet: cisco-lan (10.55.40.0/24 private net on cisco lan interface) key[:P]SK:cisco-client
Cisco router crypto isakmp policy 1 encryption 3des hash md5 authentication pre-share group 2 lifetime 28800 ! crypto ipsec security-association lifetime seconds 86400 crypto isakmp key SECRET address crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac mode tunnel ! crypto map TEST 1 ipsec-isakmp set set transform-set 3DES-MD5 match address 101 ! ! interface Tunnel0 description 'Tunnel di test 2binformatica' ip unnumbered Ethernet0 tunnel source tunnel destination tunnel mode ipip ! interface Ethernet0 ip address ip nat outside half-duplex no shutdown ! interface FastEthernet0 ip address 10.55.40.1 255.255.255.0 ip nat inside speed auto no shutdown ! ip nat pool .... ip nat inside source list 5 pool pool-1 overload ip classless ip route 0.0.0.0 0.0.0.0 ip route 192.168.0.0 255.255.0.0 Tunnel0 #my lan beside the firewall no ip http server ! access-list 101 permit ip 0.0.0.0 255.255.255.255 host access-list 5 permit 10.55.0.0 0.0.255.255
...
Astaro IPSEC Log Jul 3 12:34:12 firewall ipsec_setup: Starting FreeS/WAN IPsec 1.96... Jul 3 12:34:12 firewall ipsec_setup: KLIPS debug `none' Jul 3 12:34:12 firewall ipsec_setup: KLIPS ipsec0 on eth1 80.18.204.198/255.255.255.248 broadcast 80.18.204.199 mtu 16260 Jul 3 12:34:12 firewall ipsec_setup: ...FreeS/WAN IPsec started Jul 3 12:34:13 firewall Pluto[8621]: Starting Pluto (FreeS/WAN Version 1.96) Jul 3 12:34:13 firewall Pluto[8621]: including X.509 patch (Version 0.9.9) Jul 3 12:34:13 firewall Pluto[8621]: Changing to directory '/etc/ipsec.d/cacerts' Jul 3 12:34:13 firewall Pluto[8621]: Warning: empty directory Jul 3 12:34:13 firewall Pluto[8621]: Changing to directory '/etc/ipsec.d/crls' Jul 3 12:34:13 firewall Pluto[8621]: Warning: empty directory Jul 3 12:34:13 firewall Pluto[8621]: could not open my X.509 cert file '/etc/x509cert.der' Jul 3 12:34:13 firewall Pluto[8621]: OpenPGP certificate file '/etc/pgpcert.pgp' not found Jul 3 12:34:15 firewall Pluto[8621]: | from whack: got --esp=3des Jul 3 12:34:15 firewall Pluto[8621]: added connection description "cisco-vpn_1" Jul 3 12:34:15 firewall Pluto[8621]: listening for IKE messages Jul 3 12:34:15 firewall Pluto[8621]: adding interface ipsec0/eth1 80.18.204.198 Jul 3 12:34:15 firewall Pluto[8621]: loading secrets from "/etc/ipsec.secrets" Jul 3 12:34:15 firewall Pluto[8621]: "cisco-vpn_1" #1: initiating Main Mode Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #1: ignoring Vendor ID payload Jul 3 12:34:16 firewall ipsec__plutorun: 104 "cisco-vpn_1" #1: STATE_MAIN_I1: initiate Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #1: Peer ID is ID_IPV4_ADDR: '80.18.204.196' Jul 3 12:34:16 firewall ipsec__plutorun: ...could not start conn "cisco-vpn_1" Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #1: ISAKMP SA established Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME Jul 3 12:34:17 firewall Pluto[8621]: "cisco-vpn_1" #2: sent QI2, IPsec SA established Jul 3 12:36:23 firewall Pluto[8621]: "cisco-vpn_1" #1: ignoring Delete SA payload Jul 3 12:36:23 firewall Pluto[8621]: "cisco-vpn_1" #1: received and ignored informational message Jul 3 12:42:29 firewall Pluto[8621]: "cisco-vpn_1" #3: cannot respond to IPsec SA request because no connection is known for 80.18.204.198...80.18.204.196===0.0.0.0/0 Jul 3 12:42:39 firewall Pluto[8621]: "cisco-vpn_1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb571a182 (perhaps this is a duplicated packet) Jul 3 12:42:49 firewall Pluto[8621]: "cisco-vpn_1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb571a182 (perhaps this is a duplicated packet) Jul 3 12:42:59 firewall Pluto[8621]: "cisco-vpn_1" #4: cannot respond to IPsec SA request because no connection is known for 80.18.204.198...80.18.204.196===0.0.0.0/0 Jul 3 12:42:59 firewall Pluto[8621]: "cisco-vpn_1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb571a182 (perhaps this is a duplicated packet) Jul 3 12:43:09 firewall Pluto[8621]: "cisco-vpn_1" #1: ignoring Delete SA payload Jul 3 12:43:09 firewall Pluto[8621]: "cisco-vpn_1" #1: received and ignored informational message Jul 3 12:50:39 firewall Pluto[8621]: "cisco-vpn_1" #5: responding to Main Mode Jul 3 12:50:39 firewall Pluto[8621]: "cisco-vpn_1" #5: ignoring Vendor ID payload Jul 3 12:50:40 firewall Pluto[8621]: "cisco-vpn_1" #5: next payload type of ISAKMP Hash Payload has an unknown value: 128 Jul 3 12:50:40 firewall Pluto[8621]: "cisco-vpn_1" #5: malformed payload in packet Jul 3 12:50:49 firewall Pluto[8621]: "cisco-vpn_1" #5: next payload type of ISAKMP Hash Payload has an unknown value: 128 Jul 3 12:50:49 firewall Pluto[8621]: "cisco-vpn_1" #5: malformed payload in packet Jul 3 12:50:59 firewall Pluto[8621]: "cisco-vpn_1" #5: next payload type of ISAKMP Hash Payload has an unknown value: 128 Jul 3 12:50:59 firewall Pluto[8621]: "cisco-vpn_1" #5: malformed payload in packet Jul 3 12:51:09 firewall Pluto[8621]: "cisco-vpn_1" #5: next payload type of ISAKMP Hash Payload has an unknown value: 128 Jul 3 12:51:09 firewall Pluto[8621]: "cisco-vpn_1" #5: malformed payload in packet Jul 3 12:51:49 firewall Pluto[8621]: "cisco-vpn_1" #5: max number of retransmissions (2) reached STATE_MAIN_R2
... all seems going right, but when I start some traffic (ping) I recive : cannot respond to IPsec SA request because no connection is known for 80.18.204.198...80.18.204.196===0.0.0.0/0
... if some one could help !!
P.S. I think that an Astaro official and Tested document expalining cisco -> ASL sample connection could be usefull
Remove the Tunnelinterface , for the rest refer to the Astaro Sample Config to Cisco Router which works great. Dont forget to bind the Crypto map on the extrnal Interface.
I'm having trouble setting up a VPN between a Cisco (IOS 12.2.27b, Enterprise, IPSEC, 3DES) and an Astaro V5 firewall. The ISAKMP SA will not be established also I'm sure that the parameters are configured correctly.
I'd like to doublecheck thid with the PDF you've mentioned. However the docs page has moved and the knowledgebase returns an empty HTML document.
Is there another working pointer to the PDF or does someone have a local copy of it?
i can send you what worked 3,5 years or more ago here in my test....dunno anymore.
(Config+Screens)
Its IOS 12.2 and ASL 2.012 based...hehe, but should still work.
Maybe lifetimes etc or pfs must be modified nowadays.
Aswell there are much Openswan to Cisco IOS samples available on the net.
