I'm going to set up an IPsec tunnel between a Cisco router (17xx) and an ASL 3.201, but as usual something goes wrong ...
ASL 3.201 Configuration

IPsec VPN -> Policy
  name: cisco
  IKE SA lifetime: 28800
  IPsec enc. alg: 3DES
  IPsec SA lifetime: 86400
  PFS: off
  compression: off

IPsec VPN -> Remote Key
  name: Cisco-client
  type: PSK
  Preshared Key: SECRET

IPsec VPN -> Connection
  name: cisco-vpn
  type: standard
  IPsec policy: 3DES
  local endpoint: WAN
  remote endpoint: cisco (/32)
  local subnet: ::none::
  remote subnet: cisco-lan (10.55.40.0/24, private net on the Cisco LAN interface)
  key: PSK: cisco-client
Cisco router

crypto isakmp policy 1
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
crypto ipsec security-association lifetime seconds 86400
crypto isakmp key SECRET address
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
 mode tunnel
!
crypto map TEST 1 ipsec-isakmp
 set
 set transform-set 3DES-MD5
 match address 101
!
!
interface Tunnel0
 description 'Tunnel di test 2binformatica'
 ip unnumbered Ethernet0
 tunnel source
 tunnel destination
 tunnel mode ipip
!
interface Ethernet0
 ip address
 ip nat outside
 half-duplex
 no shutdown
!
interface FastEthernet0
 ip address 10.55.40.1 255.255.255.0
 ip nat inside
 speed auto
 no shutdown
!
ip nat pool ....
ip nat inside source list 5 pool pool-1 overload
ip classless
ip route 0.0.0.0 0.0.0.0
ip route 192.168.0.0 255.255.0.0 Tunnel0   #my lan beside the firewall
no ip http server
!
access-list 101 permit ip 0.0.0.0 255.255.255.255 host
access-list 5 permit 10.55.0.0 0.0.255.255
...
Astaro IPSEC Log

Jul 3 12:34:12 firewall ipsec_setup: Starting FreeS/WAN IPsec 1.96...
Jul 3 12:34:12 firewall ipsec_setup: KLIPS debug `none'
Jul 3 12:34:12 firewall ipsec_setup: KLIPS ipsec0 on eth1 80.18.204.198/255.255.255.248 broadcast 80.18.204.199 mtu 16260
Jul 3 12:34:12 firewall ipsec_setup: ...FreeS/WAN IPsec started
Jul 3 12:34:13 firewall Pluto[8621]: Starting Pluto (FreeS/WAN Version 1.96)
Jul 3 12:34:13 firewall Pluto[8621]: including X.509 patch (Version 0.9.9)
Jul 3 12:34:13 firewall Pluto[8621]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 3 12:34:13 firewall Pluto[8621]: Warning: empty directory
Jul 3 12:34:13 firewall Pluto[8621]: Changing to directory '/etc/ipsec.d/crls'
Jul 3 12:34:13 firewall Pluto[8621]: Warning: empty directory
Jul 3 12:34:13 firewall Pluto[8621]: could not open my X.509 cert file '/etc/x509cert.der'
Jul 3 12:34:13 firewall Pluto[8621]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jul 3 12:34:15 firewall Pluto[8621]: | from whack: got --esp=3des
Jul 3 12:34:15 firewall Pluto[8621]: added connection description "cisco-vpn_1"
Jul 3 12:34:15 firewall Pluto[8621]: listening for IKE messages
Jul 3 12:34:15 firewall Pluto[8621]: adding interface ipsec0/eth1 80.18.204.198
Jul 3 12:34:15 firewall Pluto[8621]: loading secrets from "/etc/ipsec.secrets"
Jul 3 12:34:15 firewall Pluto[8621]: "cisco-vpn_1" #1: initiating Main Mode
Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #1: ignoring Vendor ID payload
Jul 3 12:34:16 firewall ipsec__plutorun: 104 "cisco-vpn_1" #1: STATE_MAIN_I1: initiate
Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #1: Peer ID is ID_IPV4_ADDR: '80.18.204.196'
Jul 3 12:34:16 firewall ipsec__plutorun: ...could not start conn "cisco-vpn_1"
Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #1: ISAKMP SA established
Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Jul 3 12:34:16 firewall Pluto[8621]: "cisco-vpn_1" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
Jul 3 12:34:17 firewall Pluto[8621]: "cisco-vpn_1" #2: sent QI2, IPsec SA established
Jul 3 12:36:23 firewall Pluto[8621]: "cisco-vpn_1" #1: ignoring Delete SA payload
Jul 3 12:36:23 firewall Pluto[8621]: "cisco-vpn_1" #1: received and ignored informational message
Jul 3 12:42:29 firewall Pluto[8621]: "cisco-vpn_1" #3: cannot respond to IPsec SA request because no connection is known for 80.18.204.198...80.18.204.196===0.0.0.0/0
Jul 3 12:42:39 firewall Pluto[8621]: "cisco-vpn_1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb571a182 (perhaps this is a duplicated packet)
Jul 3 12:42:49 firewall Pluto[8621]: "cisco-vpn_1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb571a182 (perhaps this is a duplicated packet)
Jul 3 12:42:59 firewall Pluto[8621]: "cisco-vpn_1" #4: cannot respond to IPsec SA request because no connection is known for 80.18.204.198...80.18.204.196===0.0.0.0/0
Jul 3 12:42:59 firewall Pluto[8621]: "cisco-vpn_1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xb571a182 (perhaps this is a duplicated packet)
Jul 3 12:43:09 firewall Pluto[8621]: "cisco-vpn_1" #1: ignoring Delete SA payload
Jul 3 12:43:09 firewall Pluto[8621]: "cisco-vpn_1" #1: received and ignored informational message
Jul 3 12:50:39 firewall Pluto[8621]: "cisco-vpn_1" #5: responding to Main Mode
Jul 3 12:50:39 firewall Pluto[8621]: "cisco-vpn_1" #5: ignoring Vendor ID payload
Jul 3 12:50:40 firewall Pluto[8621]: "cisco-vpn_1" #5: next payload type of ISAKMP Hash Payload has an unknown value: 128
Jul 3 12:50:40 firewall Pluto[8621]: "cisco-vpn_1" #5: malformed payload in packet
Jul 3 12:50:49 firewall Pluto[8621]: "cisco-vpn_1" #5: next payload type of ISAKMP Hash Payload has an unknown value: 128
Jul 3 12:50:49 firewall Pluto[8621]: "cisco-vpn_1" #5: malformed payload in packet
Jul 3 12:50:59 firewall Pluto[8621]: "cisco-vpn_1" #5: next payload type of ISAKMP Hash Payload has an unknown value: 128
Jul 3 12:50:59 firewall Pluto[8621]: "cisco-vpn_1" #5: malformed payload in packet
Jul 3 12:51:09 firewall Pluto[8621]: "cisco-vpn_1" #5: next payload type of ISAKMP Hash Payload has an unknown value: 128
Jul 3 12:51:09 firewall Pluto[8621]: "cisco-vpn_1" #5: malformed payload in packet
Jul 3 12:51:49 firewall Pluto[8621]: "cisco-vpn_1" #5: max number of retransmissions (2) reached STATE_MAIN_R2
... all seems to be going right, but when I start some traffic (ping) I receive: cannot respond to IPsec SA request because no connection is known for 80.18.204.198...80.18.204.196===0.0.0.0/0
... if someone could help!!
P.S. I think that an official and tested Astaro document explaining a sample Cisco -> ASL connection could be useful.
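As an added example (not part of the post, and not Astaro or Cisco code), this script parses the Pluto "no connection is known for" message quoted above, reads the traffic selectors the peer proposed from FreeS/WAN's [localsubnet===]local...remote[===remotesubnet] notation, and compares them with the subnets defined on the responder. The configured values are the ones from the ASL connection in the post; the sample log lines are constructed copies of lines from the log above.

```python
import ipaddress
import re
# Pluto (FreeS/WAN 1.96) logs an unmatched Quick Mode proposal's selectors as
#   [localsubnet===]local...remote[===remotesubnet]
NOCONN_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: cannot respond to IPsec SA request because '
    r'no connection is known for (?:(?P<lsub>[\d.]+/\d+)===)?(?P<local>[\d.]+)'
    r'\.\.\.(?P<remote>[\d.]+)(?:===(?P<rsub>[\d.]+/\d+))?'
)

def net(s):
    # '10.55.40.0/24' or a bare host address -> ip_network (a host becomes /32)
    return ipaddress.ip_network(s, strict=False)

def parse_noconn(line):
    """Return the selectors the peer proposed, or None for other log lines."""
    m = NOCONN_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # A missing subnet means the endpoint address itself (a /32 selector).
    return {"conn": d["conn"],
            "local_subnet": net(d["lsub"] or d["local"]),
            "remote_subnet": net(d["rsub"] or d["remote"])}

def explain_mismatch(log_lines, configured):
    """configured: conn name -> {'local_subnet': ..., 'remote_subnet': ...} as
    defined on the responder. Returns (conn, side, proposed, expected) tuples."""
    findings = []
    for line in log_lines:
        p = parse_noconn(line)
        if p is None or p["conn"] not in configured:
            continue
        for side in ("local_subnet", "remote_subnet"):
            want = net(configured[p["conn"]][side])
            if p[side] != want:
                findings.append((p["conn"], side, str(p[side]), str(want)))
    return findings

# Constructed sample in the format of the log quoted in the post: one
# selector-mismatch line plus an unrelated line.
SAMPLE_LOG = [
    'Jul 3 12:42:29 firewall Pluto[8621]: "cisco-vpn_1" #3: cannot respond to '
    'IPsec SA request because no connection is known for '
    '80.18.204.198...80.18.204.196===0.0.0.0/0',
    'Jul 3 12:43:09 firewall Pluto[8621]: "cisco-vpn_1" #1: ignoring Delete SA payload',
]
# Responder as described in the post: no local subnet, remote subnet = Cisco LAN.
CONFIGURED = {"cisco-vpn_1": {"local_subnet": "80.18.204.198/32",
                              "remote_subnet": "10.55.40.0/24"}}
```

Run against the post's log it reports that the peer proposed 0.0.0.0/0 as the remote side where the responder only knows 10.55.40.0/24, which is what the Cisco crypto ACL (access-list 101) is offering.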
Remove the tunnel interface; for the rest, refer to the Astaro sample config for a Cisco router, which works great. Don't forget to bind the crypto map to the external interface.