IPSec site to site VPN to ASA - Unable to connect
#30420
IPSec site to site VPN to ASA - Unable to connect 3 Years, 4 Months ago  
Can't seem to figure out what I am doing wrong.

ipsec.conf
Code:

config setup
        protostack=netkey
        klipsdebug=none
        plutodebug=all
        interfaces=%defaultroute
        oe=no

conn %default
        authby=secret
        auto=start
        aggrmode=no
        compress=no
        rightupdown=/usr/libexec/ipsec/_updown.app
        leftupdown=/usr/libexec/ipsec/_updown.app
        left=xxx
        leftsubnet=xxx/24

conn realtime
        type=tunnel
        keyexchange=ike
        pfs=no
        right=xxx
        rightsubnet=xxx/24

ipsec.secrets
Code:

xxx xxx : PSK "*****"

The ASA side is the same as I always do: ESP-3DES-SHA.

ipsec auto --status
Code:

...
000 #3: xxx:500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 40s; nodpd; idle; import:admin initiate
000 #3: pending Phase 2 for "xxx" replacing #0

Which I believe means it's not getting a response from the ASA?
Steven Barnes
Fresh Boarder
Posts: 4
Last Edit: 2011/07/26 13:06 By MrRat.
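As an added example (not code from the thread), here is a small parser for the Phase 1 lines that `ipsec auto --status` prints, as quoted above, mapping a main-mode state that keeps retransmitting to the cause an operator would check first. The conn name `realtime` is the thread's; the status lines are constructed.

```python
import re

# Constructed sample, modelled on the "ipsec auto --status" lines quoted in this thread.
SAMPLE_STATUS = """\
000 #3: "realtime":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 40s; nodpd; idle; import:admin initiate
000 #3: pending Phase 2 for "realtime" replacing #0
"""

# Openswan prints the conn name with or without quotes, so both forms are accepted.
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "?(?P<conn>[^":]+)"?:\d+ (?P<state>STATE_\w+) '
    r'\((?P<detail>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s'
)

# Initiator-side IKEv1 main-mode states and what a stall there usually points to.
DIAGNOSIS = {
    "STATE_MAIN_I1": "sent MI1, no MR1 back: the peer never answered; check UDP/500 "
                     "is allowed inbound and outbound and that the packets leave "
                     "via the WAN the peer expects",
    "STATE_MAIN_I2": "sent MI2, no MR2 back: key exchange stalled; compare the IKE "
                     "proposal (e.g. 3DES/SHA1) on both ends",
    "STATE_MAIN_I3": "sent MI3, no MR3 back: authentication stage; the peer often "
                     "drops silently on a PSK or ID mismatch",
}

def parse_status(text):
    """Return one dict per Phase 1 state line: SA number, conn, state, pending event."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            d["sa"], d["secs"] = int(d["sa"]), int(d["secs"])
            out.append(d)
    return out

def diagnose(text):
    """List (conn, state, explanation) for every SA still retransmitting in Phase 1."""
    return [(sa["conn"], sa["state"], DIAGNOSIS[sa["state"]])
            for sa in parse_status(text)
            if sa["event"] == "EVENT_RETRANSMIT" and sa["state"] in DIAGNOSIS]

if __name__ == "__main__":
    for conn, state, why in diagnose(SAMPLE_STATUS):
        print(f"{conn}: {state}: {why}")
```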
#30426
Re: IPSec site to site VPN to ASA - Unable to connect 3 Years, 4 Months ago  
If you can, I'd set left=%defaultroute; otherwise I think you have to specify leftnexthop.
I'd turn off plutodebug by setting it to none. The normal logs should be good enough.
If you get the tunnel up I'd set leftsourceip to your gateway LAN IP.
If the ASA is trying to call you, try changing auto to "add" so there is initially only one way negotiation.
Does the ASA not like PFS?
Have you opened the firewall to inbound UDP:500?

Can you do the first two changes at least then post a few more lines of /var/log/secure as the connection starts negotiation until it fails?
Nick Howitt
Platinum Boarder
Posts: 6072
Last Edit: 2011/07/21 07:55 By NickH.
#30461
Re: IPSec site to site VPN to ASA - Unable to connect 3 Years, 4 Months ago  
I really appreciate your help here. I've configured several VPNs on the ASA but never messed with OpenSwan before.

Changed debug to none and added left=%defaultroute

Code:

000 #1: "xxx":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "xxx" replacing #0
000

Steven Barnes
Fresh Boarder
Posts: 4
Last Edit: 2011/07/26 13:07 By MrRat.
#30468
Re: IPSec site to site VPN to ASA - Unable to connect 3 Years, 4 Months ago  
I'm afraid I'm going to have to stop here as I am about to go away for a week. Things to do/try:
- remove the left/rightupdown bits so you use the default up/down scripts
- try auto=add and see if the ASA tries to contact Openswan
- check you have opened up incoming standard service IPSec (UDP:500 + AH/ESP)
- I think you have multiwan so check everything is going out through the correct port
- have a look at the ASA logs to see if it is being contacted and from which IP

To me it looks like one end or the other is blocking the messages or not responding.

Then for good help try the openswan mailing lists. They may ask you to upgrade to a current version of Openswan. As you are running a manual configuration you can uninstall what you've got (2.6.21) and download, compile and install the new package directly. If you want everything to go in the ClearOS normal places there is a one line change to make to makefile.inc before compiling. Search this forum (possibly), but definitely it is in the old Clarkconnect forums. If you're not bothered, compile the package as it is. It works fine.
Nick Howitt
Platinum Boarder
Posts: 6072
#30599
Re: IPSec site to site VPN to ASA - Unable to connect 3 Years, 4 Months ago  
Set up a test box and forgot to add "interfaces=%defaultroute" and the test VPN worked.

Removed the line from the production box and it connected also.

Final configuration was simply
Code:

config setup
        protostack=netkey
        klipsdebug=none
        plutodebug=none

conn %default
        authby=secret
        auto=start
        rightupdown=/usr/libexec/ipsec/_updown.app
        leftupdown=/usr/libexec/ipsec/_updown.app

conn realtime1
        type=tunnel
        pfs=no
        left=<External IP>
        leftsubnet=<Internal Subnet>/24
        right=<Remote External IP>
        rightsubnet=<Remote Internal Subnet>/24

From all I've seen that is not supposed to work, but it does.
Steven Barnes
Fresh Boarder
Posts: 4
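As an added example (not from the thread or from Openswan), a small ipsec.conf parser with lint checks for the three things this thread tripped over: plutodebug left on, a subnet missing its "/", and interfaces=%defaultroute combined with a fixed left= address, which is the line whose removal got the tunnel up. The sample config is constructed with documentation addresses; %default inheritance is applied before checking each conn.

```python
import re

# Constructed sample modelled on the failing ipsec.conf in this thread (RFC 5737 addresses).
SAMPLE_CONF = """\
config setup
        plutodebug=all
        interfaces=%defaultroute

conn %default
        authby=secret
        auto=start
        left=203.0.113.10
        leftsubnet=192.168.10.0/24

conn realtime
        pfs=no
        right=198.51.100.20
        rightsubnet=192.168.20.024
"""

CIDR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")

def parse_ipsec_conf(text):
    """Split into 'config setup' / 'conn NAME' sections; indented lines are key=value."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"): continue      # blank or comment
        if not raw[0].isspace():                           # unindented: section header
            cur = sections.setdefault(" ".join(line.split()[:2]), {})
        elif cur is not None and "=" in line:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return sections

def lint(text):
    """Return (section, message) pairs for the pitfalls this thread ran into."""
    s = parse_ipsec_conf(text)
    setup, default, issues = s.get("config setup", {}), s.get("conn %default", {}), []
    if setup.get("plutodebug", "none") != "none":
        issues.append(("config setup", "plutodebug is on; set it to none and read /var/log/secure"))
    for name, conn in s.items():
        if not name.startswith("conn ") or name == "conn %default": continue
        eff = {**default, **conn}                          # a conn inherits %default
        if "interfaces" in setup and eff.get("left") not in (None, "%defaultroute"):
            issues.append((name, "interfaces=%defaultroute with a fixed left=; removing it is what got this thread's tunnel up"))
        for side in ("leftsubnet", "rightsubnet"):
            if eff.get(side) and not CIDR_RE.match(eff[side]):
                issues.append((name, f"{side}={eff[side]} is not a.b.c.d/nn (missing '/'?)"))
    return issues
```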