[linux] OpenSwan IPSEC connection to a Cisco concentrator

Juraj Variny rini17 at gmail.com
Fri Feb 27 16:25:19 CET 2009


This is the table of parameters I was given:

ISAKMP:
D-H group: 2
encryption: 3DES
hash: SHA1
lifetime: 64800

IPSEC:
proto: ESP
encryption: 3DES
lifetime: 3600
hash: SHA-1
pfs: DH Group 2
compression: no

My ipsec.conf:

version	2.0	# conforms to second version of ipsec.conf specification
# basic configuration
config setup
	interfaces=%defaultroute
	klipsdebug=all
	plutodebug=all
	nat_traversal=yes
	uniqueids=yes
        # with port floating enabled it fails much sooner
	plutoopts=--disable_port_floating
# connection
conn openswan-cisco
	# Left security gateway, subnet behind it, next hop toward right.
        # my address facing the internet
	left=10.0.0.112
	leftid=<<our public IP>>
        #LAN
	leftsubnet=172.17.4.0/24
	# Right security gateway, subnet behind it, next hop toward left.
	right=<<remote public IP>>
	rightsubnet=10.x.y.0/24
        # I tried setting ike and esp, but it has no effect
        #ike=3des-sha1-modp1024
	#esp= 3des-sha1
	keyexchange= ike
	pfs= yes
	auto=start
	authby=secret
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

Juraj

On 26 February 2009 13:46, Michal Kadlic <michal at spinet.sk> wrote:
> Juraj Variny wrote:
>> The IKE phase (authentication) completes fine, but the Cisco keeps
>> replying NO_PROPOSAL_CHOSEN when trying to establish the ESP tunnel.
>
> No proposal chosen looks to me more like a problem with the encryption
> configured in phase 2. Do you have that set correctly?
>
> Or post the configuration file.
> Mike
