I'm currently trying to change the tunnel transform sets to ah+esp on my
freeswan box, connecting to a Cisco PIX. I have no problems using just ESP,
but as soon as I add "auth=ah" the tunnel fails. Both the configurations
can be found below:
Please advise.
Best regards,
Mike
*************
FREESWAN 2.01
*************
conn conn-bstest1
    left=66.66.201.29
    leftsubnet=192.168.10.80/31
    leftnexthop=66.66.201.1
    right=77.77.121.11
    rightsubnet=77.77.175.227/32
    authby=secret
    pfs=no
    esp=3des-md5-96
    ah=hmac-md5-96
    auto=start
    spi=0x600

conn conn-bstest2
    left=66.66.201.29
    leftsubnet=192.168.10.80/31
    leftnexthop=66.66.201.1
    right=77.77.121.11
    rightsubnet=10.99.4.4/32
    authby=secret
    pfs=no
    esp=3des-md5-96
    ah=hmac-md5-96
    auto=start
    spi=0x700
*********
Cisco PIX
*********
Crypto Map: "afuera" interfaces: { outside }
client configuration address initiate
client configuration address respond
Crypto Map "afuera" 10 ipsec-isakmp
Peer = 66.66.201.29
access-list acl_testline; 2 elements
access-list acl_testline line 1 remark Tunel de testline al frontend WAS.
access-list acl_testline line 2 permit ip host 77.77.175.227 object-group testline
access-list acl_testline line 2 permit ip host 77.77.175.227 192.168.10.0 255.255.255.0 (hitcnt=44)
access-list acl_testline line 3 remark Tunel de testline al NAP
access-list acl_testline line 4 permit ip host 10.99.4.4 object-group testline
access-list acl_testline line 4 permit ip host 10.99.4.4 192.168.10.0 255.255.255.0 (hitcnt=40)
Current peer: 66.66.201.29
Security association lifetime: 4608000 kilobytes/86400 seconds
PFS (Y/N): N
Transform sets={ normal, ESP-3DES-MD5, }
******
pix1# sh crypto ipsec transform-set
Transform set normal: { ah-md5-hmac }
   will negotiate = { Tunnel, },
   { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },
Transform set ESP-3DES-MD5: { esp-3des esp-md5-hmac }
   will negotiate = { Tunnel, },
******
pix1# sh crypto isakmp
isakmp enable outside
isakmp key ******** address 66.66.201.29 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp keepalive 120
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 1
isakmp policy 30 lifetime 86400
isakmp policy 40 authentication pre-share
isakmp policy 40 encryption 3des
isakmp policy 40 hash sha
isakmp policy 40 group 2
isakmp policy 40 lifetime 86400
******