Seni
asked on
Openwan
Hi Guys,
I want to establish a p2p IPsec VPN between a Cisco ASA and a Linux server running CentOS 5.x.
From the Linux server side, the server will be both the peer and the internal source; however, the Cisco ASA needs two different IPs:
1. Peer IP
2. Internal hosts for encryption.
To overcome this limitation, I have created a logical interface on the Linux server to act as my encrypted host.
So far, I have managed to get IPsec phase 1 up. I'm struggling to get Phase2. I have attached my configuration from both ends.
Kindly assist in review and let me know where I'm going wrong. cisco-asa-openswan.txt
ASKER
hi,
I tried that but am still facing the same problem. Phase 2 is not coming up.
Does someone have a working configuration that I could edit?
Any chance of showing some logging information?
grep pluto /var/log/security
Please review that it doesn't show any secrets. IP addresses can be obfuscated if needed but should be kept distinctive.
It should show something.
The same for Cisco: show log (filtered to the relevant lines).
ASKER
Hi guys,
Openswan was consuming too much time to troubleshoot and deploy. I decided to drop it and move to another solution due to the time limitation.
I will take on Openswan another time when I have no time restriction.
ASKER CERTIFIED SOLUTION
ASKER
Solution did not work.
rightnexthop should be the address of the gateway on your ASA en route to YOU (not relevant in this case).
leftsubnet is the traffic selector that is communicated during phase 2, so:
leftsubnet=192.168.10.5/32
leftsourceip is the source for packets that should go through the tunnel... so you need to keep that
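To show what the leftsubnet/leftsourceip advice looks like in a full conn block, and how it has to mirror the ASA's crypto ACL, here is an added example ipsec.conf fragment (not from the attachment or the thread). The 192.168.10.5 host comes from the thread; the peer addresses, the ASA inside subnet 10.0.0.0/24, and the conn name are constructed placeholders, and the ASA lines in the comments are the mirror image that must exist on the other side.

```ini
# /etc/ipsec.conf (Openswan) -- added example, addresses are constructed
config setup
        nat_traversal=no
        protostack=netkey

conn asa-p2p
        type=tunnel
        keyexchange=ike
        authby=secret
        # Phase 1: must match the ASA "crypto isakmp policy" exactly.
        # modp1024 is DH group 2 on the ASA side.
        ike=aes128-sha1;modp1024
        # Phase 2: must match the ASA transform-set.
        phase2=esp
        phase2alg=aes128-sha1
        # The ASA does not propose PFS unless "set pfs" is on its crypto map;
        # an Openswan default of pfs=yes is a common reason phase 2 never comes up.
        pfs=no
        # "left" is this Linux box: its public peer address (constructed).
        left=203.0.113.2
        # The logical interface that plays the role of the encrypted host.
        # /32 makes the phase-2 selector a single host, which is what the ASA
        # crypto ACL will see as "host 192.168.10.5".
        leftsubnet=192.168.10.5/32
        # Source address the kernel stamps on locally generated packets
        # destined for the tunnel, so they fall inside leftsubnet.
        leftsourceip=192.168.10.5
        # "right" is the ASA outside interface (constructed).
        right=198.51.100.1
        # Networks behind the ASA (constructed); mirrors the ASA ACL source.
        rightsubnet=10.0.0.0/24
        auto=start

# Matching ASA side (constructed mirror image of the selectors above):
#   access-list vpn-to-linux extended permit ip 10.0.0.0 255.255.255.0 host 192.168.10.5
#   crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
#   crypto map outside_map 10 match address vpn-to-linux
#   crypto map outside_map 10 set peer 203.0.113.2
#   crypto map outside_map 10 set transform-set ESP-AES128-SHA
#
# Checks when phase 2 still fails:
#   - "ipsec auto --status" on Linux lists the conn with both subnets exactly
#     as the ASA ACL names them (any widening/narrowing mismatch breaks QM).
#   - pluto logging "cannot respond to IPsec SA request because no connection
#     is known for ..." is the selector-mismatch symptom on the Linux side.
```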