[c-nsp] IPsec from Linux to Cisco dynamic-map?
Peter Olsson
pol at leissner.se
Thu Apr 19 08:54:36 EDT 2012
Hello!
I'm trying to configure an IPsec star network with a
couple of Linux boxes connecting to a central IOS router
using dynamic-map. The Linux boxes all get their public
IP addresses from DHCP, so the IOS router must use only
dynamic peering for this IPsec network.
The IOS router I'm testing with is an old 2621 running
c2600-ik9o3s3-mz.123-23.
The Linux boxes run Busybox v1.0.5, with IPSec-tools 0.7.
I have this configuration in the router:
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
 encr aes
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp profile L2L
 keyring spokes
 match identity address 0.0.0.0
crypto ipsec transform-set myset esp-aes esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
 set pfs group5
 set isakmp-profile L2L
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/1
 crypto map mymap
Phase 1 seems ok, but then I get this in the Cisco debug:
IPSEC(initialize_sas): invalid proxy IDs
I have tried changing several IPsec parameters (encr, hash,
group, transform-set, pfs, lifetime) on both the Cisco and the Linux
side, but I always end up with the "invalid proxy IDs" error, and
the information I find about this error is that it could be
a mismatch between peering ACLs. But since the router uses
dynamic peering I don't have a peering ACL in the router.
I have tried both 10.1.1.0/24 and 10.1.1.1/24 as "Remote Network"
on the Linux side.
In my Google searches I found some sample configurations
between Cisco and Linux, but unfortunately none using
dynamic-map.
Does anyone know what could be wrong, or how to debug it better?
Thanks!
--
Peter Olsson pol at leissner.se
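As an added example that is not part of the original post: the IPsec-tools 0.7 side of the star network described above, written as a small POSIX shell script so it can be rerun whenever DHCP hands the Linux box a new public address. It mirrors the posted IOS policy (aes / md5 / pre-share / group 5 / 28800 s for ISAKMP, esp-aes esp-md5-hmac with PFS group 5 for IPsec) and builds the setkey SPD so that the Phase 2 proxy IDs racoon sends are <linux_public_ip>/32 on the local side and 10.1.1.0/24 (the network address behind FastEthernet0/0, not 10.1.1.1/24) on the remote side. The router's FastEthernet0/1 address (203.0.113.1), the Linux box's address (198.51.100.7) and the file paths are assumed placeholders; the helper names gen_spd, gen_racoon_conf and gen_psk are mine, not anything from racoon or IOS.

```shell
#!/bin/sh
# Added example, not from the original post or from the IPsec-tools project.
# Generates the racoon/setkey side matching the posted IOS dynamic-map config.
# Assumed placeholders: ROUTER_IP (router's Fa0/1 address), the Linux box's
# own public address (DHCP-assigned, so passed in at run time), file paths.

ROUTER_IP="${ROUTER_IP:-203.0.113.1}"   # assumed: address with 'crypto map mymap'
REMOTE_NET="${REMOTE_NET:-10.1.1.0/24}" # LAN behind Fa0/0 from the post
PSK="${PSK:-cisco123}"                  # matches 'pre-shared-key ... key cisco123'

# Print the setkey SPD. These selectors are what racoon turns into the
# Phase 2 proxy IDs: local side = this host only (/32), remote side = the
# router's LAN as a network address. Tunnel endpoints are the two public IPs.
gen_spd() {
    local_ip="$1"; router_ip="$2"; remote_net="$3"
    cat <<EOF
flush;
spdflush;
spdadd ${local_ip}/32 ${remote_net} any -P out ipsec esp/tunnel/${local_ip}-${router_ip}/require;
spdadd ${remote_net} ${local_ip}/32 any -P in ipsec esp/tunnel/${router_ip}-${local_ip}/require;
EOF
}

# Print racoon.conf. Phase 1 and Phase 2 parameters copy the IOS policy
# line by line (comments name the IOS command each setting corresponds to).
# 'match identity address 0.0.0.0' on IOS means the Linux side must identify
# itself by IP address, hence my_identifier address.
gen_racoon_conf() {
    router_ip="$1"; psk_file="$2"
    cat <<EOF
path pre_shared_key "${psk_file}";

remote ${router_ip} {
    exchange_mode main;
    my_identifier address;
    proposal_check obey;
    lifetime time 28800 sec;                  # isakmp policy 10: lifetime 28800
    proposal {
        encryption_algorithm aes;             # encr aes
        hash_algorithm md5;                   # hash md5
        authentication_method pre_shared_key; # authentication pre-share
        dh_group 5;                           # group 5
    }
}

sainfo anonymous {
    pfs_group 5;                              # set pfs group5
    encryption_algorithm aes;                 # esp-aes
    authentication_algorithm hmac_md5;        # esp-md5-hmac
    compression_algorithm deflate;
}
EOF
}

# Print the pre-shared key file line: "<peer identifier> <key>".
gen_psk() {
    router_ip="$1"; psk="$2"
    printf '%s %s\n' "$router_ip" "$psk"
}

# Typical use on the spoke (commented out so the script is safe to source):
#   LOCAL_IP=198.51.100.7   # assumed; read it from the DHCP lease in practice
#   gen_spd "$LOCAL_IP" "$ROUTER_IP" "$REMOTE_NET" | setkey -c
#   gen_racoon_conf "$ROUTER_IP" /etc/racoon/psk.txt > /etc/racoon/racoon.conf
#   gen_psk "$ROUTER_IP" "$PSK" > /etc/racoon/psk.txt && chmod 600 /etc/racoon/psk.txt
```

Two things worth checking against this on the router: `debug crypto ipsec` will print the proxy identities it received from the spoke, so the local /32 and remote 10.1.1.0/24 selectors above can be compared directly with what the router complains about, and the key file must be mode 0600 or racoon refuses to read it.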