<div>Hi,</div>
<div> </div>
<div>By using the Cisco command "debug crypto isakmp" you should be able to troubleshoot this issue, which should be caused by a misconfiguration. Make sure your transform set is correct and check whether you're using group 1 or group 2.</div>
<div> </div>
<div>Cheers,</div>
<div> </div>
<div>Steve Rigano <br><br></div>
<div class="gmail_quote">2010/5/12 François Van Ingelgom <span dir="ltr"><<a href="mailto:francois.vaningelgom@pcsol.be">francois.vaningelgom@pcsol.be</a>></span><br>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi Andreas!<br><br>I've recreated my setup and, this time, I'm not even able to establish the tunnel.<br>
<br>On the Cisco it fails with the error: "Notify has no hash. Rejected."<br><br>I've attached the debug output of every device.<br><br>I really have no idea how to sort it out, and Google is not such a good friend today :)<br>
<div class="im"><br>Thanks a lot!<br><br>François Van Ingelgom -- PCSOL<br><br></div>PS: Debug-Cisco = debug crypto isakmp + debug crypto ipsec<br>Debug-Strongswan = cat /var/log/messages with klips and pluto debug set to all<br>
<br><br>On 11 May 2010 at 17:34, Andreas Steffen wrote:<br><br>> left = local and right = remote<br>><br>> is just our recommendation in order to help your orientation.<br>> strongSwan works equally well with left and right swapped.<br>
> I was just wondering that remote end used private network<br>> addresses which are not routable.<br>><br>> Best regards<br>><br>> Andreas<br>><br>> On 05/11/2010 05:20 PM, François Van Ingelgom wrote:<br>
>> In fact, no, the strongSwan side is: left=81.246.56.89<br>>><br>>> The Cisco IOS: right=192.168.1.218.<br>>><br>>> I'll try to recreate the configuration tomorrow with the two ends in<br>
>> our 81.246.56.64/27 subnet.<br>>><br>>> From what I understood in the ipsec.conf documentation, left is the actual<br>>> local machine and right is the remote one, is that correct?<br>
>><br>>> Thanks for your help, I'll post what you asked tomorrow.<br>>><br>>> François Van Ingelgom -- PCSOL<br>>><br>>><br>>> On 11 May 2010 at 17:08, Andreas Steffen wrote:<br>
>><br>>>> Hello François,<br>>>><br>>>> I don't see anything special in your configuration file except that<br>>>> it looks like an Openswan configuration.<br>>>><br>
>>> I assume that the strongSwan side is<br>>>><br>>>> right=192.168.1.218<br>>>><br>>>> which makes use of a port forwarding setup (NAT traversal seems not<br>>>> to be enabled) on the router<br>
>>><br>>>> rightnexthop=192.168.1.1<br>>>><br>>>> in order to be reachable from the Internet and that<br>>>><br>>>> left=81.246.56.89<br>>>><br>>>> is the Cisco IOS box. In order to give you some help I would need<br>
>>> the output of<br>>>><br>>>> ipsec statusall<br>>>><br>>>> and<br>>>><br>>>> ip -s xfrm state<br>>>><br>>>> ip -s xfrm policy<br>>>><br>
>>> after the successful connection setup and after a failed ping.<br>>>><br>>>> Best regards<br>>>><br>>>> Andreas<br>>>><br>>>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:<br>
>>>> Hi everyone!<br>>>>><br>>>>> I'm trying to set up strongSwan (Debian package) with a Cisco<br>>>>> router (IOS 12.4).<br>>>>><br>>>>> Both servers are on the same subnet (our public subnet) for<br>
>>>> testing purposes.<br>>>>><br>>>>> Here is my ipsec.conf for strongSwan:<br>>>>><br>
>>>> version 2.0 # conforms to second version of ipsec.conf specification<br>>>>><br>
>>>> config setup<br>>>>>     interfaces="ipsec0=eth0"<br>>>>><br>
>>>> conn %default<br>>>>>     ikelifetime=86400<br>>>>>     keylife=3600<br>>>>>     keyingtries=%forever<br>>>>>     authby=secret<br>>>>>     auth=esp<br>>>>>     ike=aes128-sha1-modp1024!<br>>>>>     esp=aes128-sha1!<br>>>>>     pfs=no<br>>>>>     dpdaction=hold<br>>>>>     dpddelay=60<br>>>>>     dpdtimeout=500<br>>>>><br>
>>>> conn tunnelipsec<br>>>>>     type=tunnel<br>>>>>     auto=start<br>>>>>     left=81.246.56.89<br>>>>>     leftnexthop=81.246.56.65<br>>>>>     leftsubnet=192.168.16.0/24<br>>>>>     right=192.168.1.218<br>>>>>     rightnexthop=192.168.1.1<br>>>>>     rightsubnet=192.168.18.0/24<br>>>>><br>
>>>> include /etc/ipsec.d/examples/no_oe.conf<br>>>>><br>
>>>> And here is my ipsec.secrets:<br>>>>><br>>>>> 81.246.56.89: PSK "SecretTunnelPass"<br>>>>><br>
>>>> I'm sorry, I don't have the Cisco config right here, but it's a<br>>>>> classical non-tunnel configuration (esp-aes esp-sha-hmac, aes128<br>>>>> and sha).<br>>>>><br>
>>>> In fact, the connection can be established, but when I try to ping<br>>>>> the other end, the Cisco fails, claiming that it has no route for<br>>>>> the network connected to the strongSwan....<br>
>>>><br>>>>> I really have no idea how to set it up, and I've been searching<br>>>>> for a very long time now :/<br>>>>><br>>>>> If anybody has any idea, hints or anything, I'll greatly<br>
>>>> appreciate it :)<br>>>>><br>>>>> Thanks a lot<br>>>>><br>>>>> François Van Ingelgom -- PCSOL<br>>>>><br>><br>> ======================================================================<br>
> Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>> strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org/" target="_blank">www.strongswan.org</a><br>
> Institute for Internet Technologies and Applications<br>> University of Applied Sciences Rapperswil<br>> CH-8640 Rapperswil (Switzerland)<br>> ===========================================================[ITA-HSR]==<br>
<br><br><br><br><br>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</blockquote></div><br>
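<div>As an added worked example (not configuration posted in this thread, nor from the strongSwan project or Cisco), here is one matching pair of configurations for the two subnets discussed above, showing what Steve's advice means in practice: the strongSwan ike= and esp= proposals and the Cisco IOS isakmp policy plus transform set must agree attribute by attribute, with modp1024 in strongSwan corresponding to "group 2" on the Cisco, and pfs=no corresponding to a crypto map without "set pfs". Assumptions not taken from the thread: the Cisco's interface toward the peer is FastEthernet0/0 and the two peers reach each other directly with no NAT in between (if the Cisco really sits behind 192.168.1.1 as a NAT box, NAT traversal has to be enabled on both sides instead); the Openswan-specific options interfaces= and auth= are omitted on the strongSwan side.</div>

```conf
# ---- strongSwan side (81.246.56.89): /etc/ipsec.conf (added example) ----
config setup
    # pluto handles IKEv1 in strongSwan 4.x; charon is only needed for IKEv2
    plutostart=yes
    charonstart=no

conn %default
    keyexchange=ikev1
    authby=secret
    ikelifetime=24h       # matches "lifetime 86400" in the Cisco isakmp policy
    keylife=1h            # matches the Cisco IPsec SA lifetime of 3600 s
    keyingtries=%forever

conn tunnelipsec
    type=tunnel
    auto=start
    left=81.246.56.89
    leftsubnet=192.168.16.0/24
    right=192.168.1.218        # assumption: reachable directly, no NAT
    rightsubnet=192.168.18.0/24
    # Phase 1: AES-128 / SHA-1 / DH group 2 (modp1024); the trailing "!"
    # makes this the only proposal offered, so a mismatch fails loudly.
    ike=aes128-sha1-modp1024!
    # Phase 2: esp-aes (128) + esp-sha-hmac on the Cisco
    esp=aes128-sha1!
    pfs=no                     # Cisco crypto map has no "set pfs" line

# ---- strongSwan side: /etc/ipsec.secrets (added example) ----
# both peer addresses on the line, so the PSK is selected for this pair
81.246.56.89 192.168.1.218 : PSK "SecretTunnelPass"

# ---- Cisco IOS 12.4 side (192.168.1.218), running-config excerpt (added example) ----
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key SecretTunnelPass address 81.246.56.89
!
crypto ipsec security-association lifetime seconds 3600
!
crypto ipsec transform-set STRONGSWAN esp-aes esp-sha-hmac
 mode tunnel
!
! "interesting traffic": 192.168.18.0/24 (behind the Cisco) <-> 192.168.16.0/24 (behind strongSwan)
ip access-list extended TO-STRONGSWAN
 permit ip 192.168.18.0 0.0.0.255 192.168.16.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 81.246.56.89
 set transform-set STRONGSWAN
 match address TO-STRONGSWAN
!
interface FastEthernet0/0
 ! assumption: this is the interface facing the strongSwan peer
 ip address 192.168.1.218 255.255.255.0
 crypto map VPN
!
! A crypto map only encrypts packets that are already routed out of the
! interface it is applied to; without a route for the remote subnet the
! router drops pings to 192.168.16.0/24 with a "no route" message.
ip route 192.168.16.0 255.255.255.0 192.168.1.1
```

<div>Once both sides are in place, "debug crypto isakmp" on the Cisco should show the Phase 1 proposal being accepted, and on the strongSwan host "ipsec statusall" should list tunnelipsec as ESTABLISHED while "ip -s xfrm policy" shows a policy for 192.168.16.0/24 &lt;-&gt; 192.168.18.0/24; if the Cisco instead logs a proposal mismatch, diff the isakmp policy against the ike= line and the transform set against the esp= line before touching anything else.</div>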