Hello!

I configured StrongSwan as a client to a Cisco ASA gateway, but they cannot establish the connection. The ASA is configured to accept client connections based on certificates, and Cisco VPN clients are able to connect. Since I need a Linux client to connect to the ASA, I would really appreciate your help.

002 "vpn" #3: initiating Main Mode
104 "vpn" #3: STATE_MAIN_I1: initiate
003 "vpn" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
003 "vpn" #3: ignoring Vendor ID payload [FRAGMENTATION c0000000]
002 "vpn" #3: enabling possible NAT-traversal with method RFC 3947
106 "vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn" #3: ignoring Vendor ID payload [Cisco-Unity]
003 "vpn" #3: received Vendor ID payload [XAUTH]
003 "vpn" #3: ignoring Vendor ID payload [938e6beb766dee4e3e9a9ca612bf9c0e]
003 "vpn" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "vpn" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "vpn" #3: we have a cert and are sending it upon request
108 "vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #3: received Vendor ID payload [Dead Peer Detection]
002 "vpn" #3: Peer ID is ID_DER_ASN1_DN: 'CN=ASA 5510'
002 "vpn" #3: crl not found
002 "vpn" #3: certificate status unknown
002 "vpn" #3: crl not found
002 "vpn" #3: certificate status unknown
002 "vpn" #3: ISAKMP SA established
004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established
002 "vpn" #3: parsing XAUTH request
002 "vpn" #3: sending XAUTH reply
120 "vpn" #3: STATE_XAUTH_I1: sent XAUTH reply, expecting status
002 "vpn" #3: parsing XAUTH status
002 "vpn" #3: extended authentication was successful
002 "vpn" #3: sending XAUTH ack
002 "vpn" #3: sent XAUTH ack, established
004 "vpn" #3: STATE_XAUTH_I2: sent XAUTH ack, established
002 "vpn" #3: sending ModeCfg request
002 "vpn" #3: parsing ModeCfg reply
002 "vpn" #3: setting virtual IP source address to 10.2.9.6
002 "vpn" #3: received ModeCfg reply, established
004 "vpn" #3: STATE_MODE_CFG_I2: received ModeCfg reply, established
002 "vpn" #4: initiating Quick Mode ENCRYPT+TUNNEL+PFS+UP+XAUTHRSASIG {using isakmp#3}
112 "vpn" #4: STATE_QUICK_I1: initiate
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "vpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Here is my ipsec.conf:

config setup
    plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    plutostart=yes
    charonstart=no
    plutostderrlog=/var/log/pluto.log

conn vpn
    ike=aes-md5-modp1024
    esp=aes-md5
    left=%defaultroute
    leftcert=laptop1.pem
    leftsourceip=%modeconfig
    modeconfig=pull
    right=217.24.19.114
    rightid="CN=ASA 5510"
    rightca=%same
    authby=xauthrsasig
    auto=add

Any suggestions?
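To read a pluto log like the one in this post mechanically, here is an added example (not from the original post and not part of strongSwan): a small Python script that parses pluto's status lines, records which milestones of the IKEv1 negotiation were reached, extracts the ModeCfg virtual IP, and reports the state in which the initiator stalled on retransmissions. SAMPLE_LOG is abridged from the post's own log; the STALL_HINTS texts are this example's own assumptions about what a stall in each state usually means, not strings pluto prints.

```python
import re
# pluto log line: '<code> "<conn>" #<sa>: <message>'
LINE_RE = re.compile(r'^\d{3} "[^"]+" #\d+: (?P<msg>.*)$')
# Milestones of an IKEv1 client negotiation (XAUTH + ModeCfg), keyed by the
# state pluto prints once that step has completed.
MILESTONES = [("STATE_MAIN_I4", "phase 1 (ISAKMP SA) established"),
              ("STATE_XAUTH_I2", "XAUTH completed"),
              ("STATE_MODE_CFG_I2", "ModeCfg completed"),
              ("STATE_QUICK_I2", "phase 2 (IPsec SA) established")]
# What a stall (retransmissions with no reply at all) in a given state means (assumed hints).
STALL_HINTS = {
    "STATE_MAIN_I1": "no reply to first Main Mode message: peer unreachable or not listening",
    "STATE_QUICK_I1": "no reply to first Quick Mode message: phase 2 proposal or selectors rejected",
}

def analyse_pluto_log(text):
    """Summarise how far an IKEv1 negotiation got and where it stalled."""
    r = {"reached": [], "virtual_ip": None, "stalled_at": None, "retransmissions": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip anything that is not a pluto status line
        msg = m.group("msg")
        for state, desc in MILESTONES:
            if msg.startswith(state + ":") and desc not in r["reached"]:
                r["reached"].append(desc)
        ip = re.search(r"virtual IP source address to (\S+)", msg)
        if ip:
            r["virtual_ip"] = ip.group(1)
        if "retransmission;" in msg:      # same message resent, peer silent
            r["retransmissions"] += 1
            r["stalled_at"] = msg.split(":", 1)[0]
    if "phase 2 (IPsec SA) established" in r["reached"]:
        r["diagnosis"] = "tunnel established"
    elif r["stalled_at"]:
        r["diagnosis"] = STALL_HINTS.get(r["stalled_at"], "stalled in " + r["stalled_at"])
    else:
        r["diagnosis"] = "incomplete log, no retransmissions seen"
    return r

# Abridged from the log in the post above.
SAMPLE_LOG = """\
004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established
004 "vpn" #3: STATE_XAUTH_I2: sent XAUTH ack, established
002 "vpn" #3: setting virtual IP source address to 10.2.9.6
004 "vpn" #3: STATE_MODE_CFG_I2: received ModeCfg reply, established
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
"""
```

Run as `python3 -c 'import pluto_log; print(pluto_log.analyse_pluto_log(pluto_log.SAMPLE_LOG))'` (assuming the file is saved as pluto_log.py) to see that phase 1, XAUTH and ModeCfg all completed and the stall is in STATE_QUICK_I1, matching the post's log.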