<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
We did run into a problem with DH group -- they were using Group 1 and
we had to change it to Group 2.<br>
<br>
Here's my config; we're using ipsec v4.4.1 so I have pluto running, but
we have a connection and a GRE tunnel:<br>
<br>
<blockquote><tt>config setup</tt><br>
<tt> plutodebug=control</tt><br>
<tt> #plutodebug=all</tt><br>
<tt> plutostart=yes</tt><br>
<tt> charondebug=control</tt><br>
<tt> charonstart=no</tt><br>
<tt> klipsdebug=all</tt><br>
<br>
<tt>conn %default</tt><br>
<tt> ikelifetime=86400s</tt><br>
<tt> keylife=3600s</tt><br>
<tt> rekeymargin=3m</tt><br>
<tt> keyingtries=1</tt><br>
<tt> keyexchange=ikev1</tt><br>
<tt> authby=secret</tt><br>
<tt> ike=3des-md5-modp1024</tt><br>
<tt> esp=3des-md5</tt><br>
<tt> pfs=no</tt><br>
<tt> type=tunnel</tt><br>
</blockquote>
I set up the %default because we need to go to multiple subnets on the
remote side (we don't have access to that router). The connections are:<br>
<br>
<br>
<blockquote><tt>conn cdl-gre</tt><br>
<tt> right=74.125.225.81</tt><br>
<tt> rightsubnet=10.50.254.1/32</tt><br>
<tt> rightprotoport=47/0</tt><br>
<tt> left=%defaultroute</tt><br>
<tt> #left=169.207.1.3</tt><br>
<tt> leftsubnet=10.50.0.42/32</tt><br>
<tt> leftsourceip=10.50.0.42</tt><br>
<tt> leftprotoport=47/0</tt><br>
<tt> leftfirewall=yes</tt><br>
<tt> auto=start</tt><br>
<br>
<tt>conn cdl-00</tt><br>
<tt> right=74.125.225.81</tt><br>
<tt> rightsubnet=10.31.70.0/24</tt><br>
<tt> left=%defaultroute</tt><br>
<tt> leftsubnet=10.50.42.0/24</tt><br>
<tt> auto=start</tt><br>
<br>
<tt>conn cdl-01</tt><br>
<tt> right=74.125.225.81</tt><br>
<tt> rightsubnet=10.31.71.0/24</tt><br>
<tt> left=%defaultroute</tt><br>
<tt> leftsubnet=10.50.42.0/24</tt><br>
<tt> auto=start</tt><br>
<br>
<tt>conn cdl-02</tt><br>
<tt> right=74.125.225.81</tt><br>
<tt> rightsubnet=10.31.172.0/24</tt><br>
<tt> left=%defaultroute</tt><br>
<tt> leftsubnet=10.50.42.0/24</tt><br>
<tt> auto=start</tt><br>
<br>
<tt>conn cme-03</tt><br>
<tt> right=74.125.225.81</tt><br>
<tt> rightsubnet=10.31.173.0/24</tt><br>
<tt> left=%defaultroute</tt><br>
<tt> leftsubnet=10.50.42.0/24</tt><br>
<tt> auto=start</tt><br>
</blockquote>
<br>
We're doing PSK, so in the ipsec.security we have:<br>
<br>
<blockquote><tt>169.207.1.3 74.125.225.81 : PSK "xxxPasswordHerexxx"<br>
</tt><br>
</blockquote>
The config on the Cisco side that they sent us is:<br>
<blockquote><tt>!<br>
!<br>
crypto isakmp policy 1<br>
 encr 3des<br>
 hash md5<br>
 authentication pre-share<br>
!<br>
!<br>
crypto ipsec transform-set cdlvpn esp-3des esp-md5-hmac<br>
!<br>
!<br>
crypto isakmp key xxxPasswordHerexxx address 169.207.1.3<br>
!<br>
crypto map cmevpn 47 ipsec-isakmp<br>
 description CustomerData LLC (CERT01-1805)<br>
 set peer 169.207.1.3<br>
 set transform-set cdlvpn<br>
 match address CERT01-1805<br>
!<br>
!<br>
ip access-list extended CERT01-1805<br>
 permit ip 10.31.70.0 0.0.0.255 10.50.42.0 0.0.0.255<br>
 permit ip 10.31.71.0 0.0.0.255 10.50.42.0 0.0.0.255<br>
 permit ip 10.31.172.0 0.0.0.255 10.50.42.0 0.0.0.255<br>
 permit ip 10.31.173.0 0.0.0.255 10.50.42.0 0.0.0.255<br>
 permit gre host 10.50.254.1 host 10.50.0.42<br>
!<br>
!<br>
</tt></blockquote>
<br>
<br>
On 09/28/2012 06:31 AM, Neeraj Sharma wrote:
<blockquote cite="mid:SNT002-W161EB4DCD9D2D3EA2A986ED9820@phx.gbl"
type="cite">
<div dir="ltr">btw I am using StrongSwan 5.0.0<br>
<br>
-Neeraj<br>
<br>
<div>
<hr id="stopSpelling">From: <a class="moz-txt-link-abbreviated" href="mailto:kaju09@live.in">kaju09@live.in</a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:edk@cendatsys.com">edk@cendatsys.com</a>; <a class="moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
Date: Fri, 28 Sep 2012 16:58:53 +0530<br>
Subject: Re: [strongSwan] Cannot do IKEv1/PSK Main Mode in Cisco ASA
5510<br>
<br>
<div dir="ltr"># ipsec.conf<br>
<br>
config setup<br>
charondebug="dmn 1"<br>
<br>
conn %default<br>
ikelifetime=60m<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
keyexchange=ikev1<br>
aggressive=no<br>
type=tunnel<br>
dpdaction=clear<br>
dpddelay=60s<br>
<br>
<br>
conn home<br>
left=%defaultroute<br>
xauth_identity=user<br>
leftid=@CiscoPSKCxnProfile<br>
xauth = client<br>
leftsourceip = %config<br>
leftauth=psk<br>
leftauth2=xauth<br>
leftfirewall=no<br>
right=111.222.333.444<br>
rightsubnet=192.168.0.0/16<br>
rightauth=psk<br>
ike=aes-sha-modp1024<br>
esp=aes-sha1-modp1024<br>
auto=start<br>
<br>
<br>
# the ipsec.secrets has the corresponding PSK and password for user<br>
<br>
Do let me know if you see any issues.<br>
<br>
-Neeraj<br>
<br>
<div>
<hr id="ecxstopSpelling">Subject: Re: [strongSwan] Cannot do
IKEv1/PSK Main Mode in Cisco ASA 5510<br>
From: <a class="moz-txt-link-abbreviated" href="mailto:edk@cendatsys.com">edk@cendatsys.com</a><br>
Date: Thu, 27 Sep 2012 08:53:40 -0500<br>
To: <a class="moz-txt-link-abbreviated" href="mailto:kaju09@live.in">kaju09@live.in</a>; <a class="moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>
<br>
I just went through this same problem -- still struggling with routing
but seem to have the connection.<br>
<br>
What's the Cisco config and your ipsec.conf?<br>
<br>
<div class="ecxgmail_quote">Neeraj Sharma <a class="moz-txt-link-rfc2396E" href="mailto:kaju09@live.in"><kaju09@live.in></a>
wrote:
<blockquote class="ecxgmail_quote" style="padding-left: 1ex;">
<div dir="ltr">I tried doing this a couple of times and did succeed
with configuring a StrongSwan client connecting to a Cisco ASA 5510 in
IKEv1/PSK Main Mode. What works at present is the IKEv1/PSK Aggressive
mode.<br>
<br>
I am no Cisco expert, so it's possible (endre pointed out over freenode
#strongswan that it works as well) that I am missing a Cisco ASA
config. Any pointers (doc, etc.) will be of great help.<br>
<br>
Thanks,<br>
Neeraj<br>
</div>
<pre
style="white-space: pre-wrap; word-wrap: break-word; font-family: sans-serif;"><hr>
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a moz-do-not-send="true"
href="https://lists.strongswan.org/mailman/listinfo/users"
target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
</div>
<br>
-- <br>
Sent from my Android phone with K-9 Mail. Please excuse my brevity.</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Edward King
Direct: (414) 448-1308
N27 W23957 Paul Road, Suite 102
Pewaukee, WI 53072
p: 262-524-9290
f: 262-524-1555
w: <a class="moz-txt-link-abbreviated" href="http://www.cendatsys.com">www.cendatsys.com</a>
</pre>
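<br>
As an added worked example (not code from this thread, from strongSwan or from Cisco), the Python below takes the Cisco isakmp policy and crypto ACL posted in the reply above and derives the matching strongSwan ike= proposal and conn selectors. It fills in the IOS defaults for omitted policy lines (no group line means Group 1, i.e. modp768), which reproduces the Group 1 versus Group 2 mismatch mentioned at the top of the reply, and it flags which algorithms in the agreed proposal are now considered weak. The default table, the keyword map, the weak-algorithm set and the conn naming are assumptions of the example.<br>

```python
import re
import ipaddress

IOS_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}   # assumed IOS values when a policy omits the line
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
NAME_MAP = {"sha": "sha1", "aes": "aes128"}                    # IOS keyword -> strongSwan keyword (assumed map)
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}   # algorithms to schedule for retirement
# Three lines of the crypto ACL posted in the thread, embedded here as the sample input.
CISCO_ACL = """
permit ip 10.31.70.0 0.0.0.255 10.50.42.0 0.0.0.255
permit ip 10.31.173.0 0.0.0.255 10.50.42.0 0.0.0.255
permit gre host 10.50.254.1 host 10.50.0.42
"""

def cisco_policy_to_ike(policy_text):
    """strongSwan ike= proposal equivalent to an IOS 'crypto isakmp policy' block."""
    pol = dict(IOS_DEFAULTS)
    for key, val in re.findall(r"^\s*(encr|hash|group)\s+(\S+)", policy_text, re.M):
        pol[key] = val
    return "-".join(NAME_MAP.get(p, p) for p in (pol["encr"], pol["hash"], DH_GROUPS[pol["group"]]))

def proposal_mismatch(ours, theirs):
    """Components (enc, hash, dh) on which two ike= strings disagree; [] means the peers agree."""
    return [n for n, a, b in zip(("enc", "hash", "dh"), ours.split("-"), theirs.split("-")) if a != b]

def weak_components(ike):
    """Algorithms in a proposal that both peers should plan to replace."""
    return sorted(set(ike.split("-")) & WEAK)

def wildcard_to_cidr(addr, wildcard):
    """Cisco wildcard mask (0.0.0.255) -> CIDR network (10.31.70.0/24)."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return str(ipaddress.IPv4Network((addr, str(mask))))

def acl_to_conns(acl_text, peer, prefix):
    """One conn per permit line; the ACL's Cisco-side source is our rightsubnet, its destination our leftsubnet."""
    conns = []
    for line in acl_text.strip().splitlines():
        p = line.split()
        if p[:2] == ["permit", "gre"]:                      # permit gre host A host B
            sel = {"rightsubnet": p[3] + "/32", "leftsubnet": p[5] + "/32",
                   "rightprotoport": "47/0", "leftprotoport": "47/0"}
        elif p[:2] == ["permit", "ip"]:                     # permit ip A wcA B wcB
            sel = {"rightsubnet": wildcard_to_cidr(p[2], p[3]),
                   "leftsubnet": wildcard_to_cidr(p[4], p[5])}
        else:
            continue
        conns.append({"name": f"{prefix}-{len(conns):02d}", "right": peer,
                      "left": "%defaultroute", "auto": "start", **sel})
    return conns
```

A proposal that still needs 3des, md5 or modp1024 to interoperate should be tracked as a migration item on both peers rather than left as a permanent setting.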
</body>
</html>