<div dir="ltr">Hi<br><br>I was trying to bring up an IPSec connection between strongswan 5.0.1 and cisco, but I was not successful. Only phase 1 established. I paste the configuration below. please help me find my mistake.<br>
<br>By the way, I read below text in <a href="http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1">strongswan.org</a>. it seems the only way is using XAUTH. am I right?<br><br>"IKEv1 Mode Config Push Mode is not implemented yet. This might be an issue with Cisco Access Concentrators which usually force Mode Config Push Mode in the absence of XAUTH-based authentication."<br>
<br>Thanks in advance<div>Ali<br><div><br><br><b>Strongswan 5.0.1 Configuration:</b><br><br>config setup<br> uniqueids="no"<br> strictcrlpolicy="no"<br><br>conn %default<br> keyingtries="%forever"<br>
leftsendcert="always"<br><br>conn Tunnel_1<br> authby="psk"<br> auto="start"<br> type="tunnel"<br> compress="no"<br> rekeymargin="540s"<br>
left="10.132.154.157"<br> leftsubnet="<a href="http://10.132.154.152/29">10.132.154.152/29</a>"<br> right="10.132.154.158"<br> rightsubnet="<a href="http://10.132.219.70/32">10.132.219.70/32</a>"<br>
ike="3des-md5-modp1024"<br> esp="3des-md5-modp1024"<br> #modeconfig = "push"<br> ikelifetime="86400"<br> keylife="86400"<br> keyexchange="ikev1"<br>
<br><b>ipsec.secrets:</b><br><br>10.132.154.157 10.132.154.158 : PSK "XXXXXXXXXX"<br><br>-------------------------------------------------------------------------------<br><br><b>Cisco configuration:</b></div><div>
<br>crypto isakmp key XXXXXXXXXX address 10.132.154.157<br><br>crypto ipsec transform-set vpn_TS2 esp-3des esp-md5-hmac<br><br>crypto isakmp policy 2<br>encr 3des<br>hash md5<br>authentication pre-share<br>group 2<br><br>
<br>crypto map Company1 2 ipsec-isakmp<br>description connected Company1<br>set peer 10.132.154.157<br>set security-association lifetime seconds 86400<br>set transform-set vpn_TS2<br>set pfs group2<br>match address Company1<br>
<br>ip access-list extended Company1<br>permit ip host 10.132.154.153 host 10.132.219.70<br>permit ip host 10.132.154.154 host 10.132.219.70<br>permit ip host 10.132.154.155 host 10.132.219.70<br>permit ip host 10.132.154.156 host 10.132.219.70<br>
<br><br>---------------------------------------------------------------------------------<br><br><b>"ipsec status" output:</b><br><br>Security Associations (2 up, 0 connecting):<br>Tunnel_1[8]: ESTABLISHED 17 hours ago, 10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]<br>
<br><br>"<b>ipsec up Tunnel_1" output:</b><br><br><br>initiating Main Mode IKE_SA Tunnel_1[10] to 10.132.154.158<br>generating ID_PROT request 0 [ SA V V V ]<br>sending packet: from 10.132.154.157[500] to 10.132.154.158[500]<br>
received packet: from 10.132.154.158[500] to 10.132.154.157[500]<br>parsed ID_PROT response 0 [ SA ]<br>generating ID_PROT request 0 [ KE No ]<br>sending packet: from 10.132.154.157[500] to 10.132.154.158[500]<br>received packet: from 10.132.154.158[500] to 10.132.154.157[500]<br>
parsed ID_PROT response 0 [ KE No V V V V ]<br>generating ID_PROT request 0 [ ID HASH ]<br>sending packet: from 10.132.154.157[500] to 10.132.154.158[500]<br>received packet: from 10.132.154.158[500] to 10.132.154.157[500]<br>
parsed ID_PROT response 0 [ ID HASH ]<br>IKE_SA Tunnel_1[10] established between 10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]<br>scheduling reauthentication in 85675s<br>maximum IKE_SA lifetime 86215s<br>
generating QUICK_MODE request 714104555 [ HASH SA No ID ID ]<br>sending packet: from 10.132.154.157[500] to 10.132.154.158[500]<br>received packet: from 10.132.154.158[500] to 10.132.154.157[500]<br>parsed INFORMATIONAL_V1 request 86997070 [ HASH N(NO_PROP) ]<br>
received <b>NO_PROPOSAL_CHOSEN</b> error notify</div></div></div>