<div dir="ltr">Hi,<div><br></div><div>Yes, I did have a similar problem; the solution is creating a crypto map on the Cisco config compliant with the Linux IPsec standard.</div><div>There are lots of tutorials explaining it on the net.</div>
<div>I would have sent some sample lines but do not have them available right now.</div><div><br></div><div>Best Regards,</div><div><br></div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/12/5 Sergio Samayoa <span dir="ltr"><<a href="mailto:sergiosamayoa@icon.com.gt" target="_blank">sergiosamayoa@icon.com.gt</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi.<div><br></div><div>I have a problem connecting from strongSwan 5.1.1 to Cisco ASA 5520:</div><div><br>
</div><div>On the Cisco (B) side there is an ACL controlling which hosts the strongSwan (A) side can access.<br>
</div><div><br></div><div>This is the Cisco configuration:</div><div><br></div><div><div>tunnel-group X.X.X.X type ipsec-l2l</div><div>tunnel-group X.X.X.X ipsec-attributes</div><div>pre-shared-key ******</div></div><div>
<br></div><div><div>crypto map Tunel 170 match address PREDICTIBILIDAD</div><div>crypto map Tunel 170 set peer X.X.X.X</div><div>crypto map Tunel 170 set transform-set TEMM10</div><div>crypto map Tunel 170 set pfs group2</div>
</div><div><br></div><div><div>access-list PREDICTIBILIDAD extended permit ip host 10.225.230.212 host 172.255.255.78</div><div>access-list PREDICTIBILIDAD extended permit ip host 10.225.207.77 host 172.255.255.78</div><div>
access-list PREDICTIBILIDAD extended permit ip host 10.225.240.20 host 172.255.255.78</div><div>access-list PREDICTIBILIDAD extended permit ip host 10.2.81.168 host 172.255.255.78</div><div>access-list PREDICTIBILIDAD extended permit ip host 10.216.15.145 host 172.255.255.78</div>
<div>access-list PREDICTIBILIDAD extended permit ip host 10.216.15.201 host 172.255.255.78</div><div>access-list PREDICTIBILIDAD extended permit ip host 10.216.15.210 host 172.255.255.78</div><div>access-list PREDICTIBILIDAD extended permit ip host 10.216.15.135 host 172.255.255.78</div>
<div>access-list PREDICTIBILIDAD extended permit ip host 10.2.81.187 host 172.255.255.78</div><div>access-list PREDICTIBILIDAD extended permit ip host 10.225.173.177 host 172.255.255.78</div><div>access-list PREDICTIBILIDAD extended permit ip host 10.225.136.9 host 172.255.255.78</div>
<div>access-list PREDICTIBILIDAD extended permit ip host 10.225.173.178 host 172.255.255.78</div><div>access-list PREDICTIBILIDAD extended permit ip host 10.15.122.237 host 172.255.255.78</div></div><div><br></div><div>strongSwan config:</div>
<div><div><br></div><div><div>conn TELEFONICAMX</div><div> ikelifetime=28800s</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyexchange=ikev1</div><div> authby=secret</div>
<div> ike=3des-md5-modp1024</div><div> esp=3des-md5-modp1024</div><div> left=X.X.X.X</div><div> leftid=X.X.X.X</div><div> leftfirewall=yes</div><div> right=Y.Y.Y.Y</div><div> rightid=Y.Y.Y.Y</div>
<div> auto=add</div><div> rightsubnet=10.225.230.212,10.225.207.77,10.225.240.20,10.2.81.168,10.216.15.145,10.216.15.201,10.216.15.210,10.216.15.135,10.2.81.187,10.225.173.177,10.225.136.9,10.225.173.178,10.15.122.237</div>
</div><div><br></div><div>strongSwan was compiled with unity enabled.</div><div><br></div><div>When I try to bring up the connection I get this:</div><div><br></div><div><div>root@vpn-tmmx:/usr/local/etc# ipsec up TELEFONICAMX</div>
<div>initiating Main Mode IKE_SA TELEFONICAMX[2] to Y.Y.Y.Y</div><div>generating ID_PROT request 0 [ SA V V V V ]</div><div>sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (184 bytes)</div><div>received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (104 bytes)</div>
<div>parsed ID_PROT response 0 [ SA V ]</div><div>received FRAGMENTATION vendor ID</div><div>generating ID_PROT request 0 [ KE No ]</div><div>sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (196 bytes)</div><div>received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (256 bytes)</div>
<div>parsed ID_PROT response 0 [ KE No V V V V ]</div><div>received Cisco Unity vendor ID</div><div>received XAuth vendor ID</div><div>received unknown vendor ID: 5f:03:43:5c:a7:b9:51:2d:a5:40:d3:91:67:d0:7a:7c</div><div>
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00</div><div>generating ID_PROT request 0 [ ID HASH ]</div><div>sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (68 bytes)</div><div>received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (84 bytes)</div>
<div>parsed ID_PROT response 0 [ ID HASH V ]</div><div>received DPD vendor ID</div><div>IKE_SA TELEFONICAMX[2] established between X.X.X.X[X.X.X.X]...Y.Y.Y.Y[Y.Y.Y.Y]</div><div>scheduling reauthentication in 28564s</div>
<div>
maximum IKE_SA lifetime 28744s</div><div>generating QUICK_MODE request 812470083 [ HASH SA No KE ID ID ]</div><div>sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (300 bytes)</div><div>received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (348 bytes)</div>
<div>parsed INFORMATIONAL_V1 request 2160602061 [ HASH N(INVAL_ID) ]</div><div>received INVALID_ID_INFORMATION error notify</div><div>establishing connection 'TELEFONICAMX' failed</div></div><div><br></div><div>Phase 1 completes but the Cisco side drops the connection.</div>
<div>These are the Cisco log entries:</div><div><br></div><div><div>Dec 4 21:09:28 [X] Dec 04 2013 22:16:54: %ASA-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found</div>
<div>Dec 4 21:09:27 [] Dec 04 2013 22:16:54: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = X.X.X.X</div><div>Dec 4 21:09:27 [1] Dec 04 2013 22:16:54: %ASA-5-713119: Group = 200.35.187.146, IP = X.X.X.X, PHASE 1 COMPLETED</div>
<div>Dec 4 21:09:28 [] Dec 04 2013 22:16:54: %ASA-3-713061: Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.255.255.78/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside</div>
</div><div><br></div><div>Shouldn't strongSwan send the rightsubnet to Cisco to match the crypto policy?</div><div><br></div><div>Has someone faced a similar problem?</div><div><br></div><div>BTW we can't change the Cisco side.</div>
<div><br></div><div>Regards.</div><div><br></div><div dir="ltr"></div>
</div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br>Gomes do Vale Victor<br>
Systems, Network and Security Engineer<br>
</div>
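Added example, not code from either poster: a small Python check that parses the ASA-3-713061 message quoted above together with the crypto-map ACL and reports which proxy identity has no matching ACE. The ACL's source addresses are the ASA's local side and its destinations the remote side, so the check compares the ASA's "local proxy" with ACE sources and its "remote proxy" with ACE destinations; the log line and the two ACL entries are constructed from the values in the thread.

```python
import ipaddress
import re
# Constructed sample input: the ASA-3-713061 line and two ACL entries as quoted in the thread
ASA_LOG = ("%ASA-3-713061: Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: "
           "no matching crypto map entry for remote proxy 172.255.255.78/255.255.255.255/0/0 "
           "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")
ACL_TEXT = """
access-list PREDICTIBILIDAD extended permit ip host 10.225.230.212 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.207.77 host 172.255.255.78
"""
# ASA prints each proxy identity as address/netmask/protocol/port
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")
ACE_RE = re.compile(r"access-list \S+ extended permit ip (.+)$")

def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _operand(tokens):
    """Consume one ACE address operand: 'any', 'host A', or 'A NETMASK'."""
    if tokens[0] == "any":
        return _net("0.0.0.0", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        return _net(tokens[1], "255.255.255.255"), tokens[2:]
    return _net(tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Return (source, destination) network pairs for each 'permit ip' ACE."""
    pairs = []
    for line in text.splitlines():
        m = ACE_RE.search(line.strip())
        if m:
            src, rest = _operand(m.group(1).split())
            dst, _ = _operand(rest)
            pairs.append((src, dst))
    return pairs

def diagnose(log_line, acl_text):
    """Check the proxy IDs in an ASA-3-713061 message against the crypto-map ACL.
    The ASA's 'local proxy' must equal an ACE source and 'remote proxy' its destination."""
    m = PROXY_RE.search(log_line)
    if not m:
        return None
    remote, local = _net(m.group(1), m.group(2)), _net(m.group(3), m.group(4))
    aces = parse_acl(acl_text)
    return {
        "remote_proxy": str(remote), "local_proxy": str(local),
        "remote_matches_ace_dst": any(dst == remote for _, dst in aces),
        "local_matches_ace_src": any(src == local for src, _ in aces),
        "exact_match": any(src == local and dst == remote for src, dst in aces),
    }
```

For the thread's values the result shows the remote proxy 172.255.255.78/32 matching the ACE destinations while the local proxy 0.0.0.0/0 matches no ACE source, which is the side the ASA rejected.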