<HTML><HEAD></HEAD>
<BODY dir=ltr>
<DIV dir=ltr>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: 'Calibri'; COLOR: #000000">
<DIV>Dear All,</DIV>
<DIV> </DIV>
<DIV>I've installed strongswan 4.6.4 (both pluto and charon enabled) on my
server (debian 6.0.8) and it works well with cisco vpn client 5.0.07.0410 on
WinXP (also with ios, android and win7). Recently I upgraded to 5.1.3 and
it works too with ios, android and win7 except for cisco vpn client.</DIV>
<DIV> </DIV>
<DIV>The compile-time configuration follows:</DIV>
<DIV>./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-unity
--enable-openssl --enable-md4 --enable-xauth-eap --enable-xauth-pam
--enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc
--enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius
--enable-eap-sim --enable-eap-sim-file --enable-eap-sim-pcsc
--enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql
--enable-eap-tls --enable-eap-tnc --enable-eap-ttls --enable-tools</DIV>
<DIV> </DIV>
<DIV>/etc/ipsec.conf:</DIV>
<DIV>config setup</DIV>
<DIV> #nat_traversal=yes</DIV>
<DIV> uniqueids=yes</DIV>
<DIV> charondebug="ike 2, mgr 2, net 2, enc 2" # this line doesn't work?</DIV>
<DIV> crlcheckinterval=10m</DIV>
<DIV> strictcrlpolicy=no</DIV>
<DIV> </DIV>
<DIV>ca vpnca</DIV>
<DIV> cacert=caCert.pem</DIV>
<DIV> crluri=crl.pem</DIV>
<DIV> auto=add</DIV>
<DIV> </DIV>
<DIV>conn %default</DIV>
<DIV> auto=add</DIV>
<DIV> left=%defaultroute</DIV>
<DIV> leftsubnet=0.0.0.0/0</DIV>
<DIV> right=%any</DIV>
<DIV> </DIV>
<DIV>conn ios</DIV>
<DIV> keyexchange=ikev1</DIV>
<DIV> authby=xauthpsk</DIV>
<DIV> xauth=server</DIV>
<DIV> #leftfirewall=yes</DIV>
<DIV> rightsubnet=10.11.0.0/24</DIV>
<DIV> rightsourceip=10.11.0.0/24</DIV>
<DIV> #dpddelay=30s</DIV>
<DIV> #dpdtimeout=120s</DIV>
<DIV> #dpdaction=clear</DIV>
<DIV> </DIV>
<DIV>conn win7&android</DIV>
<DIV> keyexchange=ikev2</DIV>
<DIV> ike=aes256-sha1-modp1024!</DIV>
<DIV> esp=aes256-sha1!</DIV>
<DIV> dpdaction=clear</DIV>
<DIV> dpddelay=300s</DIV>
<DIV> rekey=no</DIV>
<DIV> leftauth=pubkey</DIV>
<DIV> leftcert=serverCert.pem</DIV>
<DIV> leftid="C=CH, O=strongSwan,
CN=x.x.x.x"</DIV>
<DIV> rightsourceip=10.11.1.0/24</DIV>
<DIV> rightauth=eap-mschapv2</DIV>
<DIV> rightsendcert=never</DIV>
<DIV> eap_identity=%any</DIV>
<DIV> </DIV>
<DIV>conn cisco</DIV>
<DIV> keyexchange=ikev1</DIV>
<DIV> ike=aes256-sha1-modp1024!</DIV>
<DIV> esp=aes256-sha1!</DIV>
<DIV> dpdaction=clear</DIV>
<DIV> dpddelay=300s</DIV>
<DIV> rekey=no</DIV>
<DIV> leftauth=pubkey</DIV>
<DIV> leftcert=serverCert.pem</DIV>
<DIV> leftid="C=CH, O=strongSwan,
CN=x.x.x.x"</DIV>
<DIV> rightsourceip=10.11.2.0/24</DIV>
<DIV> ikelifetime=60m</DIV>
<DIV> keylife=20m</DIV>
<DIV> rekeymargin=3m</DIV>
<DIV> keyingtries=1</DIV>
<DIV> #type=tunnel</DIV>
<DIV> authby=xauthrsasig</DIV>
<DIV> xauth=server</DIV>
<DIV> #pfs=no</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>When I try to connect to the server with the cisco vpn client it returns the error
"412: The remote peer is no longer responding" and the following logs:</DIV>
<DIV>1 23:47:53.418 06/20/14
Sev=Info/4 CERT/0x63600015</DIV>
<DIV>Cert (cn=client,o=strongSwan,c=CH) verification succeeded.</DIV>
<DIV> </DIV>
<DIV>2 23:47:53.433 06/20/14
Sev=Info/4 CM/0x63100002</DIV>
<DIV>Begin connection process</DIV>
<DIV> </DIV>
<DIV>3 23:47:53.449 06/20/14
Sev=Info/4 CM/0x63100004</DIV>
<DIV>Establish secure connection</DIV>
<DIV> </DIV>
<DIV>4 23:47:53.449 06/20/14
Sev=Info/4 CM/0x63100024</DIV>
<DIV>Attempt connection with server "x.x.x.x"</DIV>
<DIV> </DIV>
<DIV>5 23:47:53.449 06/20/14
Sev=Info/4 IKE/0x63000001</DIV>
<DIV>Starting IKE Phase 1 Negotiation</DIV>
<DIV> </DIV>
<DIV>6 23:47:53.465 06/20/14
Sev=Info/4 IKE/0x63000013</DIV>
<DIV>SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag),
VID(Nat-T), VID(Unity)) to x.x.x.x</DIV>
<DIV> </DIV>
<DIV>7 23:47:53.543 06/20/14
Sev=Info/4 IKE/0x63000014</DIV>
<DIV>RECEIVING <<< ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T))
from x.x.x.x</DIV>
<DIV> </DIV>
<DIV>8 23:47:53.543 06/20/14
Sev=Info/4 IKE/0x63000013</DIV>
<DIV>SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?),
VID(Unity)) to x.x.x.x</DIV>
<DIV> </DIV>
<DIV>9 23:47:53.574 06/20/14
Sev=Info/4 IKE/0x63000014</DIV>
<DIV>RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D) from
x.x.x.x</DIV>
<DIV> </DIV>
<DIV>10 23:47:53.605 06/20/14
Sev=Info/4 IKE/0x63000013</DIV>
<DIV>SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
NOTIFY:STATUS_INITIAL_CONTACT) to x.x.x.x</DIV>
<DIV> </DIV>
<DIV>11 23:47:53.621 06/20/14
Sev=Info/4 IKE/0x63000084</DIV>
<DIV>Out of Order Packet Processing - Queuing a packet (Informational) received
out of order</DIV>
<DIV> </DIV>
<DIV>12 23:47:58.887 06/20/14
Sev=Info/4 IKE/0x63000021</DIV>
<DIV>Retransmitting last packet!</DIV>
<DIV> </DIV>
<DIV>13 23:47:58.887 06/20/14
Sev=Info/4 IKE/0x63000013</DIV>
<DIV>SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x</DIV>
<DIV> </DIV>
<DIV>14 23:48:03.887 06/20/14
Sev=Info/4 IKE/0x63000021</DIV>
<DIV>Retransmitting last packet!</DIV>
<DIV> </DIV>
<DIV>15 23:48:03.887 06/20/14
Sev=Info/4 IKE/0x63000013</DIV>
<DIV>SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x</DIV>
<DIV> </DIV>
<DIV>16 23:48:08.887 06/20/14
Sev=Info/4 IKE/0x63000021</DIV>
<DIV>Retransmitting last packet!</DIV>
<DIV> </DIV>
<DIV>17 23:48:08.887 06/20/14
Sev=Info/4 IKE/0x63000013</DIV>
<DIV>SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x</DIV>
<DIV> </DIV>
<DIV>18 23:48:13.887 06/20/14
Sev=Info/4 IKE/0x63000017</DIV>
<DIV>Marking IKE SA for deletion (I_Cookie=8B242615179718BE
R_Cookie=1BD7EDD3CABC3E02) reason = DEL_REASON_PEER_NOT_RESPONDING</DIV>
<DIV> </DIV>
<DIV>19 23:48:13.887 06/20/14
Sev=Info/4 IKE/0x63000013</DIV>
<DIV>SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x</DIV>
<DIV> </DIV>
<DIV>20 23:48:14.402 06/20/14
Sev=Info/4 IKE/0x6300004B</DIV>
<DIV>Discarding IKE SA negotiation (I_Cookie=8B242615179718BE
R_Cookie=1BD7EDD3CABC3E02) reason = DEL_REASON_PEER_NOT_RESPONDING</DIV>
<DIV> </DIV>
<DIV>21 23:48:14.402 06/20/14
Sev=Info/4 CM/0x63100014</DIV>
<DIV>Unable to establish Phase 1 SA with server "x.x.x.x" because of
"DEL_REASON_PEER_NOT_RESPONDING"</DIV>
<DIV> </DIV>
<DIV>22 23:48:14.418 06/20/14
Sev=Info/4 IKE/0x63000001</DIV>
<DIV>IKE received signal to terminate VPN connection</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>/var/log/auth.log:</DIV>
<DIV>...</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] parsed ID_PROT request 0 [ ID CERT
CERTREQ SIG N(INITIAL_CONTACT) ]</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[IKE] received cert request for 'C=CH,
O=strongSwan, CN=strongSwan CA'</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[IKE] received end entity cert "C=CH,
O=strongSwan, CN=client"</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[IKE] no peer config found</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[IKE] queueing INFORMATIONAL task</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[IKE] activating new tasks</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[IKE] activating
INFORMATIONAL task</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] added payload of type NOTIFY_V1 to
message</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] added payload of type NOTIFY_V1 to
message</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] generating INFORMATIONAL_V1 request
2841545593 [ HASH N(AUTH_FAILED) ]</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] insert payload HASH_V1 into
encrypted payload</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] insert payload NOTIFY_V1 into
encrypted payload</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] generating payload of type
HEADER</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] generating rule 0
IKE_SPI</DIV>
<DIV>Jun 21 11:50:45 debian6 charon: 14[ENC] generating rule 1
IKE_SPI</DIV>
<DIV>...</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Any recommendations would be really appreciated. Thanks in advance.</DIV>
<DIV> </DIV>
<DIV>B. Regards!</DIV>
<DIV>Quine</DIV>
<DIV>2014-6-21</DIV>
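<DIV>Added example, not part of the original post and not strongSwan code: a small triage script for charon syslog output like the auth.log excerpt above, which pairs each outgoing error notify with the [IKE] line that preceded it, so the server-side reason (here "no peer config found") is visible next to the client's "peer not responding" symptom. It assumes that lines sharing a worker thread id between a "parsed" and a "generating" line belong to one message; the notify watch-list and the bookkeeping prefixes are assumptions of this sketch.</DIV>

```python
import re

# Lines taken from the /var/log/auth.log excerpt in the post, wrapped lines rejoined.
SAMPLE_LOG = """\
Jun 21 11:50:45 debian6 charon: 14[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG N(INITIAL_CONTACT) ]
Jun 21 11:50:45 debian6 charon: 14[IKE] received cert request for 'C=CH, O=strongSwan, CN=strongSwan CA'
Jun 21 11:50:45 debian6 charon: 14[IKE] received end entity cert "C=CH, O=strongSwan, CN=client"
Jun 21 11:50:45 debian6 charon: 14[IKE] no peer config found
Jun 21 11:50:45 debian6 charon: 14[IKE] queueing INFORMATIONAL task
Jun 21 11:50:45 debian6 charon: 14[ENC] generating INFORMATIONAL_V1 request 2841545593 [ HASH N(AUTH_FAILED) ]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ charon: (\d+)\[(\w+)\] (.*)$")
MESSAGE = re.compile(r"^(parsed|generating) (\S+) (?:request|response) \d+ \[ (.*) \]$")
NOTIFY = re.compile(r"N\(([A-Z0-9_]+)\)")
PEER_CERT = re.compile(r'^received end entity cert "(.*)"$')
# Notify names treated as rejections; a watch-list assumed here, extend as needed.
ERROR_NOTIFIES = {"AUTH_FAILED", "NO_PROP"}
# [IKE] lines that are bookkeeping rather than a decision (heuristic, assumed).
BOOKKEEPING = ("queueing ", "activating ", "received ")


def triage(log_text):
    """Return one finding per generated message that carries an error notify."""
    jobs = {}       # worker thread id -> context since that thread's last parsed message
    findings = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue
        stamp, thread, subsystem, text = line.groups()
        job = jobs.setdefault(thread, {"request": None, "peer_cert": None, "reason": None})
        message = MESSAGE.match(text) if subsystem == "ENC" else None
        if message and message.group(1) == "parsed":
            # A new inbound message starts a fresh context for this thread.
            jobs[thread] = {"request": message.group(2), "peer_cert": None, "reason": None}
        elif message:
            errors = [n for n in NOTIFY.findall(message.group(3)) if n in ERROR_NOTIFIES]
            if errors:
                findings.append(dict(job, time=stamp, thread=thread, notify=errors))
        elif subsystem == "IKE":
            cert = PEER_CERT.match(text)
            if cert:
                job["peer_cert"] = cert.group(1)
            elif not text.startswith(BOOKKEEPING):
                job["reason"] = text    # last non-bookkeeping [IKE] line wins
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("{time} thread {thread}: {request} from {peer_cert!r} rejected with "
              "{notify}: {reason}".format(**f))
```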
<DIV> </DIV></DIV></DIV></BODY></HTML>