<div dir="ltr"><div>Hi<br><br>I have the following configuration on an Ubuntu 14.x machine and I am trying to connect using a Cisco VPN Client v5.x (the IPsec-only client), and I am unable to get it to work now on the strongSwan 5.3.0 server (below).<br><br>I am getting the errors below, as seen in the foreground output. Where am I going wrong, and why is this not connecting?<br><br>I am using PSK with a group name on the Cisco VPN client.<br><br>This server config is supposed to cater to other Cisco clients too, such as the RV3XX/RV2xx/RV1xx-series routers, which have an EZVPN client, and also Cisco 800 series routers configured as clients to this server.<br><br>Please please please help. I thought this was a working config. Am I missing something?<br><br>On the server - strongSwan 5.3.0<br>============================================<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>root@suram-OptiPlex-7010:/usr/local/etc# cat ipsec.conf<br># /etc/ipsec.conf - strongSwan IPsec configuration file<br><br>config setup<br>        strictcrlpolicy=no<br>        charondebug="ike 3, dmn 2, chd 3, knl 2, cfg 2, net 2, esp 2"<br><br>conn %default<br>        ikelifetime=24h<br>        keylife=18h<br>        mobike=no<br><br>conn groupName1<br>        aggressive=yes<br>        left=2.2.2.5<br>        leftsubnet=192.168.25.0/24,192.168.22.0/24<br>        right=%any<br>        leftid=2.2.2.5<br>        rightid=@group1<br>        rightsourceip=10.9.9.0/24<br>        leftauth=psk<br>        rightauth=psk<br>        rightauth2=xauth<br>        type=tunnel<br>        keyexchange=ikev1<br>        ike=3des-sha1-modp1024<br>        esp=3des-sha1<br>        xauth=server<br>        auto=add<br>root@suram-OptiPlex-7010:/usr/local/etc# cat ipsec.secrets<br>#/etc/ipsec.secrets - strongSwan IPsec secrets file<br>2.2.2.5 group1 : PSK "123456789"<br>user1 : XAUTH "config123"<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>=================================================================<br></div>
<div>I need to use PSK-based auth (with aggressive mode) for many of the Cisco clients being used in my organization, hence I cannot avoid the PSK/XAuth/aggressive combination.<br><br></div>
<div>======================================================<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>root@suram-OptiPlex-7010:/usr/local/etc# ipsec start --nofork<br>Starting weakSwan 5.3.0 IPsec [starter]...<br>00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 3.11.0-26-generic, 
x86_64)<br>00[KNL] known interfaces and IP addresses:<br>00[KNL]   lo<br>00[KNL]     127.0.0.1<br>00[KNL]     ::1<br>00[KNL]   eth0<br>00[KNL]     2.2.2.5<br>00[KNL]     fe80::20a:f7ff:fe69:1029<br>00[KNL]   eth1<br>00[KNL]     192.168.25.1<br>00[KNL]     fe80::20a:f7ff:fe69:1082<br>00[KNL]   eth2<br>00[KNL]     10.232.90.125<br>00[KNL]     fe80::3617:ebff:fec0:267c<br>00[KNL]   virbr0<br>00[KNL]     192.168.122.1<br>00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'<br>00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'<br>00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'<br>00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'<br>00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'<br>00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'<br>00[CFG]   loaded IKE secret for 2.2.2.5 group1<br>00[CFG]   loaded EAP secret for user1<br>00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory<br>00[CFG] loaded 0 RADIUS server configurations<br>00[LIB] loaded plugins: charon aes des blowfish rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-simaka-pseudonym eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-noauth tnc-tnccs dhcp lookip error-notify unity<br>00[JOB] spawning 16 worker threads<br>03[NET] waiting for data on sockets<br>charon (4206) started after 20 ms<br>02[CFG] received stroke: add connection 'groupName1'<br>02[CFG] conn groupName1<br>02[CFG]   left=2.2.2.5<br>02[CFG]   leftsubnet=<a href="http://192.168.25.0/24,192.168.22.0/24">192.168.25.0/24,192.168.22.0/24</a><br>02[CFG]   leftauth=psk<br>02[CFG]   leftid=2.2.2.5<br>02[CFG]   
right=%any<br>02[CFG]   rightsourceip=<a href="http://10.9.9.0/24">10.9.9.0/24</a><br>02[CFG]   rightauth=psk<br>02[CFG]   rightauth2=xauth<br>02[CFG]   rightid=@group1<br>02[CFG]   ike=3des-sha1-modp1024<br>02[CFG]   esp=3des-sha1<br>02[CFG]   dpddelay=30<br>02[CFG]   dpdtimeout=150<br>02[CFG]   mediation=no<br>02[CFG]   keyexchange=ikev1<br>02[CFG] adding virtual IP address pool <a href="http://10.9.9.0/24">10.9.9.0/24</a><br>02[CFG] added configuration 'groupName1'<br>03[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500]<br>03[NET] waiting for data on sockets<br>08[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500] (822 bytes)<br>08[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]<br>08[CFG] looking for an ike config for 2.2.2.5...172.29.1.31<br>08[CFG]   candidate: 2.2.2.5...%any, prio 1052<br>08[CFG] found matching ike config: 2.2.2.5...%any with prio 1052<br>08[IKE] received XAuth vendor ID<br>08[IKE] received DPD vendor ID<br>08[IKE] received Cisco Unity vendor ID<br>08[IKE] 172.29.1.31 is initiating a Aggressive Mode IKE_SA<br>08[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING<br>08[CFG] selecting proposal:<br>08[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>08[CFG] selecting proposal:<br>08[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>08[CFG] selecting proposal:<br>08[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>08[CFG] selecting proposal:<br>08[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>08[CFG] selecting proposal:<br>08[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>08[CFG] selecting proposal:<br>08[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>08[CFG] selecting proposal:<br>08[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>08[CFG] selecting proposal:<br>08[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>08[CFG] selecting proposal:<br>08[CFG]   proposal matches<br>08[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024<br>08[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, 
IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP<br>08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>08[CFG] looking for XAuthInitPSK peer configs matching 2.2.2.5...172.29.1.31[group1]<br>08[IKE] no peer config found<br>08[IKE] queueing INFORMATIONAL task<br>08[IKE] activating new tasks<br>08[IKE]   activating INFORMATIONAL task<br>08[ENC] generating INFORMATIONAL_V1 request 1361888392 [ N(AUTH_FAILED) ]<br>08[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044] (56 bytes)<br>08[IKE] IKE_SA (unnamed)[1] state change: CONNECTING => DESTROYING<br>15[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044]<br>03[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500]<br>03[NET] waiting for data on sockets<br>02[NET] received packet: from 172.29.1.31[57044] to 2.2.2.5[500] (822 bytes)<br>02[ENC] parsed AGGRESSIVE request 0 [ SA KE No ID V V V ]<br>02[CFG] looking for an ike config for 2.2.2.5...172.29.1.31<br>02[CFG]   candidate: 2.2.2.5...%any, prio 1052<br>02[CFG] found matching ike config: 2.2.2.5...%any with prio 1052<br>02[IKE] received XAuth vendor ID<br>02[IKE] received DPD vendor ID<br>02[IKE] received Cisco Unity vendor ID<br>02[IKE] 172.29.1.31 is initiating a Aggressive Mode IKE_SA<br>02[IKE] IKE_SA (unnamed)[2] state change: 
CREATED => CONNECTING<br>02[CFG] selecting proposal:<br>02[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>02[CFG] selecting proposal:<br>02[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>02[CFG] selecting proposal:<br>02[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>02[CFG] selecting proposal:<br>02[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>02[CFG] selecting proposal:<br>02[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>02[CFG] selecting proposal:<br>02[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>02[CFG] selecting proposal:<br>02[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>02[CFG] selecting proposal:<br>02[CFG]   no acceptable ENCRYPTION_ALGORITHM found<br>02[CFG] selecting proposal:<br>02[CFG]   proposal matches<br>02[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024<br>02[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, 
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CTR_128/CAMELLIA_CTR_192/CAMELLIA_CTR_256/HMAC_MD5_96/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP, IKE:AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/CAMELLIA_CCM_8_128/CAMELLIA_CCM_8_192/CAMELLIA_CCM_8_256/CAMELLIA_CCM_12_128/CAMELLIA_CCM_12_192/CAMELLIA_CCM_12_256/CAMELLIA_CCM_16_128/CAMELLIA_CCM_16_192/CAMELLIA_CCM_16_256/PRF_HMAC_MD5/PRF_HMAC_SHA1/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/MODP_2048/MODP_2048_224/MODP_2048_256/MODP_1536/MODP_3072/MODP_4096/MODP_8192/MODP_1024/MODP_1024_160/ECP_256/ECP_384/ECP_521/ECP_224/ECP_192/ECP_224_BP/ECP_256_BP/ECP_384_BP/ECP_512_BP<br>02[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<br>02[CFG] looking for XAuthInitPSK peer configs matching 2.2.2.5...172.29.1.31[group1]<br>02[IKE] no peer config found<br>02[IKE] queueing INFORMATIONAL task<br>02[IKE] activating new tasks<br>02[IKE]   activating INFORMATIONAL task<br>02[ENC] generating INFORMATIONAL_V1 request 4035822289 [ N(AUTH_FAILED) ]<br>02[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044] (56 bytes)<br>02[IKE] IKE_SA (unnamed)[2] state change: CONNECTING => DESTROYING<br>15[NET] sending packet: from 2.2.2.5[500] to 172.29.1.31[57044]<br>^C00[DMN] signal of type SIGINT received. 
Shutting down<br>charon stopped after 200 ms<br>ipsec starter stopped<br>root@suram-OptiPlex-7010:/usr/local/etc#<br>=======================================<br><br></div><div>Can you please help? This is a critical requirement for me to set this up.<br><br></div><div>I tried other combinations for leftid (the rightid has to be the group name only, as used by all the remote Cisco clients), but nothing seems to be working. Please help.<br><br></div><div>Regards,<br></div><div>rajiv<br></div></div>
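Added example (the editor's, not the poster's or the strongSwan project's): a small Python triage script that groups charon foreground output of the kind shown above into one summary per IKE_SA attempt, pulling out the peer address, exchange mode, the selected IKE proposal, the auth class and peer identity charon tried to match a conn against (here XAuthInitPSK and group1), the outcome, and any legacy algorithms in the negotiated proposal. The log excerpt inside it is constructed in the shape of the post's output, and the second attempt is invented to show the established case.

```python
import re

# Constructed charon output in the shape of the post's log; the second attempt is invented.
SAMPLE_LOG = """\
08[IKE] 172.29.1.31 is initiating a Aggressive Mode IKE_SA
08[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
08[CFG] looking for XAuthInitPSK peer configs matching 2.2.2.5...172.29.1.31[group1]
08[IKE] no peer config found
05[IKE] 172.29.1.40 is initiating a Main Mode IKE_SA
05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
05[IKE] IKE_SA site[3] established between 2.2.2.5[2.2.2.5]...172.29.1.40[172.29.1.40]
"""

INIT_RE = re.compile(r"(?P<remote>[\d.]+) is initiating a (?P<mode>\w+) Mode IKE_SA")
PROPOSAL_RE = re.compile(r"selected proposal: IKE:(?P<prop>\S+)")
# Captures the auth class and the peer identity charon tried to match a conn against.
PEER_RE = re.compile(r"looking for (?P<cls>\w+) peer configs matching "
                     r"[\d.]+\.\.\.[\d.]+\[(?P<id>[^\]]*)\]")

# Legacy algorithms worth flagging when they end up in the negotiated IKE proposal.
LEGACY = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}

def legacy_components(proposal):
    """Legacy algorithm names in a proposal like '3DES_CBC/HMAC_SHA1_96/.../MODP_1024'."""
    return [alg for alg in proposal.split("/") if alg in LEGACY]

def parse_attempts(text):
    """Group charon log lines into IKE_SA attempts and summarise each one."""
    attempts, cur = [], None
    for line in text.splitlines():
        init = INIT_RE.search(line)
        if init:  # "<peer> is initiating a ... Mode IKE_SA" opens a new attempt
            cur = {"remote": init.group("remote"), "mode": init.group("mode"),
                   "proposal": None, "legacy": [], "auth_class": None,
                   "identity": None, "outcome": "unknown"}
            attempts.append(cur)
        elif cur is None:
            continue  # ignore lines before the first IKE_SA is seen
        elif PROPOSAL_RE.search(line):
            cur["proposal"] = PROPOSAL_RE.search(line).group("prop")
            cur["legacy"] = legacy_components(cur["proposal"])
        elif PEER_RE.search(line):
            pc = PEER_RE.search(line)
            cur["auth_class"], cur["identity"] = pc.group("cls"), pc.group("id")
        elif "no peer config found" in line:
            cur["outcome"] = "no peer config found"
        elif " established between " in line:
            cur["outcome"] = "established"
    return attempts
```

For the failing attempt the summary shows exactly which auth class and identity no conn matched, which is the pair to compare against a conn's rightid and auth settings.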