<div dir="ltr">I have done quite a bit of searching and playing around and I am still stuck with this issue. Trying to see if I can get some help here. Thanks in advance. I have posted this to StackOverflow; the link is here.<div><br></div><div><a href="http://stackoverflow.com/questions/42212151/moving-from-openswan-to-strongswan-authentication-failed-notify-error">http://stackoverflow.com/questions/42212151/moving-from-openswan-to-strongswan-authentication-failed-notify-error</a></div><div><br></div><div><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:15px;clear:both;color:rgb(36,39,41);font-family:arial,"helvetica neue",helvetica,sans-serif">I am converting a site from OpenSWAN to StrongSWAN. My peer is a Cisco ASA device, not sure of the model etc. The tunnel was up and running fine between OpenSWAN and Cisco. We want to move to StrongSWAN (another story why we are moving). I removed OpenSWAN and installed StrongSWAN (on Ubuntu), which was super easy, and converted the ipsec.conf to StrongSWAN requirements. When I start the tunnel I get a "received AUTHENTICATION_FAILED notify error" error. The same parameters worked for OpenSWAN so I thought this should be an easy move. I don't have access to the Cisco ASA as it is our partner's. I have opened a ticket with them to help me but that ticket is in the queue.
Was wondering if anybody can shed some light on this problem.</p><pre style="margin-top:0px;margin-bottom:1em;padding:5px;border:0px;font-size:13px;width:auto;max-height:600px;overflow:auto;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;background-color:rgb(239,240,241);word-wrap:normal;color:rgb(36,39,41)"><code style="margin:0px;padding:0px;border:0px;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;white-space:inherit">root@ip-10-0-0-33:/home/deploy# ipsec up Baptist
initiating IKE_SA Baptist[1652] to 50.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.0.33[500] to 50.xx.xx.xx[500] (1000 bytes)
received packet: from 50.xx.xx.xx[500] to 10.0.0.33[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_1024, it requested ECP_521
initiating IKE_SA Baptist[1652] to 50.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.0.33[500] to 50.xx.xx.xx[500] (1004 bytes)
received packet: from 50.xx.xx.xx[500] to 10.0.0.33[500] (506 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ V ]
local host is behind NAT, sending keep alives
received 2 cert requests for an unknown ca
authentication of '52.34.130.137' (myself) with pre-shared key
establishing CHILD_SA Baptist
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.0.0.33[4500] to 50.xx.xx.xx[4500] (576 bytes)
received packet: from 50.xx.xx.xx[4500] to 10.0.0.33[4500] (96 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'Baptist' failed
</code></pre><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:15px;clear:both;color:rgb(36,39,41);font-family:arial,"helvetica neue",helvetica,sans-serif">Here is my config file</p><pre style="margin-top:0px;margin-bottom:1em;padding:5px;border:0px;font-size:13px;width:auto;max-height:600px;overflow:auto;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;background-color:rgb(239,240,241);word-wrap:normal;color:rgb(36,39,41)"><code style="margin:0px;padding:0px;border:0px;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;white-space:inherit">config setup
    strictcrlpolicy=no
    charondebug=all

conn %default
    left=%any
    ikelifetime=86400s
    keylife=28800s
    authby=secret
    keyexchange=ike

conn Baptist
    left=10.0.0.33
    leftsourceip=10.0.0.33
    leftid=52.XX.XX.XX
    leftsubnet=10.0.0.33/32
    eap_identity=52.XX.XX.XX
    right=50.YY.YY.YY
    rightsubnet=10.17.10.66/32,10.13.210.2/32
    auto=start
    ike=aes256-sha1-mod1024
    esp=aes256-sha1-mod1024
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
</code></pre><p style="margin:0px 0px 1em;padding:0px;border:0px;font-size:15px;clear:both;color:rgb(36,39,41);font-family:arial,"helvetica neue",helvetica,sans-serif"><strong style="margin:0px;padding:0px;border:0px">EDIT</strong>: My original OpenSWAN config file is below. BTW: I tried ike1 and ike2 with StrongSWAN with the same effect.</p><pre style="margin-top:0px;margin-bottom:1em;padding:5px;border:0px;font-size:13px;width:auto;max-height:600px;overflow:auto;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;background-color:rgb(239,240,241);word-wrap:normal;color:rgb(36,39,41)"><code style="margin:0px;padding:0px;border:0px;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;white-space:inherit">conn Baptist
    type=tunnel
    authby=secret
    auto=start
    forceencaps=yes
    left=%defaultroute
    leftid=52.XX.XX.XX
    #leftsourceip=10.1.200.19
    #leftsourceip=52.XX.XX.XX
    leftsourceip=10.0.0.33
    leftsubnets={10.0.0.33/32}
    right=50.YY.YY.YY
    rightid=50.YY.YY.YY
    rightsubnets=10.17.10.66/32,10.13.210.2/32
    ikelifetime=86400s
    keylife=28800s
    keyexchange=ike
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart</code></pre><div><div class="gmail_signature">-maqbool</div></div>
</div></div>
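A small triage script for the charon transcript quoted above, added here as an example and not part of the original post or of strongSwan itself. It parses the initiator's log lines, separates the DH-group mismatch (which the log shows was recovered by the automatic retry, since the second IKE_SA_INIT response carries SA and KE payloads) from the real failure (AUTH_FAILED during IKE_AUTH after PSK authentication), and reports where the handshake broke. The embedded sample is an abridged copy of the posted output.

```python
import re

# Constructed sample input: abridged from the `ipsec up Baptist` transcript in the post.
SAMPLE_LOG = """\
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_1024, it requested ECP_521
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ V ]
received 2 cert requests for an unknown ca
authentication of '52.34.130.137' (myself) with pre-shared key
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
"""

RESP_RE = re.compile(r"parsed (\w+) response \d+ \[ (.*?) \]")
DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
AUTH_RE = re.compile(r"authentication of '([^']+)' \(myself\) with (.+)")

def triage(log):
    """Summarise a charon initiator transcript into the facts needed to localise the failure."""
    s = {"notifies": [], "init_done": False, "dh": None, "auth": None, "certreqs": 0}
    for line in log.splitlines():
        if m := RESP_RE.search(line):
            exch, payloads = m.group(1), m.group(2).split()
            # Keep error/status notifies; drop the NAT-detection markers present in every response
            s["notifies"] += [(exch, p[2:-1]) for p in payloads
                              if p.startswith("N(") and not p.startswith("N(NATD_")]
            if exch == "IKE_SA_INIT" and {"SA", "KE"} <= set(payloads):
                s["init_done"] = True  # peer accepted a proposal and DH group
        elif m := DH_RE.search(line):
            s["dh"] = (m.group(1), m.group(2))
        elif m := AUTH_RE.search(line):
            s["auth"] = (m.group(1), m.group(2))
        elif m := re.search(r"received (\d+) cert requests", line):
            s["certreqs"] = int(m.group(1))
    return s

def findings(s):
    """Turn the summary into conclusions about where the IKEv2 handshake failed."""
    out = []
    if s["dh"]:
        offered, wanted = s["dh"]
        state = "recovered by retry" if s["init_done"] else "not recovered"
        out.append(f"DH group mismatch ({offered} offered, peer wants {wanted}): {state}")
    if s["certreqs"]:
        out.append(f"peer sent {s['certreqs']} CERTREQ for CAs not known locally")
    if ("IKE_AUTH", "AUTH_FAILED") in s["notifies"] and s["auth"]:
        ident, method = s["auth"]
        out.append(f"IKE_AUTH rejected: peer could not verify {method} AUTH for identity {ident} "
                   "(secret or identity mismatch on the responder)")
    return out

if __name__ == "__main__":
    for f in findings(triage(SAMPLE_LOG)):
        print(f)
```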