[strongSwan] Connection to Cisco not passing Main Mode
Stuart Beckett
SRBeckett at teamfishel.com
Fri Aug 6 18:59:08 CEST 2010
Hello,
We are attempting to connect to a Customer who will not change their device; it is a Cisco, and their config is the following:
IKE Policies (DO NOT MODIFY)
Parameter ------------------------- Value
Message encryption algorithm ------- Triple-DES
Message integrity (hash) algorithm --- SHA
Peer authentication method ---------- Preshared key
Key exchange parameters ----------- Group 2 (1024-bit)- (Diffie-Hellman group identifier and Perfect Forward Secrecy Group)
ISAKMP established security associations lifetime ------------------ 86400 seconds
IPSec Parameters (DO NOT MODIFY)
Parameter ----------------------------- Value
Security-association (SA) establishment - ipsec-isakmp
(IKE)IPSec Mode ---------------------------- Tunnel
Mechanism for payload ----------------- ESP
ESP transform -------------------------- ESP-3DES
Hashed Message Authentication Code -- ESP-SHA-HMAC
Security-association (SA) lifetime ------- 3600 seconds (1hr)
We have agreed on a pre-shared key (PSK), it is in the ipsec.secrets file.
My side is as follows:
---- ipsec.conf
config setup
        plutodebug=control
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        # plutostart=no

# Add connections here.
conn %default
        left=71.5.36.91

conn one
        ## Basic settings
        type=tunnel
        auto=start
        rekey=yes
        mobike=no
        authby=psk
        ## Diffie-Hellman group 2 (1024 bits)
        pfs=yes
        ## IKE settings
        # required: 3DES, SHA, DH Group 2 (1024 bits)
        # required: Key lifetime 86400s
        ike=3des-sha-modp1024
        ikelifetime=86400s
        ## ESP settings
        # required: ESP-3DES, ESP-SHA-HMAC
        # required: SA lifetime 3600s
        esp=3des-sha
        keylife=3600s
        ## Host info
        leftsubnet=204.153.6.0/24
        right=144.168.7.164
        rightsubnet=144.151.202.0/24
--- ipsec.secrets
# First connection
71.5.36.91 144.168.7.164: PSK "testFirst"
--- ipsec statusall
000 interface lo/lo 127.0.0.1:500
000 interface lo/lo 127.0.0.2:500
000 interface eth0/eth0 10.195.1.249:500
000 interface eth1/eth1 71.5.36.91:500
000 interface eth2/eth2 204.153.6.1:500
000 %myid = (none)
000 debug control
000
000 "one": 204.153.6.0/24===71.5.36.91...144.168.7.164===144.151.202.0/24; unrouted; eroute owner: #0
000 "one": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "one": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "one": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "one": IKE algorithms wanted: 5_000-2-2,
000 "one": IKE algorithms found: 5_192-2_160-2,
000 "one": ESP algorithms wanted: 3_000-2,
000 "one": ESP algorithms loaded: 3_192-2_160,
000
000 #1: "one" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s
000 #1: pending Phase 2 for "att" replacing #0
000
Performance:
worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0
Listening IP addresses:
10.195.1.249
71.5.36.91
204.153.6.1
Connections:
So, there is something that is not talking. I have turned off the firewall on this box for this testing. So for my side that is not an issue. A packet capture shows only one packet going in each direction. The one coming from them is a NO-PROPOSAL-CHOSEN.
The algorithms statement in the 'ipsec statusall' bothers me also.
Can anyone provide any assistance?
Thanks
Stuart Beckett
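An added example, not part of the original post, that decodes the "IKE/ESP algorithms wanted/found" lines from the statusall output above so the "wanted" versus "found" difference can be checked mechanically. It assumes pluto's enc[_bits]-auth[_bits][-dhgroup] field layout for those lines and the IANA ISAKMP/IPsec transform ids; the sample input is copied from the post.

```python
import re

# ISAKMP/IPsec transform ids (IANA) for the values that appear in this post.
IKE_ENC = {1: "DES", 5: "3DES", 7: "AES-CBC"}
IKE_HASH = {1: "MD5", 2: "SHA1"}
DH_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
ESP_ENC = {2: "DES", 3: "3DES", 12: "AES-CBC"}
ESP_AUTH = {1: "HMAC-MD5", 2: "HMAC-SHA1"}

# Constructed sample: the four algorithm lines copied from the statusall output above.
STATUSALL = """\
000 "one": IKE algorithms wanted: 5_000-2-2,
000 "one": IKE algorithms found: 5_192-2_160-2,
000 "one": ESP algorithms wanted: 3_000-2,
000 "one": ESP algorithms loaded: 3_192-2_160,
"""
LINE_RE = re.compile(r'^\d{3} "[^"]+": (IKE|ESP) algorithms (wanted|found|loaded): (.*)$')

def parse_proposal(proto, text):
    # One pluto proposal is enc[_bits]-auth[_bits][-dhgroup]; bits 000 = not yet resolved.
    fields = [f.partition("_") for f in text.strip().split("-")]
    ids = [(int(alg), int(bits or 0)) for alg, _, bits in fields]
    enc_names, auth_names = (IKE_ENC, IKE_HASH) if proto == "IKE" else (ESP_ENC, ESP_AUTH)
    prop = {"enc": enc_names.get(ids[0][0], f"enc#{ids[0][0]}"), "enc_bits": ids[0][1],
            "auth": auth_names.get(ids[1][0], f"auth#{ids[1][0]}"), "auth_bits": ids[1][1]}
    if proto == "IKE":
        prop["dh"] = DH_GROUP.get(ids[2][0], f"group#{ids[2][0]}")
    return prop

def parse_statusall(text):
    # Returns {(proto, kind): [proposal, ...]} for the algorithm lines found in text.
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, kind, lst = m.groups()
            out[(proto, kind)] = [parse_proposal(proto, p) for p in lst.split(",") if p.strip()]
    return out

def unresolved_wanted(parsed, proto):
    # Wanted proposals with no matching found/loaded entry. A wanted key size of 0
    # matches any resolved size, so '5_000' vs '5_192' is not a mismatch.
    have = parsed.get((proto, "found"), []) + parsed.get((proto, "loaded"), [])
    def same(w, f):
        return ((w["enc"], w["auth"], w.get("dh")) == (f["enc"], f["auth"], f.get("dh"))
                and w["enc_bits"] in (0, f["enc_bits"]))
    return [w for w in parsed.get((proto, "wanted"), []) if not any(same(w, f) for f in have)]
```

For the lines in this post both checks come back empty: the local daemon resolved 3DES/SHA1/modp1024 and ESP 3DES/HMAC-SHA1 exactly as configured, so the "found" line only fills in the key sizes (192 and 160 bits).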