[strongSwan] Connection to Cisco not passing Main Mode

Andreas Steffen andreas.steffen at strongswan.org
Fri Aug 6 20:42:31 CEST 2010


Hello Stuart,

could you add leftnexthop = %defaultroute

Regards

Andreas

On 08/06/2010 06:59 PM, Stuart Beckett wrote:
> Hello,
> We are attempting to connect to a Customer, who will not change their
> device, it is a Cisco, and their config is the following:
> IKE Policies (DO NOT MODIFY)
> Parameter ------------------------- Value
> Message encryption algorithm ------- Triple-DES
> Message integrity (hash) algorithm --- SHA
> Peer authentication method ---------- Preshared key
> Key exchange parameters ----------- Group 2 (1024-bit)- (Diffie-Hellman
> group identifier and Perfect Forward Secrecy Group)
> ISAKMP established security associations lifetime ------------------
> 86400 seconds
> IPSec Parameters (DO NOT MODIFY)
> Parameter ----------------------------- Value
> Security-association (SA) establishment - ipsec-isakmp
> (IKE)IPSec Mode ---------------------------- Tunnel
> Mechanism for payload ----------------- ESP
> ESP transform -------------------------- ESP-3DES
> Hashed Message Authentication Code -- ESP-SHA-HMAC
> Security-association (SA) lifetime ------- 3600 seconds (1hr)
> We have agreed on a pre-shared key (PSK), it is in the ipsec.secrets file.
> My side is as follows:
> ---- ipsec.conf
> config setup
> plutodebug=control
> # crlcheckinterval=600
> # strictcrlpolicy=yes
> # cachecrls=yes
> # nat_traversal=yes
> # charonstart=no
> # plutostart=no
> # Add connections here.
> conn %default
> left=71.5.36.91
>
> conn one
> ## Basic settings
> type=tunnel
> auto=start
> rekey=yes
> mobike=no
> authby=psk
> ## Diffie-Helman group 2 (1024 bits)
> pfs=yes
> ## IKE settings
> # required: 3DES, SHA, DH Group 2 (1024 bits)
> # required: Key lifetime 86400s
> ike=3des-sha-modp1024
> ikelifetime=86400s
> ## ESP settings
> # required: ESP-3DES, ESP-SHA-HMAC
> # required: SA lifetime 3600s
> esp=3des-sha
> keylife=3600s
> ## Host info
> leftsubnet=204.153.6.0/24
> right=144.168.7.164
> rightsubnet=144.151.202.0/24
> --- ipsec.secrets
> # First connection
> 71.5.36.91 144.168.7.164: PSK "testFirst"
> --- ipsec statusall
> 000 interface lo/lo 127.0.0.1:500
> 000 interface lo/lo 127.0.0.2:500
> 000 interface eth0/eth0 10.195.1.249:500
> 000 interface eth1/eth1 71.5.36.91:500
> 000 interface eth2/eth2 204.153.6.1:500
> 000 %myid = (none)
> 000 debug control
> 000
> 000 "one":
> 204.153.6.0/24===71.5.36.91...144.168.7.164===144.151.202.0/24;
> unrouted; eroute owner: #0
> 000 "one": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 3
> 000 "one": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
> 000 "one": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "one": IKE algorithms wanted: 5_000-2-2,
> 000 "one": IKE algorithms found: 5_192-2_160-2,
> 000 "one": ESP algorithms wanted: 3_000-2,
> 000 "one": ESP algorithms loaded: 3_192-2_160,
> 000
> 000 #1: "one" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT
> in 14s
> 000 #1: pending Phase 2 for "att" replacing #0
> 000
> Performance:
> worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0
> Listening IP addresses:
> 10.195.1.249
> 71.5.36.91
> 204.153.6.1
> Connections:
> So, there is something that is not talking. I have turned off the
> firewall on this box for this testing. So for my side that is not an
> issue. A packet capture shows only one packet going in each direction.
> The one coming from them is a NO-PROPOSAL-CHOSEN.
> The algorithms statement in the 'ipsec statusall' bothers me also.
> Can anyone provide any assistance?
> Thanks
> Stuart Beckett

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
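The thread turns on whether the proposal Stuart's pluto offers can satisfy the customer's fixed Cisco policy, or whether NO-PROPOSAL-CHOSEN has some other cause. The following is an added example (not strongSwan code and not from either poster) that decodes the numeric "IKE/ESP algorithms wanted/found/loaded" lines of `ipsec statusall` and compares them with the peer's required policy. It assumes that pluto prints each IKE proposal as `ENC[_KEYLEN]-HASH[_KEYLEN]-DHGROUP` and each ESP proposal as `ENC[_KEYLEN]-AUTH[_KEYLEN]`, with the numbers being the IKEv1 transform identifiers from the IANA ISAKMP registries (3DES = 5, SHA = 2, DH group 2; ESP 3DES = 3, HMAC-SHA = 2); the sample input is built from the lines quoted above, and `CISCO_POLICY` is my transcription of the customer's policy table.

```python
"""Decode pluto's 'ipsec statusall' algorithm lines and compare them with a
peer's required IKE/IPsec policy (added example; not part of strongSwan)."""
import re

# IKEv1 Phase 1 transform attribute values (IANA ISAKMP registries).
IKE_ENCR = {5: "3des", 7: "aes"}                     # Encryption Algorithm
IKE_HASH = {1: "md5", 2: "sha1"}                     # Hash Algorithm
DH_GROUP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
# IKEv1 Phase 2: ESP transform IDs and Authentication Algorithm attribute.
ESP_ENCR = {3: "3des", 12: "aes"}
ESP_AUTH = {1: "hmac_md5", 2: "hmac_sha1"}

# Assumption: pluto's token format is ID or ID_KEYLEN (e.g. '5_192', '2').
_TOKEN = re.compile(r"^(\d+)(?:_(\d+))?$")
_ALG_LINE = re.compile(
    r'"(?P<conn>[^"]+)": (?P<kind>IKE|ESP) algorithms '
    r'(?P<which>wanted|found|loaded): (?P<specs>.*)$')


def _split_token(token):
    """'5_192' -> (5, 192); '2' -> (2, 0). Zero means 'no key length given'."""
    m = _TOKEN.match(token)
    if not m:
        raise ValueError(f"unrecognised algorithm token {token!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def decode_ike(spec):
    """Decode one IKE proposal 'ENC[_LEN]-HASH[_LEN]-GROUP' into names."""
    enc, hsh, grp = spec.split("-")
    e_id, e_len = _split_token(enc)
    h_id, _ = _split_token(hsh)
    g_id, _ = _split_token(grp)
    return {"encr": IKE_ENCR.get(e_id, f"encr#{e_id}"), "keylen": e_len,
            "hash": IKE_HASH.get(h_id, f"hash#{h_id}"),
            "dh": DH_GROUP.get(g_id, f"group#{g_id}")}


def decode_esp(spec):
    """Decode one ESP proposal 'ENC[_LEN]-AUTH[_LEN]' into names."""
    enc, auth = spec.split("-")
    e_id, e_len = _split_token(enc)
    a_id, _ = _split_token(auth)
    return {"encr": ESP_ENCR.get(e_id, f"encr#{e_id}"), "keylen": e_len,
            "auth": ESP_AUTH.get(a_id, f"auth#{a_id}")}


def parse_statusall(text):
    """Collect the per-connection algorithm lines of 'ipsec statusall' into
    {conn: {"IKE"|"ESP": {"wanted"|"found"|"loaded": [decoded, ...]}}}."""
    result = {}
    for line in text.splitlines():
        m = _ALG_LINE.search(line)
        if not m:
            continue
        decode = decode_ike if m["kind"] == "IKE" else decode_esp
        specs = [s.strip() for s in m["specs"].split(",") if s.strip()]
        result.setdefault(m["conn"], {}).setdefault(m["kind"], {})[m["which"]] = [
            decode(s) for s in specs]
    return result


def check_against_peer(status, conn, peer):
    """Return mismatches between what we offer and what the peer requires.
    An empty list means the proposal itself cannot explain NO-PROPOSAL-CHOSEN."""
    problems = []
    for kind in ("IKE", "ESP"):
        entry = status.get(conn, {}).get(kind, {})
        # Prefer what the daemon actually loaded over what the config asked for.
        offered = entry.get("found") or entry.get("loaded") or entry.get("wanted") or []
        if not offered:
            problems.append(f"{kind}: no proposal line for conn {conn!r}")
            continue
        need = peer[kind]
        if not any(all(p.get(k) == v for k, v in need.items()) for p in offered):
            problems.append(f"{kind}: none of {offered} matches required {need}")
    return problems


# Constructed from the statusall lines quoted in the thread.
STATUSALL_EXCERPT = """\
000 "one": IKE algorithms wanted: 5_000-2-2,
000 "one": IKE algorithms found: 5_192-2_160-2,
000 "one": ESP algorithms wanted: 3_000-2,
000 "one": ESP algorithms loaded: 3_192-2_160,
"""

# Transcribed from the customer's "DO NOT MODIFY" policy tables in the post.
CISCO_POLICY = {
    "IKE": {"encr": "3des", "hash": "sha1", "dh": "modp1024"},
    "ESP": {"encr": "3des", "auth": "hmac_sha1"},
}

if __name__ == "__main__":
    st = parse_statusall(STATUSALL_EXCERPT)
    issues = check_against_peer(st, "one", CISCO_POLICY)
    for line in issues or ["proposal matches the peer policy; the cause lies "
                           "elsewhere (routing/nexthop, PSK, peer-side logs)"]:
        print(line)
```

For the excerpt above the check returns no mismatches: the "found"/"loaded" lines only fill in the default key lengths (3DES 192, SHA-1 160) for the proposal the configuration asked for, so the algorithm lines are not the problem, which is consistent with the reply pointing at the routing side (`leftnexthop`) rather than the crypto parameters. The same parser can be run over the statusall output of any pluto connection and compared with whatever the remote administrator sends you as their policy table.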



