[strongSwan] strongSwan 4.2.4 with Cisco VPN Concentrator 3000

Ralph ml+strongswan-user at dynaperl.de
Fri Jun 11 11:36:30 CEST 2010


Hello

I have a strange phenomenon when connecting strongSwan 4.2.4 with a Cisco 
VPN Concentrator 3000.

The connection description on the strongSwan side is:

> conn gw-cisco
>         authby=secret
>         ike=aes128-sha-modp1024
>         esp=aes128-sha1
>         pfs=no
>         #
>         ikelifetime=86400s
>         keylife=8h
>         #
>         left=<strongSwan-ip>
>         leftsubnet=192.168.144.0/23
>         #
>         right=<cisco-ip>
>         rightsubnet=10.10.10.0/24
>         auto=add

The Cisco system has OS version 4.7.2.H (Jun 29 2006).

After initiating the tunnel from the strongSwan side I get the following 
error message in phase 2 (Quick Mode) (plutodebug="crypt parsing 
emitting control klips private").

> Jun 11 09:26:23 gw pluto[25355]: | our client is subnet 192.0.0.0/18446744073709551615
> Jun 11 09:26:23 gw pluto[25355]: | our client protocol/port is 0/0
> Jun 11 09:26:23 gw pluto[25355]: "gw-cisco" #2: our client ID returned doesn't match my proposal
> Jun 11 09:26:23 gw pluto[25355]: "gw-cisco" #2: sending encrypted notification INVALID_ID_INFORMATION to <cisco-ip>:500

My understanding is that the other side (the Cisco router) returned the 
wrong address 192.0.0.0/18446744073709551615 to me and I respond with 
INVALID_ID_INFORMATION. Is this correct?

After changing the local subnet to 192.168.145.0/24 the tunnel is 
established successfully.

> Jun 11 10:50:23 gw pluto[26339]: | our client is subnet 192.168.145.0/24
> Jun 11 10:50:23 gw pluto[26339]: | our client protocol/port is 0/0
> Jun 11 10:50:23 gw pluto[26339]: | peer client is subnet 10.10.10.0/24
> Jun 11 10:50:23 gw pluto[26339]: | peer client protocol/port is 0/0

Does anybody have a suggestion as to what the problem is?

regards
ralph
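The check that produced "our client ID returned doesn't match my proposal" is an IKEv1 Quick Mode rule: the responder must echo the initiator's client identities (IDci/IDcr) unchanged, and pluto rejects the exchange with INVALID_ID_INFORMATION when the echoed ID differs from what it proposed. The mask value 18446744073709551615 in the log equals 2^64 - 1, which is what -1 looks like when printed as an unsigned 64-bit integer, so it is consistent with a netmask that could not be converted to a prefix length (an inference from the log, not a claim about the exact pluto code path). The following is an added example, not code from the original post or from the strongSwan project: a small model of that comparison, with the ID payload body layout taken from RFC 2407 section 4.6.2 (ID_IPV4_ADDR = 1, ID_IPV4_ADDR_SUBNET = 4, data = 4-byte address plus, for subnets, a 4-byte netmask). The payload bytes it feeds in are constructed here; the non-contiguous mask is a hypothetical stand-in for whatever the Concentrator actually sent.

```python
"""Model of pluto's IKEv1 Quick Mode client-ID echo check (added example)."""
import ipaddress
import struct
from typing import NamedTuple, Optional

ID_IPV4_ADDR = 1         # RFC 2407 4.6.2.1
ID_IPV4_ADDR_SUBNET = 4  # RFC 2407 4.6.2.1


class ClientId(NamedTuple):
    """A traffic selector as carried in a Quick Mode ID payload body."""
    network: ipaddress.IPv4Network
    protocol: int
    port: int


def mask_to_prefix(mask_bytes: bytes) -> int:
    """Convert an IPv4 netmask to a prefix length; -1 if it is not contiguous."""
    mask = int.from_bytes(mask_bytes, "big")
    inverted = (~mask) & 0xFFFFFFFF
    # A contiguous mask inverts to 2^k - 1, which shares no bit with 2^k.
    if inverted & (inverted + 1):
        return -1
    return 32 - inverted.bit_length()


def build_id_body(client: ClientId) -> bytes:
    """Encode an ID payload body (type, protocol, port, data); no generic header."""
    net = client.network
    if net.prefixlen == 32:
        id_type, data = ID_IPV4_ADDR, net.network_address.packed
    else:
        id_type, data = ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed
    return struct.pack("!BBH", id_type, client.protocol, client.port) + data


def parse_id_body(body: bytes) -> Optional[ClientId]:
    """Decode an ID payload body; None if the type, length or mask is unusable."""
    if len(body) < 4:
        return None
    id_type, protocol, port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        prefix = 32
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        prefix = mask_to_prefix(data[4:8])
        if prefix < 0:
            return None  # non-contiguous mask: no valid subnet to compare
    else:
        return None
    try:
        # strict=True: an address with host bits set is treated as malformed
        net = ipaddress.IPv4Network((ipaddress.IPv4Address(data[:4]), prefix), strict=True)
    except ValueError:
        return None
    return ClientId(net, protocol, port)


def returned_id_matches(proposed: ClientId, returned_body: bytes) -> bool:
    """The echoed ID must equal the proposal exactly (subnet, protocol and port)."""
    returned = parse_id_body(returned_body)
    return returned is not None and returned == proposed


def run_example():
    """Constructed exchanges: an exact echo, a narrower echo, and a bad mask."""
    proposed = ClientId(ipaddress.IPv4Network("192.168.144.0/23"), 0, 0)
    exact_echo = build_id_body(proposed)                 # 192.168.144.0/255.255.254.0
    narrower = build_id_body(ClientId(ipaddress.IPv4Network("192.168.145.0/24"), 0, 0))
    # Hypothetical echo with a non-contiguous mask 255.255.0.255 (constructed)
    bad_mask = struct.pack("!BBH", ID_IPV4_ADDR_SUBNET, 0, 0) \
        + b"\xc0\xa8\x90\x00" + b"\xff\xff\x00\xff"
    return (
        returned_id_matches(proposed, exact_echo),   # True: tunnel proceeds
        returned_id_matches(proposed, narrower),     # False: INVALID_ID_INFORMATION
        parse_id_body(bad_mask) is None,             # True: mask unusable
    )


if __name__ == "__main__":
    print(run_example())
```

Whatever the Concentrator did with the /23, the comparison is exact: a peer that echoes a different prefix, a different protocol/port pair, or a mask that does not convert to a prefix length fails it. That is why a /24 that the peer echoes back verbatim works while the /23 does not.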
