[strongSwan] StrongSWAN <-> Cisco router IOS 12.4
François Van Ingelgom
francois.vaningelgom at pcsol.be
Wed May 12 15:18:11 CEST 2010
Hi Andreas!
I've recreated my setup and, this time, I'm not even able to establish the tunnel.
On the Cisco it fails with the error: "Notify has no hash. Rejected."
I've attached the debug output of every device.
I really have no idea how to sort it out, and Google is not such a good friend today :)
Thanks a lot!
François Van Ingelgom -- PCSOL
PS: Debug-Cisco = debug crypto isakmp + debug crypto ipsec
Debug-Strongswan = cat /var/log/messages with klips and pluto debug set to all
Attachments:
- Debug-Cisco.txt: <http://lists.strongswan.org/pipermail/users/attachments/20100512/855e211e/attachment.txt>
- Debug-Strongswan.txt: <http://lists.strongswan.org/pipermail/users/attachments/20100512/855e211e/attachment-0001.txt>
- ipsec.conf.txt: <http://lists.strongswan.org/pipermail/users/attachments/20100512/855e211e/attachment-0002.txt>
- Sh-Run.txt: <http://lists.strongswan.org/pipermail/users/attachments/20100512/855e211e/attachment-0003.txt>
On 11 May 2010, at 17:34, Andreas Steffen wrote:
> left = local and right = remote
>
> is just our recommendation in order to help your orientation.
> strongSwan works equally well with left and right swapped.
> I was just wondering why the remote end used private network
> addresses which are not routable.
>
> Best regards
>
> Andreas
>
> On 05/11/2010 05:20 PM, François Van Ingelgom wrote:
>> In fact, no, the strongswan side is: left=81.246.56.89
>>
>> The Cisco IOS: right=192.168.1.218.
>>
>> I'll try to recreate the configuration tomorrow with the two ends in
>> our 81.246.56.64/27 subnet.
>>
>> From what I understood in the ipsec.conf documentation, left is the actual
>> local machine and right is the remote one. Is that correct?
>>
>> Thanks for your help, I'll post what you asked tomorrow.
>>
>> François Van Ingelgom -- PCSOL
>>
>>
>>
>>
>> On 11 May 2010, at 17:08, Andreas Steffen wrote:
>>
>>> Hello François,
>>>
>>> I don't see anything special in your configuration file except that
>>> it looks like an Openswan configuration.
>>>
>>> I assume that the strongSwan side is
>>>
>>> right=192.168.1.218
>>>
>>> which makes use of a port forwarding setup (NAT traversal seems not
>>> to be enabled) on the router
>>>
>>> rightnexthop=192.168.1.1
>>>
>>> in order to be reachable from the Internet and that
>>>
>>> left=81.246.56.89
>>>
>>> is the Cisco IOS box. In order to give you some help I would need
>>> the output of
>>>
>>> ipsec statusall
>>>
>>> and
>>>
>>> ip -s xfrm state
>>>
>>> ip -s xfrm policy
>>>
>>> after the successful connection setup and after a failed ping.
>>>
>>> Best regards
>>>
>>> Andreas
>>>
>>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
>>>> Hi everyone!
>>>>
>>>> I'm trying to set up strongSwan (Debian package) with a Cisco
>>>> router (IOS 12.4).
>>>>
>>>> Both servers are on the same subnet (our public subnet) for
>>>> testing purposes.
>>>>
>>>> Here is my ipsec.conf for strongswan:
>>>>
>>>> version 2.0   # conforms to second version of ipsec.conf specification
>>>>
>>>> config setup
>>>>     interfaces="ipsec0=eth0"
>>>>
>>>> conn %default
>>>>     ikelifetime=86400
>>>>     keylife=3600
>>>>     keyingtries=%forever
>>>>     authby=secret
>>>>     auth=esp
>>>>     ike=aes128-sha1-modp1024!
>>>>     esp=aes128-sha1!
>>>>     pfs=no
>>>>     dpdaction=hold
>>>>     dpddelay=60
>>>>     dpdtimeout=500
>>>>
>>>> conn tunnelipsec
>>>>     type=tunnel
>>>>     auto=start
>>>>     left=81.246.56.89
>>>>     leftnexthop=81.246.56.65
>>>>     leftsubnet=192.168.16.0/24
>>>>     right=192.168.1.218
>>>>     rightnexthop=192.168.1.1
>>>>     rightsubnet=192.168.18.0/24
>>>>
>>>> include /etc/ipsec.d/examples/no_oe.conf
>>>>
>>>> And here is my ipsec.secrets
>>>>
>>>> 81.246.56.89: PSK "SecretTunnelPass"
>>>>
>>>> I'm sorry, I don't have the Cisco config right here, but it's a
>>>> classical non-tunnel configuration (esp-aes esp-sha-hmac, aes128
>>>> and sha).
>>>>
>>>> In fact, the connection can be established, but when I try to ping
>>>> the other end, the Cisco fails, claiming that it has no route for
>>>> the network connected to the strongSwan....
>>>>
>>>> I really have no idea how to set it up, and I've been searching
>>>> for a very long time now :/
>>>>
>>>> If anybody has any idea, hints or anything, I'll greatly
>>>> appreciate it :)
>>>>
>>>> Thanks a lot
>>>>
>>>> François Van Ingelgom -- PCSOL
>>>>
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
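Andreas asks for `ip -s xfrm policy` output after the connection comes up. The script below is an added example (not strongSwan's own code) that parses that output and checks whether tunnel-mode policies exist in all three directions for the leftsubnet/rightsubnet pair from the ipsec.conf above; the sample output is constructed using the thread's addresses.

```python
# Added example (not strongSwan code): check that `ip xfrm policy` on the strongSwan
# host shows tunnel policies for the ipsec.conf leftsubnet <-> rightsubnet pair.
def parse_xfrm_policy(text):
    """Parse `ip [-s] xfrm policy` output into a list of key/value dicts."""
    policies = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if raw[0] not in " \t" and tokens[0] == "src":
            policies.append({})      # unindented 'src ... dst ...' opens a policy
        if not policies:
            continue
        cur, prefix = policies[-1], ""
        if tokens[0] == "tmpl":      # 'tmpl src A dst B': outer tunnel endpoints
            prefix, tokens = "tmpl_", tokens[1:]
        elif tokens[0] == "proto" and "tmpl_src" in cur:
            prefix = "tmpl_"         # 'proto esp reqid N mode tunnel' belongs to tmpl
        if len(tokens) % 2:
            continue                 # -s counter/lifetime lines are not key/value pairs
        for key, val in zip(tokens[::2], tokens[1::2]):
            cur.setdefault(prefix + key, val)
    return policies

def check_tunnel(policies, leftsubnet, rightsubnet):
    """Map 'out'/'in'/'fwd' to True when a tunnel-mode policy for the subnet pair exists."""
    found = {"out": False, "in": False, "fwd": False}
    for p in policies:
        d, tun = p.get("dir"), p.get("tmpl_mode") == "tunnel"
        if d == "out" and (p.get("src"), p.get("dst")) == (leftsubnet, rightsubnet):
            found["out"] = tun
        elif d in ("in", "fwd") and (p.get("src"), p.get("dst")) == (rightsubnet, leftsubnet):
            found[d] = tun
    return found

def missing_directions(policies, leftsubnet, rightsubnet):
    """Directions strongSwan should have installed but that are absent."""
    return [d for d, ok in check_tunnel(policies, leftsubnet, rightsubnet).items() if not ok]

# Constructed sample with the thread's addresses; the 'in' policy is deliberately absent.
SAMPLE = """\
src 192.168.16.0/24 dst 192.168.18.0/24
\tdir out priority 2344 ptype main
\ttmpl src 81.246.56.89 dst 192.168.1.218
\t\tproto esp reqid 1 mode tunnel
src 192.168.18.0/24 dst 192.168.16.0/24
\tdir fwd priority 2344 ptype main
\ttmpl src 192.168.1.218 dst 81.246.56.89
\t\tproto esp reqid 1 mode tunnel
"""
```

Feed it the real output of `ip -s xfrm policy` on the strongSwan host; an empty list from `missing_directions` means the kernel holds policies for both subnets, so a "no route" complaint must come from the Cisco side's configuration.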