[strongSwan] StrongSWAN <-> Cisco router IOS 12.4

François Van Ingelgom francois.vaningelgom at pcsol.be
Wed May 12 15:18:11 CEST 2010


Hi andreas!

I've recreated my setup and, this time, I'm not even able to establish the tunnel.

On the cisco it fails with error: "Notify has no hash. Rejected."

I've attached the debug output of every device.

I really have no idea how to sort it out, and Google is not such a good friend today :)

Thanks a lot!

François Van Ingelgom -- PCSOL

PS: Debug-Cisco = debug crypto isakmp + debug crypto ipsec
Debug-Strongswan = cat /var/log/messages with klips and pluto debug set to all


 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Debug-Cisco.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100512/855e211e/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Debug-Strongswan.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100512/855e211e/attachment-0001.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ipsec.conf.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100512/855e211e/attachment-0002.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Sh-Run.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100512/855e211e/attachment-0003.txt>
-------------- next part --------------



On 11 May 2010, at 17:34, Andreas Steffen wrote:

> left = local and right = remote
> 
> is just our recommendation in order to help your orientation.
> strongSwan works equally well with left and right swapped.
> I was just wondering that remote end used private network
> addresses which are not routable.
> 
> Best regards
> 
> Andreas
> 
> On 05/11/2010 05:20 PM, François Van Ingelgom wrote:
>> In fact, no, the strongswan side is: left=81.246.56.89
>> 
>> The Cisco IOS:  right=192.168.1.218.
>> 
>> I'll try to recreate the configuration tomorrow with the two ends in
>> our 81.246.56.64/27 subnet.
>> 
>> From what I understood in the ipsec.conf documentation, left is the actual
>> local machine and right is the remote one, is that correct?
>> 
>> Thanks for your help, I'll post what you asked tomorrow.
>> 
>> François Van Ingelgom -- PCSOL
>> 
>> 
>> 
>> 
>> On 11 May 2010, at 17:08, Andreas Steffen wrote:
>> 
>>> Hello François,
>>> 
>>> I don't see anything special in your configuration file except that
>>> it looks like an Openswan configuration.
>>> 
>>> I assume that the strongSwan side is
>>> 
>>> right=192.168.1.218
>>> 
>>> which makes use of a port forwarding setup (NAT traversal seems not
>>> to be enabled) on the router
>>> 
>>> rightnexthop=192.168.1.1
>>> 
>>> in order to be reachable from the Internet and that
>>> 
>>> left=81.246.56.89
>>> 
>>> is the Cisco IOS box. In order to give you some help I would need
>>> the output of
>>> 
>>> ipsec statusall
>>> 
>>> and
>>> 
>>> ip -s xfrm state
>>> 
>>> ip -s xfrm policy
>>> 
>>> after the successful connection setup and after a failed ping.
>>> 
>>> Best regards
>>> 
>>> Andreas
>>> 
>>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
>>>> Hi everyone!
>>>> 
>>>> I'm trying to set up strongSwan (Debian package) with a Cisco
>>>> router (IOS 12.4).
>>>> 
>>>> Both servers are on the same subnet (our public subnet) for
>>>> testing purposes.
>>>> 
>>>> Here is my ipsec.conf for strongswan:
>>>> 
>>>> version 2.0    # conforms to second version of ipsec.conf specification
>>>> 
>>>> config setup
>>>>     interfaces="ipsec0=eth0"
>>>> 
>>>> conn %default
>>>>     ikelifetime=86400
>>>>     keylife=3600
>>>>     keyingtries=%forever
>>>>     authby=secret
>>>>     auth=esp
>>>>     ike=aes128-sha1-modp1024!
>>>>     esp=aes128-sha1!
>>>>     pfs=no
>>>>     dpdaction=hold
>>>>     dpddelay=60
>>>>     dpdtimeout=500
>>>> 
>>>> conn tunnelipsec
>>>>     type=tunnel
>>>>     auto=start
>>>>     left=81.246.56.89
>>>>     leftnexthop=81.246.56.65
>>>>     leftsubnet=192.168.16.0/24
>>>>     right=192.168.1.218
>>>>     rightnexthop=192.168.1.1
>>>>     rightsubnet=192.168.18.0/24
>>>> 
>>>> include /etc/ipsec.d/examples/no_oe.conf
>>>> 
>>>> And here is my ipsec.secrets
>>>> 
>>>> 81.246.56.89: PSK "SecretTunnelPass"
>>>> 
>>>> I'm sorry, I don't have the Cisco config right here, but it's a
>>>> classical non-tunnel configuration (esp-aes esp-sha-hmac, aes128
>>>> and sha).
>>>> 
>>>> In fact, the connection can be established, but when I try to ping
>>>> the other end, the Cisco fails, claiming that it has no route for
>>>> the network connected to the strongSwan....
>>>> 
>>>> I really have no idea how to set it up, and I've been searching
>>>> for a very long time now :/
>>>> 
>>>> If anybody has any ideas, hints or anything, I'd greatly
>>>> appreciate it :)
>>>> 
>>>> Thanks a lot
>>>> 
>>>> François Van Ingelgom -- PCSOL
>>>> 
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
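A small checker for the two points Andreas raised about the configuration quoted above (a non-routable right address on a public left peer, and a PSK entry indexed by only one address). This is an added example, not strongSwan's own parser; it uses a re-indented copy of the thread's ipsec.conf and ipsec.secrets as constructed input.

```python
import ipaddress
import re

# Constructed input: the ipsec.conf and ipsec.secrets posted in the thread, re-indented.
IPSEC_CONF = """\
config setup
    interfaces="ipsec0=eth0"

conn %default
    authby=secret
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1!

conn tunnelipsec
    type=tunnel
    auto=start
    left=81.246.56.89
    leftsubnet=192.168.16.0/24
    right=192.168.1.218
    rightsubnet=192.168.18.0/24
"""
IPSEC_SECRETS = '81.246.56.89: PSK "SecretTunnelPass"\n'


def parse_ipsec_conf(text):
    """Return {'conn name': {key: value}}, with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()   # drop comments and blank lines
        if not line.strip():
            continue
        if not line[0].isspace():               # section header: 'conn X' / 'config setup'
            current = sections.setdefault(line.strip(), {})
        else:                                   # indented key=value belongs to current section
            key, _, value = line.strip().partition("=")
            current[key] = value
    default = sections.get("conn %default", {})
    return {n: {**default, **o} if n.startswith("conn ") else o for n, o in sections.items()}


def parse_secrets(text):
    """Return [(set of index addresses, secret type)] from ipsec.secrets lines."""
    found = re.findall(r"^\s*([^:\n]*):\s*(\w+)\s", text, flags=re.MULTILINE)
    return [(set(sel.split()), kind) for sel, kind in found]


def check_conn(conf, secrets, name):
    """Flag the issues raised in the thread for one conn; returns a list of findings."""
    conn, findings = conf[f"conn {name}"], []
    left, right = ipaddress.ip_address(conn["left"]), ipaddress.ip_address(conn["right"])
    if left.is_global and right.is_private:
        findings.append("right is a private address: the peer is only reachable via "
                        "port forwarding, so NAT traversal needs to be considered")
    if conn.get("authby") == "secret":
        peers = {str(left), str(right)}   # a PSK line indexing both peers is the usual form
        if not any(sel >= peers for sel, kind in secrets if kind == "PSK"):
            findings.append("no PSK entry indexes both peer addresses")
    return findings
```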
