[strongSwan] StrongSWAN <-> Cisco router IOS 12.4

Steve Rigano steve.rigano at gmail.com
Wed May 12 16:27:49 CEST 2010


Hi,

By using the Cisco command "debug crypto isakmp" you should be able to
troubleshoot this issue, which should be caused by a misconfiguration. Make
sure your transform set is correct and check whether you're using group 1 or
group 2.

Cheers,

Steve Rigano

2010/5/12 François Van Ingelgom <francois.vaningelgom at pcsol.be>

> Hi andreas!
>
> I've recreated my setup and, this time, I'm not even able to establish the
> tunnel.
>
> On the Cisco it fails with the error: "Notify has no hash. Rejected."
>
> I've attached the debug output of every device.
>
> I really have no idea how to sort it out and Google is not such a good friend
> today :)
>
> Thanks a lot!
>
> François Van Ingelgom -- PCSOL
>
> PS: Debug-Cisco = debug crypto isakmp + debug crypto ipsec
> Debug-Strongswan = cat /var/log/messages with klips and pluto debug set to all
>
>
> On 11 May 2010 at 17:34, Andreas Steffen wrote:
>
> > left = local and right = remote
> >
> > is just our recommendation in order to help your orientation.
> > strongSwan works equally well with left and right swapped.
> > I was just wondering that remote end used private network
> > addresses which are not routable.
> >
> > Best regards
> >
> > Andreas
> >
> > On 05/11/2010 05:20 PM, François Van Ingelgom wrote:
> >> In fact, no, the strongswan side is: left=81.246.56.89
> >>
> >> The Cisco IOS:  right=192.168.1.218.
> >>
> >> I'll try to recreate the configuration tomorrow with the two ends in
> >> our 81.246.56.64/27 subnet.
> >>
> >> From what I understood in the ipsec.conf documentation, left is the actual
> >> local machine and right is the remote one, is that correct?
> >>
> >> Thanks for your help, I'll post what you asked tomorrow.
> >>
> >> François Van Ingelgom -- PCSOL
> >>
> >> On 11 May 2010 at 17:08, Andreas Steffen wrote:
> >>
> >>> Hello François,
> >>>
> >>> I don't see anything special in your configuration file except that
> >>> it looks like an Openswan configuration.
> >>>
> >>> I assume that the strongSwan side is
> >>>
> >>> right=192.168.1.218
> >>>
> >>> which makes use of a port forwarding setup (NAT traversal seems not
> >>> to be enabled) on the router
> >>>
> >>> rightnexthop=192.168.1.1
> >>>
> >>> in order to be reachable from the Internet and that
> >>>
> >>> left=81.246.56.89
> >>>
> >>> is the Cisco IOS box. In order to give you some help I would need
> >>> the output of
> >>>
> >>> ipsec statusall
> >>>
> >>> and
> >>>
> >>> ip -s xfrm state
> >>>
> >>> ip -s xfrm policy
> >>>
> >>> after the successful connection setup and after a failed ping.
> >>>
> >>> Best regards
> >>>
> >>> Andreas
> >>>
> >>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
> >>>> Hi everyone!
> >>>>
> >>>> I'm trying to set up Strongswan (Debian package) with a Cisco
> >>>> router (IOS 12.4).
> >>>>
> >>>> Both servers are on the same subnet (our public subnet) for
> >>>> testing purposes.
> >>>>
> >>>> Here is my ipsec.conf for strongswan:
> >>>>
> >>>> version    2.0     # conforms to second version of ipsec.conf specification
> >>>>
> >>>> config setup
> >>>>     interfaces="ipsec0=eth0"
> >>>>
> >>>> conn %default
> >>>>     ikelifetime=86400
> >>>>     keylife=3600
> >>>>     keyingtries=%forever
> >>>>     authby=secret
> >>>>     auth=esp
> >>>>     ike=aes128-sha1-modp1024!
> >>>>     esp=aes128-sha1!
> >>>>     pfs=no
> >>>>     dpdaction=hold
> >>>>     dpddelay=60
> >>>>     dpdtimeout=500
> >>>>
> >>>> conn tunnelipsec
> >>>>     type=tunnel
> >>>>     auto=start
> >>>>     left=81.246.56.89
> >>>>     leftnexthop=81.246.56.65
> >>>>     leftsubnet=192.168.16.0/24
> >>>>     right=192.168.1.218
> >>>>     rightnexthop=192.168.1.1
> >>>>     rightsubnet=192.168.18.0/24
> >>>>
> >>>> include /etc/ipsec.d/examples/no_oe.conf
> >>>>
> >>>> And here is my ipsec.secrets
> >>>>
> >>>> 81.246.56.89: PSK "SecretTunnelPass"
> >>>>
> >>>> I'm sorry, I don't have the Cisco config right here, but it's a
> >>>> classical non-tunnel configuration (esp-aes esp-sha-hmac, aes128
> >>>> and sha).
> >>>>
> >>>> In fact, the connection can be established, but when I try to ping
> >>>> the other end, the Cisco fails, claiming that it has no route for
> >>>> the network connected to the strongSwan....
> >>>>
> >>>> I really have no idea how to set it up, and I've been searching
> >>>> for a very long time now :/
> >>>>
> >>>> If anybody has any ideas, hints or anything, I'll greatly
> >>>> appreciate it :)
> >>>>
> >>>> Thanks a lot
> >>>>
> >>>> François Van Ingelgom -- PCSOL
> >>>>
> >
> > ======================================================================
> > Andreas Steffen                         andreas.steffen at strongswan.org
> > strongSwan - the Linux VPN Solution!                www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>