[strongSwan] Strongswan with Cisco Client
Claude Tompers
claude.tompers at restena.lu
Thu May 20 09:30:08 CEST 2010
Hello Andreas,
I already had 'authby=xauthrsasig' during some previous tests, and I set it now again. Sadly no difference.
The 'modeconfig=push' did not change anything either.
kind regards,
Claude
On Thursday 20 May 2010 09:21:13 Andreas Steffen wrote:
> Dear Claude,
>
> I'm not sure if leftauth|rightauth works with IKEv1.
> Better set
>
> authby=xauthrsasig
>
> as in our example scenario:
>
> http://www.strongswan.org/uml/testresults44/ikev1/xauth-rsa-mode-config/moon.ipsec.conf
>
> The Cisco VPN client does not expect Mode Config push mode in
> conjunction with XAUTH, so omit the modeconfig=push statement.
>
> Regards
>
> Andreas
>
>
> On 05/20/2010 08:32 AM, Claude Tompers wrote:
> > Hello,
> >
> > I'm trying to get a strongswan VPN server running with a Cisco client. I have already tried lots of different configurations on the strongswan side, but I always get the following error:
> >
> > /var/log/messages :
> >
> > May 20 08:26:12 vpn6-test pluto[9572]: packet from 192.168.3.53:54554: initial Main Mode message received on 192.168.1.13:500 but no connection has been authorized with policy=PUBKEY+XAUTHRSASIG+XAUTHSERVER
> >
> > Is there anything special to configure ?
> >
> > Here's my ipsec.conf:
> >
> > # basic configuration
> >
> > ca vpnca
> >     cacert=VPNCA-cacert.pem
> >     auto=add
> >
> > config setup
> >     plutostart=yes
> >     charonstart=no
> >     charondebug="net 0"
> >     nat_traversal=yes
> >
> > # Add connections here.
> >
> > conn %default
> >     ike=aes256-sha1-modp1024
> >     esp=aes256-sha1
> >     dpdaction=clear
> >     dpddelay=300s
> >     rekey=no
> >     left=%any
> >     leftcert=vpncert.pem
> >     leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu"
> >     leftauth=pubkey
> >     right=%any
> >     rightsourceip=192.168.120.128/25
> >     auto=add
> >
> > conn cisco-vpn
> >     ikelifetime=60m
> >     keylife=20m
> >     rekeymargin=3m
> >     keyingtries=1
> >     type=tunnel
> >     pfs=no
> >     modeconfig=push
> >     rightauth=xauthrsasig
> >     xauth=server
> >
> > ---
> >
> > and my ipsec.secrets:
> >
> > : RSA vpncert-key.pem
> >
> > : XAUTH claude "verysecretpassword"
> >
> > ---
> >
> > Thanks in advance for any answers.
> >
> > kind regards,
> > Claude
--
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
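
A small lint for the two points raised in Andreas's reply, as an added example that is not part of the original thread or of strongSwan: it resolves `conn %default` inheritance and flags `leftauth`/`rightauth` without `authby` when only pluto (IKEv1) is started, and `modeconfig=push` alongside XAUTH. The function names and the trimmed sample config are constructed for illustration.

```python
# Constructed sample: only the options from the posted ipsec.conf that matter here.
SAMPLE = """\
config setup
    plutostart=yes
    charonstart=no

conn %default
    leftauth=pubkey

conn cisco-vpn
    modeconfig=push
    rightauth=xauthrsasig
    xauth=server
"""

def parse(text):
    """Return {(type, name): {key: value}} for an ipsec.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # simplification: '#' starts a comment
        if not line.strip():
            continue
        if not raw[0].isspace():               # section headers start in column 0
            current = sections.setdefault(tuple(line.split()[:2]), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def lint(text):
    """Findings for each conn, based on the advice given in this thread."""
    sections = parse(text)
    # charonstart=no means only pluto runs, so every conn is IKEv1.
    ikev1_only = sections.get(("config", "setup"), {}).get("charonstart") == "no"
    default = sections.get(("conn", "%default"), {})
    findings = []
    for (kind, name), opts in sections.items():
        if kind != "conn" or name == "%default":
            continue
        conn = {**default, **opts}             # %default values are inherited
        auth_keys = sorted(k for k in ("leftauth", "rightauth") if k in conn)
        if ikev1_only and auth_keys and "authby" not in conn:
            findings.append((name, "uses %s without authby" % "/".join(auth_keys)))
        if conn.get("modeconfig") == "push" and "xauth" in conn:
            findings.append((name, "modeconfig=push combined with XAUTH"))
    return findings

if __name__ == "__main__":
    for name, msg in lint(SAMPLE):
        print("conn %s: %s" % (name, msg))
```

Claude's reply reports that applying both changes did not clear the error, so an empty result here does not mean the connection will match.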