[strongSwan] Strongswan with Cisco Client
Andreas Steffen
andreas.steffen at strongswan.org
Thu May 20 11:32:33 CEST 2010
Hello Claude,

I think I found the problem. The IKEv1 pluto daemon does not
support

  left=%any

You must set

  left=%defaultroute

since we haven't implemented dynamic determination of the
outbound network interface based on the route yet.

Regards

Andreas

On 20.05.2010 09:30, Claude Tompers wrote:
> Hello Andreas,
>
> I already had 'authby=xauthrsasig' during some previous tests, and I set it now again. Sadly no difference.
> The 'modeconfig=push' did not change anything either.
>
> kind regards,
> Claude
>
>
> On Thursday 20 May 2010 09:21:13 Andreas Steffen wrote:
>> Dear Claude,
>>
>> I'm not sure if leftauth|rightout works with IKEv1.
>> Better set
>>
>> authby=xauthrsasig
>>
>> as in our example scenario:
>>
>> http://www.strongswan.org/uml/testresults44/ikev1/xauth-rsa-mode-config/moon.ipsec.conf
>>
>> The Cisco VPN client does not expect Mode Config push mode in
>> conjunction with XAUTH, so omit the modeconfig=push statement.
>>
>> Regards
>>
>> Andreas
>>
>>
>> On 05/20/2010 08:32 AM, Claude Tompers wrote:
>>> Hello,
>>>
>>> I'm trying to get a strongswan VPN server running with a Cisco client. I have already tried lots of different configurations on the strongswan side, but I always get the following error:
>>>
>>> /var/log/messages:
>>>
>>> May 20 08:26:12 vpn6-test pluto[9572]: packet from 192.168.3.53:54554: initial Main Mode message received on 192.168.1.13:500 but no connection has been authorized with policy=PUBKEY+XAUTHRSASIG+XAUTHSERVER
>>>
>>> Is there anything special to configure ?
>>>
>>> Here's my ipsec.conf:
>>>
>>> # basic configuration
>>>
>>> ca vpnca
>>>     cacert=VPNCA-cacert.pem
>>>     auto=add
>>>
>>> config setup
>>>     plutostart=yes
>>>     charonstart=no
>>>     charondebug="net 0"
>>>     nat_traversal=yes
>>>
>>> # Add connections here.
>>>
>>> conn %default
>>>     ike=aes256-sha1-modp1024
>>>     esp=aes256-sha1
>>>     dpdaction=clear
>>>     dpddelay=300s
>>>     rekey=no
>>>     left=%any
>>>     leftcert=vpncert.pem
>>>     leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu"
>>>     leftauth=pubkey
>>>     right=%any
>>>     rightsourceip=192.168.120.128/25
>>>     auto=add
>>>
>>> conn cisco-vpn
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     type=tunnel
>>>     pfs=no
>>>     modeconfig=push
>>>     rightauth=xauthrsasig
>>>     xauth=server
>>>
>>> ---
>>>
>>> and my ipsec.secrets:
>>>
>>> : RSA vpncert-key.pem
>>>
>>> : XAUTH claude "verysecretpassword"
>>>
>>> ---
>>>
>>> Thanks in advance for any answers.
>>>
>>> kind regards,
>>> Claude
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
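
Added example, not part of the original thread or of strongSwan: a small Python check that parses an ipsec.conf and flags the three settings this thread identifies for an IKEv1 pluto server with a Cisco client (left=%any, modeconfig=push together with XAUTH, leftauth/rightauth without authby). The function names and the simplified parser (no "include", no "also=") are hypothetical, the sample is constructed from the configuration quoted above, and it assumes every conn is served by pluto.

```python
# Added example; assumes every conn is served by the IKEv1 pluto daemon.
# SAMPLE is constructed, reduced from the configuration quoted in the thread.
SAMPLE = """\
conn %default
    left=%any
    leftauth=pubkey
    right=%any

conn cisco-vpn
    modeconfig=push
    rightauth=xauthrsasig
    xauth=server
"""

def parse(text):
    """Return {(section_type, name): {key: value}}; simplified parser."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():               # unindented line opens a section
            kind, name = (line.split(None, 1) + [""])[:2]
            cur = sections.setdefault((kind, name), {})
        elif cur is not None and "=" in line:  # indented key=value belongs to it
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return sections

def lint(text):
    """Return (conn, message) findings based on the advice in this thread."""
    secs = parse(text)
    default = secs.get(("conn", "%default"), {})
    findings = []
    for (kind, name), params in secs.items():
        if kind != "conn" or name == "%default":
            continue
        eff = {**default, **params}            # conn %default values are inherited
        if eff.get("left") == "%any":
            findings.append((name, "left=%any: set left=%defaultroute"))
        if "xauth" in eff and eff.get("modeconfig") == "push":
            findings.append((name, "modeconfig=push with XAUTH: omit it"))
        if ("leftauth" in eff or "rightauth" in eff) and "authby" not in eff:
            findings.append((name, "leftauth/rightauth: set authby=xauthrsasig"))
    return findings

if __name__ == "__main__":
    for conn, message in lint(SAMPLE):
        print(f"conn {conn}: {message}")
```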