[strongSwan] Strongswan with Cisco Client
Claude Tompers
claude.tompers at restena.lu
Thu May 20 13:20:42 CEST 2010
Hello Andreas,
Yes, that was it. It's still not working completely, but it now seems to me to be an authentication issue with my generated certificates.
I will first try to solve this issue myself before crying for help on the mailing list again. ;)
Thanks very much for your help
regards,
Claude
On Thursday 20 May 2010 11:32:33 Andreas Steffen wrote:
> Hello Claude,
>
> I think I found the problem. The IKEv1 pluto daemon does not
> support
>
> left=%any
>
> You must set
>
> left=%defaultroute
>
> since we haven't implemented dynamic determination of the
> outbound network interface based on the route yet.
>
> Regards
>
> Andreas
>
> On 20.05.2010 09:30, Claude Tompers wrote:
> > Hello Andreas,
> >
> > I already had 'authby=xauthrsasig' during some previous tests, and I set it now again. Sadly no difference.
> > The 'modeconfig=push' did not change anything either.
> >
> > kind regards,
> > Claude
> >
> >
> > On Thursday 20 May 2010 09:21:13 Andreas Steffen wrote:
> >> Dear Claude,
> >>
> >> I'm not sure if leftauth|rightout works with IKEv1.
> >> Better set
> >>
> >> authby=xauthrsasig
> >>
> >> as in our example scenario:
> >>
> >> http://www.strongswan.org/uml/testresults44/ikev1/xauth-rsa-mode-config/moon.ipsec.conf
> >>
> >> The Cisco VPN client does not expect Mode Config push mode in
> >> conjunction with XAUTH, so omit the modeconfig=push statement.
> >>
> >> Regards
> >>
> >> Andreas
> >>
> >>
> >> On 05/20/2010 08:32 AM, Claude Tompers wrote:
> >>> Hello,
> >>>
> >>> I'm trying to get a strongswan VPN server running with a Cisco client. I have already tried lots of different configurations on the strongswan side, but I always get the following error :
> >>>
> >>> /var/log/messages :
> >>>
> >>> May 20 08:26:12 vpn6-test pluto[9572]: packet from 192.168.3.53:54554: initial Main Mode message received on 192.168.1.13:500 but no connection has been authorized with policy=PUBKEY+XAUTHRSASIG+XAUTHSERVER
> >>>
> >>> Is there anything special to configure ?
> >>>
> >>> Here's my ipsec.conf:
> >>>
> >>> # basic configuration
> >>>
> >>> ca vpnca
> >>>     cacert=VPNCA-cacert.pem
> >>>     auto=add
> >>>
> >>> config setup
> >>>     plutostart=yes
> >>>     charonstart=no
> >>>     charondebug="net 0"
> >>>     nat_traversal=yes
> >>>
> >>> # Add connections here.
> >>>
> >>> conn %default
> >>>     ike=aes256-sha1-modp1024
> >>>     esp=aes256-sha1
> >>>     dpdaction=clear
> >>>     dpddelay=300s
> >>>     rekey=no
> >>>     left=%any
> >>>     leftcert=vpncert.pem
> >>>     leftid="C=LU, ST=Luxembourg, L=Luxembourg, O=Fondation RESTENA, OU=IT, CN=vpn6-pub.restena.lu, E=claude.tompers at restena.lu"
> >>>     leftauth=pubkey
> >>>     right=%any
> >>>     rightsourceip=192.168.120.128/25
> >>>     auto=add
> >>>
> >>> conn cisco-vpn
> >>>     ikelifetime=60m
> >>>     keylife=20m
> >>>     rekeymargin=3m
> >>>     keyingtries=1
> >>>     type=tunnel
> >>>     pfs=no
> >>>     modeconfig=push
> >>>     rightauth=xauthrsasig
> >>>     xauth=server
> >>> ---
> >>>
> >>> and my ipsec.secrets:
> >>>
> >>> : RSA vpncert-key.pem
> >>>
> >>> : XAUTH claude "verysecretpassword"
> >>>
> >>> ---
> >>>
> >>> Thanks in advance for any answers.
> >>>
> >>> kind regards,
> >>> Claude
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
--
Claude Tompers
Ingénieur réseau et système
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
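
The three changes Andreas suggests in this thread (`left=%defaultroute` instead of `left=%any`, `authby=xauthrsasig` instead of `leftauth`/`rightauth`, no `modeconfig=push` together with XAUTH), written as a small configuration check. This is an added example, not part of the original messages and not strongSwan code; the function names `parse` and `lint` and the trimmed sample configuration are constructed for illustration, and it assumes every `conn` is served by the IKEv1 pluto daemon.

```python
SAMPLE = """\
config setup
    plutostart=yes

conn %default
    left=%any
    leftauth=pubkey
    right=%any

conn cisco-vpn
    modeconfig=push
    rightauth=xauthrsasig
    xauth=server
"""  # constructed: a trimmed copy of the configuration posted in the thread

def parse(text):
    """Return {section header: {key: value}} for an ipsec.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():               # unindented line starts a section
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def lint(text):
    """Findings per conn, %default inherited; assumes pluto (IKEv1) serves every conn."""
    sections = parse(text)
    defaults = sections.get("conn %default", {})
    findings = []
    for header, params in sections.items():
        if not header.startswith("conn ") or header == "conn %default":
            continue
        conn, eff = header[5:], {**defaults, **params}   # conn values override defaults
        if eff.get("left") == "%any":
            findings.append((conn, "left=%any: use left=%defaultroute"))
        if "leftauth" in eff or "rightauth" in eff:
            findings.append((conn, "leftauth/rightauth: use authby=xauthrsasig"))
        if eff.get("modeconfig") == "push" and "xauth" in eff:
            findings.append((conn, "modeconfig=push with XAUTH: omit it"))
    return findings

if __name__ == "__main__":
    for conn, message in lint(SAMPLE):
        print(f"{conn}: {message}")
```

The `left=%any` and `leftauth` findings are reported against `cisco-vpn` even though they are set in `conn %default`, because that is where pluto applies them.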