[strongSwan] StrongSwan to Cisco ASA connection issue

Ana Andjelic ana.andj at gmail.com
Wed Nov 24 18:18:53 CET 2010


Hello!

I configured StrongSwan as a client to a Cisco ASA gateway, but they cannot
establish the connection. The ASA is configured to accept client connections
based on certificates, and Cisco VPN clients are able to connect. Since I
need a Linux client to connect to the ASA, I would really appreciate your help.

002 "vpn" #3: initiating Main Mode
104 "vpn" #3: STATE_MAIN_I1: initiate
003 "vpn" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
003 "vpn" #3: ignoring Vendor ID payload [FRAGMENTATION c0000000]
002 "vpn" #3: enabling possible NAT-traversal with method RFC 3947
106 "vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn" #3: ignoring Vendor ID payload [Cisco-Unity]
003 "vpn" #3: received Vendor ID payload [XAUTH]
003 "vpn" #3: ignoring Vendor ID payload [938e6beb766dee4e3e9a9ca612bf9c0e]
003 "vpn" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "vpn" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "vpn" #3: we have a cert and are sending it upon request
108 "vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
003 "vpn" #3: received Vendor ID payload [Dead Peer Detection]
002 "vpn" #3: Peer ID is ID_DER_ASN1_DN: 'CN=ASA 5510'
002 "vpn" #3: crl not found
002 "vpn" #3: certificate status unknown
002 "vpn" #3: crl not found
002 "vpn" #3: certificate status unknown
002 "vpn" #3: ISAKMP SA established
004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established
002 "vpn" #3: parsing XAUTH request
002 "vpn" #3: sending XAUTH reply
120 "vpn" #3: STATE_XAUTH_I1: sent XAUTH reply, expecting status
002 "vpn" #3: parsing XAUTH status
002 "vpn" #3: extended authentication was successful
002 "vpn" #3: sending XAUTH ack
002 "vpn" #3: sent XAUTH ack, established
004 "vpn" #3: STATE_XAUTH_I2: sent XAUTH ack, established
002 "vpn" #3: sending ModeCfg request
002 "vpn" #3: parsing ModeCfg reply
002 "vpn" #3: setting virtual IP source address to 10.2.9.6
002 "vpn" #3: received ModeCfg reply, established
004 "vpn" #3: STATE_MODE_CFG_I2: received ModeCfg reply, established
002 "vpn" #4: initiating Quick Mode ENCRYPT+TUNNEL+PFS+UP+XAUTHRSASIG {using isakmp#3}
112 "vpn" #4: STATE_QUICK_I1: initiate
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "vpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

Here is my ipsec.conf:

config setup
    plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    plutostart=yes
    charonstart=no
    plutostderrlog=/var/log/pluto.log

conn vpn
    ike=aes-md5-modp1024
    esp=aes-md5
    left=%defaultroute
    leftcert=laptop1.pem
    leftsourceip=%modeconfig
    modeconfig=pull
    right=217.24.19.114
    rightid="CN=ASA 5510"
    rightca=%same
    authby=xauthrsasig
    auto=add

Any suggestions?
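The pluto output above is easier to read once it is reduced to "which phase reached which state". The script below is an added example, not part of the original post or of strongSwan; it parses a constructed copy of the log lines quoted above (Vendor ID chatter trimmed), tracks the last STATE_* reached per SA number, and reports that Phase 1, XAUTH and ModeCfg completed (virtual IP 10.2.9.6 assigned) while Quick Mode on SA #4 drew no reply after two retransmissions. The first Quick Mode message carries the esp= proposal and the traffic selectors, so those are what the summary points at; it also flags that the peer certificate's revocation status was never checked ("crl not found"), which matches the commented-out strictcrlpolicy in the ipsec.conf. Regex names and the field layout in the summary dict are this example's own choices.

```python
import re

# Constructed sample: the pluto lines from the post above, trimmed to the
# entries the diagnosis needs (Vendor ID lines omitted).
SAMPLE_LOG = """\
002 "vpn" #3: initiating Main Mode
104 "vpn" #3: STATE_MAIN_I1: initiate
106 "vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vpn" #3: Peer ID is ID_DER_ASN1_DN: 'CN=ASA 5510'
002 "vpn" #3: crl not found
002 "vpn" #3: certificate status unknown
004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established
120 "vpn" #3: STATE_XAUTH_I1: sent XAUTH reply, expecting status
002 "vpn" #3: extended authentication was successful
004 "vpn" #3: STATE_XAUTH_I2: sent XAUTH ack, established
002 "vpn" #3: setting virtual IP source address to 10.2.9.6
004 "vpn" #3: STATE_MODE_CFG_I2: received ModeCfg reply, established
002 "vpn" #4: initiating Quick Mode ENCRYPT+TUNNEL+PFS+UP+XAUTHRSASIG {using isakmp#3}
112 "vpn" #4: STATE_QUICK_I1: initiate
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "vpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# pluto line shape: <3-digit code> "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^(?P<rc>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'^(?P<state>STATE_[A-Z0-9_]+):')
VIP_RE = re.compile(r'setting virtual IP source address to (?P<ip>\S+)')
RETRANS_RE = re.compile(r'retransmission; will wait (?P<secs>\d+)s')
FAILED_RE = re.compile(r'max number of retransmissions .*reached (?P<state>STATE_[A-Z0-9_]+)')


def parse(log):
    """Yield (rc, conn, sa, msg) for every pluto line; skip anything else."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m['rc']), m['conn'], int(m['sa']), m['msg']


def diagnose(log):
    """Summarize how far an IKEv1 client negotiation got and where it stopped."""
    r = {
        "last_state": {},        # SA number -> last STATE_* reached
        "peer_id": None,
        "cert_status_unknown": False,  # "certificate status unknown" seen
        "phase1_ok": False,      # ISAKMP SA established
        "xauth_ok": False,
        "virtual_ip": None,      # ModeCfg-assigned address
        "retransmit_waits": [],  # back-off seconds of each retransmission
        "failed_state": None,    # state in which retransmissions ran out
        "phase2_ok": False,      # IPsec SA established
    }
    for rc, conn, sa, msg in parse(log):
        st = STATE_RE.match(msg)
        if st:
            r["last_state"][sa] = st['state']
        if msg.startswith("Peer ID is"):
            r["peer_id"] = msg.split(":", 1)[1].strip(" '")
        if msg == "certificate status unknown":
            r["cert_status_unknown"] = True
        if "ISAKMP SA established" in msg:
            r["phase1_ok"] = True
        if "extended authentication was successful" in msg:
            r["xauth_ok"] = True
        vip = VIP_RE.search(msg)
        if vip:
            r["virtual_ip"] = vip['ip']
        rt = RETRANS_RE.search(msg)
        if rt:
            r["retransmit_waits"].append(int(rt['secs']))
        failed = FAILED_RE.match(msg)
        if failed:
            r["failed_state"] = failed['state']
        if "IPsec SA established" in msg:
            r["phase2_ok"] = True
    return r


def explain(r):
    """Turn the summary into one line a practitioner can act on."""
    if r["phase2_ok"]:
        return "tunnel up"
    if not r["phase1_ok"]:
        return "Phase 1 (ISAKMP SA) never completed; check ike= proposal, certificates and IDs"
    steps = ["Phase 1 OK"]
    if r["xauth_ok"]:
        steps.append("XAUTH OK")
    if r["virtual_ip"]:
        steps.append("ModeCfg OK (virtual IP %s)" % r["virtual_ip"])
    if r["failed_state"] and r["failed_state"].startswith("STATE_QUICK"):
        steps.append("Quick Mode got no reply after %d retransmissions: the gateway did not "
                     "answer the first Quick Mode message, which carries the esp= proposal "
                     "and the traffic selectors" % len(r["retransmit_waits"]))
    if r["cert_status_unknown"]:
        steps.append("note: peer certificate revocation status was never checked (no CRL)")
    return "; ".join(steps)


if __name__ == "__main__":
    print(explain(diagnose(SAMPLE_LOG)))
```

Run it against /var/log/pluto.log (the plutostderrlog path in the config) instead of the constructed sample by passing the file contents to diagnose(); the summary dict keeps the per-SA last state so a negotiation that never leaves STATE_MAIN_I1 or STATE_MAIN_I3 is distinguished from one that fails only in Quick Mode.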