[strongSwan] StrongSwan to Cisco ASA connection issue

Wed Nov 24 19:43:23 CET 2010

Hello Ana,

you have to define a rightsubnet, most probably

  rightsubnet=0.0.0.0/0

Regards

Andreas

On 24.11.2010 18:18, Ana Andjelic wrote:
> Hello!
> 
> I configured StrongSwan as a client to Cisco ASA gateway, but they can
> not establish the connection. ASA is configured to accept client
> connections based on certificates and Cisco vpn clients are able to
> connect. Since I need Linux client to connect to ASA, I would really
> appreciate your help. 
> 
> 002 "vpn" #3: initiating Main Mode
> 104 "vpn" #3: STATE_MAIN_I1: initiate
> 003 "vpn" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> 003 "vpn" #3: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 002 "vpn" #3: enabling possible NAT-traversal with method RFC 3947
> 106 "vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "vpn" #3: ignoring Vendor ID payload [Cisco-Unity]
> 003 "vpn" #3: received Vendor ID payload [XAUTH]
> 003 "vpn" #3: ignoring Vendor ID payload [938e6beb766dee4e3e9a9ca612bf9c0e]
> 003 "vpn" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 003 "vpn" #3: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> 002 "vpn" #3: we have a cert and are sending it upon request
> 108 "vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "vpn" #3: received Vendor ID payload [Dead Peer Detection]
> 002 "vpn" #3: Peer ID is ID_DER_ASN1_DN: 'CN=ASA 5510'
> 002 "vpn" #3: crl not found
> 002 "vpn" #3: certificate status unknown
> 002 "vpn" #3: crl not found
> 002 "vpn" #3: certificate status unknown
> 002 "vpn" #3: ISAKMP SA established
> 004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established
> 002 "vpn" #3: parsing XAUTH request
> 002 "vpn" #3: sending XAUTH reply
> 120 "vpn" #3: STATE_XAUTH_I1: sent XAUTH reply, expecting status
> 002 "vpn" #3: parsing XAUTH status
> 002 "vpn" #3: extended authentication was successful
> 002 "vpn" #3: sending XAUTH ack
> 002 "vpn" #3: sent XAUTH ack, established
> 004 "vpn" #3: STATE_XAUTH_I2: sent XAUTH ack, established
> 002 "vpn" #3: sending ModeCfg request
> 002 "vpn" #3: parsing ModeCfg reply
> 002 "vpn" #3: setting virtual IP source address to 10.2.9.6
> 002 "vpn" #3: received ModeCfg reply, established
> 004 "vpn" #3: STATE_MODE_CFG_I2: received ModeCfg reply, established
> 002 "vpn" #4: initiating Quick Mode ENCRYPT+TUNNEL+PFS+UP+XAUTHRSASIG
> {using isakmp#3}
> 112 "vpn" #4: STATE_QUICK_I1: initiate
> 010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "vpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1. 
> No acceptable response to our first Quick Mode message: perhaps peer
> likes no proposal
> 
> Here is my ipsec.conf:
> 
> config setup
>     plutodebug=all
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     nat_traversal=yes
>     plutostart=yes
>     charonstart=no
>     plutostderrlog=/var/log/pluto.log
> 
> conn vpn
>     ike=aes-md5-modp1024
>     esp=aes-md5
>     left=%defaultroute
>     leftcert=laptop1.pem
>     leftsourceip=%modeconfig
>     modeconfig=pull
>     right=217.24.19.114
>     rightid="CN=ASA 5510"
>     rightca=%same
>     authby=xauthrsasig
>     auto=add
> 
> Any suggestions?

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==