[strongSwan] StrongSwan to Cisco ASA connection issue
Andreas Steffen
andreas.steffen at strongswan.org
Wed Nov 24 19:43:23 CET 2010
Hello Ana,
you have to define a rightsubnet, most probably
rightsubnet=0.0.0.0/0
Regards
Andreas
On 24.11.2010 18:18, Ana Andjelic wrote:
> Hello!
>
> I configured StrongSwan as a client to a Cisco ASA gateway, but they
> cannot establish the connection. The ASA is configured to accept client
> connections based on certificates, and Cisco VPN clients are able to
> connect. Since I need a Linux client to connect to the ASA, I would really
> appreciate your help.
>
> 002 "vpn" #3: initiating Main Mode
> 104 "vpn" #3: STATE_MAIN_I1: initiate
> 003 "vpn" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
> 003 "vpn" #3: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 002 "vpn" #3: enabling possible NAT-traversal with method RFC 3947
> 106 "vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "vpn" #3: ignoring Vendor ID payload [Cisco-Unity]
> 003 "vpn" #3: received Vendor ID payload [XAUTH]
> 003 "vpn" #3: ignoring Vendor ID payload [938e6beb766dee4e3e9a9ca612bf9c0e]
> 003 "vpn" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 003 "vpn" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> 002 "vpn" #3: we have a cert and are sending it upon request
> 108 "vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "vpn" #3: received Vendor ID payload [Dead Peer Detection]
> 002 "vpn" #3: Peer ID is ID_DER_ASN1_DN: 'CN=ASA 5510'
> 002 "vpn" #3: crl not found
> 002 "vpn" #3: certificate status unknown
> 002 "vpn" #3: crl not found
> 002 "vpn" #3: certificate status unknown
> 002 "vpn" #3: ISAKMP SA established
> 004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established
> 002 "vpn" #3: parsing XAUTH request
> 002 "vpn" #3: sending XAUTH reply
> 120 "vpn" #3: STATE_XAUTH_I1: sent XAUTH reply, expecting status
> 002 "vpn" #3: parsing XAUTH status
> 002 "vpn" #3: extended authentication was successful
> 002 "vpn" #3: sending XAUTH ack
> 002 "vpn" #3: sent XAUTH ack, established
> 004 "vpn" #3: STATE_XAUTH_I2: sent XAUTH ack, established
> 002 "vpn" #3: sending ModeCfg request
> 002 "vpn" #3: parsing ModeCfg reply
> 002 "vpn" #3: setting virtual IP source address to 10.2.9.6
> 002 "vpn" #3: received ModeCfg reply, established
> 004 "vpn" #3: STATE_MODE_CFG_I2: received ModeCfg reply, established
> 002 "vpn" #4: initiating Quick Mode ENCRYPT+TUNNEL+PFS+UP+XAUTHRSASIG {using isakmp#3}
> 112 "vpn" #4: STATE_QUICK_I1: initiate
> 010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
> 010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "vpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>
> Here is my ipsec.conf:
>
> config setup
>     plutodebug=all
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     nat_traversal=yes
>     plutostart=yes
>     charonstart=no
>     plutostderrlog=/var/log/pluto.log
>
> conn vpn
>     ike=aes-md5-modp1024
>     esp=aes-md5
>     left=%defaultroute
>     leftcert=laptop1.pem
>     leftsourceip=%modeconfig
>     modeconfig=pull
>     right=217.24.19.114
>     rightid="CN=ASA 5510"
>     rightca=%same
>     authby=xauthrsasig
>     auto=add
>
> Any suggestions?
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
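The failure pattern in this thread (Phase 1, XAUTH and ModeCfg all succeed, then Quick Mode times out because no remote traffic selector was configured) can be spotted mechanically. The script below is an added example, not code from the thread or from strongSwan: it parses an ipsec.conf in the indented key=value form shown above, flags conn sections without `rightsubnet`, and extracts the last pluto state from the log. The sample conf and log lines are constructed from the posted ones.

```python
import re

# Constructed sample: the conn section as posted in the thread (no rightsubnet).
SAMPLE_CONF = """\
config setup
    plutodebug=all
    nat_traversal=yes

conn vpn
    ike=aes-md5-modp1024
    esp=aes-md5
    left=%defaultroute
    leftsourceip=%modeconfig
    modeconfig=pull
    right=217.24.19.114
    rightid="CN=ASA 5510"
    authby=xauthrsasig
    auto=add
"""

# Constructed sample: the tail of the pluto log as posted in the thread.
SAMPLE_LOG = """\
004 "vpn" #3: STATE_MODE_CFG_I2: received ModeCfg reply, established
002 "vpn" #4: initiating Quick Mode ENCRYPT+TUNNEL+PFS+UP+XAUTHRSASIG {using isakmp#3}
112 "vpn" #4: STATE_QUICK_I1: initiate
010 "vpn" #4: STATE_QUICK_I1: retransmission; will wait 20s for response
031 "vpn" #4: max number of retransmissions (2) reached STATE_QUICK_I1.
"""

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section header: {key: value}}; entries are the indented lines."""
    sections, current = {}, None
    for line in text.splitlines():
        body = line.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not body:
            continue
        if not line[0].isspace():                # 'config setup' / 'conn vpn' header
            current = body
            sections[current] = {}
        elif current is not None and "=" in body:
            key, value = body.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def missing_rightsubnet(sections):
    """Names of conn sections that leave the remote traffic selector undefined."""
    return [hdr.split(None, 1)[1] for hdr, kv in sections.items()
            if hdr.startswith("conn ") and "rightsubnet" not in kv]

STATE_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: (?P<state>STATE_[A-Z0-9_]+)')

def last_state(log):
    """Return (conn, last STATE_* reached, stalled) where stalled = retransmit limit hit."""
    conn = state = None
    stalled = False
    for line in log.splitlines():
        m = STATE_RE.search(line)
        if m:
            conn, state = m.group("conn"), m.group("state")
        if "max number of retransmissions" in line:
            stalled = True
    return conn, state, stalled
```

A conn that stalls in STATE_QUICK_I1 while also appearing in `missing_rightsubnet()` is the exact situation the reply points at; adding `rightsubnet=0.0.0.0/0` clears the first check.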