[strongSwan] IKEv1 connection problems: strongswan <> cisco-asa

J. Miller z3usy at hotmail.com
Wed Sep 22 20:04:15 CEST 2010


I'm having an issue with getting strongswan to complete its phase2
authorization with our Cisco ASA. I've tried about 20 different combinations
of the IKE/ESP encryption types with no luck, and the same issue occurs
during the MAIN_I2 stage.

If anyone can offer any assistance or guidance it would be greatly
appreciated!

========PLUTO ERROR LOG========

| inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #3
| next event EVENT_RETRANSMIT in 40 seconds for #3
|
| *received 68 bytes from xxx.xxx.xxx.xxx:500 on eth0
|   a4 39 4a 95  51 b7 93 b0  16 06 2a 8d  e7 0e c9 79
|   0b 10 05 00  00 00 00 00  00 00 00 44  00 00 00 28
|   00 00 00 01  00 00 00 04  b0 12 3d 04  98 12 22 05
|   01 00 00 00  03 00 00 00  04 00 00 00  84 81 07 01
|   ec 62 aa 0c
| **parse ISAKMP Message:
|    initiator cookie:
|   a4 39 4a 95  51 b7 93 b0
|    responder cookie:
|   16 06 2a 8d  e7 0e c9 79
|    next payload type: ISAKMP_NEXT_N
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_INFO
|    flags: none
|    message ID:  00 00 00 00
|    length: 68
| ICOOKIE:  a4 39 4a 95  51 b7 93 b0
| RCOOKIE:  16 06 2a 8d  e7 0e c9 79
| peer:  48 03 f2 47
| state hash entry 1
| state object #3 found, in STATE_MAIN_I2
"cisco-asa" #3: Informational Exchange message must be encrypted
| next event EVENT_RETRANSMIT in 40 seconds for #3
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3390 seconds
| handling event EVENT_RETRANSMIT for xxx.xxx.xxx.xxx "cisco-asa" #3
"cisco-asa" #3: max number of retransmissions (2) reached STATE_MAIN_I2


========IPSEC.CONF========

config setup
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=no
        # plutostart=no
        plutostderrlog=/var/log/pluto.log

conn cisco-asa
        type=tunnel
        left=%defaultroute
        leftid=@GROUPID
        right=xxx.xxx.xxx.xxx
        rightsourceip=%dhcp
        rightnexthop=%defaultroute
        rightsubnet=0.0.0.0/0
        xauth=client
        authby=xauthpsk
        ike=3des
        esp=3des-sha
        pfs=no
        auto=start


========IPSEC.SECRETS========

: PSK "groupid-secret"
xxx.xxx.xxx.xxx username : XAUTH "password"



========CISCO ASA CONFIG========

crypto ipsec transform-set connset esp-3des esp-sha-hmac
crypto dynamic-map conn 90 set transform-set connset
crypto map connmap 8 match address 104
crypto map connmap 8 set peer xxx.xxx.xxx.xxx
crypto map connmap 8 set transform-set connset
crypto map connmap 10000 ipsec-isakmp dynamic conn
crypto map connmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
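Added worked example (not part of the original post, and not strongSwan code): pluto logged the raw 68-byte datagram the ASA sent back while connection #3 sat in STATE_MAIN_I2, then refused to go further because an Informational exchange arrived without the Encryption flag set. The decoder below re-parses exactly those bytes, copied from the "*received 68 bytes" hex dump in the log, using the header, generic payload header and Notification payload layouts from RFC 2408, so you can see the exchange type, the flags byte and the Notify type number (with its RFC 2408 name) that pluto itself never got as far as printing. The `pluto_verdict` function is a hypothetical one-line restatement of the check behind pluto's "must be encrypted" message, not pluto's own code.

```python
"""Decode the ISAKMP datagram that pluto logged while in STATE_MAIN_I2.

Added example; not from the original post or from strongSwan. The packet
bytes are copied from the "*received 68 bytes" block of the pluto log.
Field layouts and name tables follow RFC 2408.
"""
import struct

# Constructed input: the 68-byte datagram as printed in the pluto debug log.
PACKET = bytes.fromhex(
    "a4394a9551b793b016062a8de70ec979"
    "0b100500000000000000004400000028"
    "0000000100000004b0123d0498122205"
    "01000000030000000400000084810701"
    "ec62aa0c"
)

HEADER = struct.Struct("!8s8sBBBBII")   # icookie, rcookie, np, ver, xchg, flags, msgid, len
PAYLOAD_HDR = struct.Struct("!BBH")     # next payload, reserved, payload length
NOTIFY_HDR = struct.Struct("!IBBH")     # DOI, protocol-id, SPI size, notify type

FLAG_ENCRYPTION, FLAG_COMMIT, FLAG_AUTH_ONLY = 0x01, 0x02, 0x04
XCHG_INFORMATIONAL = 5
PAYLOAD_NOTIFY = 11

EXCHANGE_NAMES = {1: "Base", 2: "Identity Protection", 3: "Authentication Only",
                  4: "Aggressive", 5: "Informational"}
PAYLOAD_NAMES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
NOTIFY_NAMES = {1: "INVALID-PAYLOAD-TYPE", 2: "DOI-NOT-SUPPORTED", 3: "SITUATION-NOT-SUPPORTED",
                4: "INVALID-COOKIE", 5: "INVALID-MAJOR-VERSION", 6: "INVALID-MINOR-VERSION",
                7: "INVALID-EXCHANGE-TYPE", 8: "INVALID-FLAGS", 9: "INVALID-MESSAGE-ID",
                10: "INVALID-PROTOCOL-ID", 11: "INVALID-SPI", 12: "INVALID-TRANSFORM-ID",
                13: "ATTRIBUTES-NOT-SUPPORTED", 14: "NO-PROPOSAL-CHOSEN",
                15: "BAD-PROPOSAL-SYNTAX", 16: "PAYLOAD-MALFORMED",
                17: "INVALID-KEY-INFORMATION", 18: "INVALID-ID-INFORMATION",
                19: "INVALID-CERT-ENCODING", 20: "INVALID-CERTIFICATE",
                21: "CERT-TYPE-UNSUPPORTED", 22: "INVALID-CERT-AUTHORITY",
                23: "INVALID-HASH-INFORMATION", 24: "AUTHENTICATION-FAILED",
                25: "INVALID-SIGNATURE", 26: "ADDRESS-NOTIFICATION",
                27: "NOTIFY-SA-LIFETIME", 28: "CERTIFICATE-UNAVAILABLE",
                29: "UNSUPPORTED-EXCHANGE-TYPE", 30: "UNEQUAL-PAYLOAD-LENGTHS",
                16384: "CONNECTED"}


def parse_header(pkt):
    """Return the fixed 28-byte ISAKMP header as a dict; reject length mismatches."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    ic, rc, np, ver, xchg, flags, msgid, length = HEADER.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError(f"header length {length} != datagram length {len(pkt)}")
    return {"icookie": ic, "rcookie": rc, "next_payload": np,
            "version": (ver >> 4, ver & 0xF), "exchange_type": xchg,
            "flags": flags, "message_id": msgid, "length": length}


def parse_payloads(pkt):
    """Walk the payload chain after the header; decode Notify payloads fully."""
    hdr = parse_header(pkt)
    payloads, ptype, off = [], hdr["next_payload"], HEADER.size
    while ptype != 0:
        if off + PAYLOAD_HDR.size > len(pkt):
            raise ValueError("truncated payload header")
        nxt, _res, plen = PAYLOAD_HDR.unpack_from(pkt, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(pkt):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        body = pkt[off + PAYLOAD_HDR.size: off + plen]
        entry = {"type": ptype, "name": PAYLOAD_NAMES.get(ptype, "?"), "raw": body}
        if ptype == PAYLOAD_NOTIFY:
            doi, proto, spi_size, ntype = NOTIFY_HDR.unpack_from(body)
            entry.update(doi=doi, protocol_id=proto,
                         spi=body[NOTIFY_HDR.size: NOTIFY_HDR.size + spi_size],
                         notify_type=ntype, notify_name=NOTIFY_NAMES.get(ntype, "?"),
                         data=body[NOTIFY_HDR.size + spi_size:])
        payloads.append(entry)
        ptype, off = nxt, off + plen
    return payloads


def is_encrypted(pkt):
    """True when the Encryption bit of the header flags byte is set."""
    return bool(parse_header(pkt)["flags"] & FLAG_ENCRYPTION)


def pluto_verdict(pkt):
    """Hypothetical restatement of the check behind pluto's log line: an
    Informational exchange for an existing state must arrive encrypted.
    Returns (accepted, reason)."""
    hdr = parse_header(pkt)
    if hdr["exchange_type"] == XCHG_INFORMATIONAL and not hdr["flags"] & FLAG_ENCRYPTION:
        return False, "Informational Exchange message must be encrypted"
    return True, "ok"


if __name__ == "__main__":
    h = parse_header(PACKET)
    print(f"exchange {h['exchange_type']} ({EXCHANGE_NAMES[h['exchange_type']]}), "
          f"flags 0x{h['flags']:02x}, encrypted={is_encrypted(PACKET)}")
    for p in parse_payloads(PACKET):
        if p["type"] == PAYLOAD_NOTIFY:
            print(f"Notify: DOI {p['doi']}, proto {p['protocol_id']}, "
                  f"type {p['notify_type']} ({p['notify_name']}), "
                  f"{len(p['data'])} bytes of data: {p['data'].hex()}")
    print(pluto_verdict(PACKET))
```

Run it as-is to see the decoded header and the single Notify payload; to check a different capture, replace PACKET with the hex from your own "*received N bytes" block. The length checks in `parse_header` and `parse_payloads` are there so a truncated or malformed dump raises instead of silently mis-decoding.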