[strongSwan] Connection to Cisco VPN

Peter Albrecht albrecht at opensourceservices.de
Wed Apr 27 11:47:46 CEST 2011


Hello,

I'm new to this list, so please forgive me if such a case has already been 
discussed (I didn't find a thread in the archive).

I need to set up a connection from a Linux server running StrongSwan 4.3.4 
to a Cisco VPN router (if you need the exact model, I can figure that 
out). The setup is this:

internal         Linux server       Hardware      Cisco VPN      Remote
network     <--> (StrongSwan)  <--> router   <--> router    <--> network
192.168.0.0      192.168.5.101      (to ISP)
                 192.168.0.99

The remote (Cisco) admin provided the following parameters to use:

IKE Phase 1 :
- Main Mode
- Authentication : PreShared
- Encryption : AES - 256Bit
- Hashing : SHA
- Diffie-Hellman Group : group2
- Lifetime : 8 hours

IPSEC Phase 2 :
- Encryption : AES - 256 Bit
- Hashing : SHA
- PFS : group2
- Lifetime : 1 hour

NAT traversal has to be activated

This is my /etc/ipsec.conf:

##########################################
# /etc/ipsec.conf
#
config setup
        interfaces=%defaultroute
        nat_traversal=yes
        plutodebug=all
        klipsdebug=all

conn whatever
        type=tunnel
        authby=secret
        auto=start
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        ikelifetime=8h
        pfs=yes
        pfsgroup="modp1024"
        keylife=3600
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        right=<ip-of-cisco>
        rightsubnet=<ip-of-remote-network>

When I start strongSwan, I see the following messages in the log file (the 
interfaces tun0, tun1, tun2 are created by OpenVPN connections, but I 
assume that should not cause any problems with strongSwan, correct?):

charon: 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.4)
charon: 01[KNL] listening on interfaces:
charon: 01[KNL]   eth0
charon: 01[KNL]     192.168.0.99
charon: 01[KNL]     fe80::210:18ff:fe55:10c6
charon: 01[KNL]   eth1
charon: 01[KNL]     192.168.5.101
charon: 01[KNL]     fe80::226:b9ff:fe67:9d46
charon: 01[KNL]   tun1
charon: 01[KNL]     192.168.254.10
charon: 01[KNL]   tun2
charon: 01[KNL]     192.168.254.2
charon: 01[KNL]   tun0
charon: 01[KNL]     192.168.254.6
...
charon: 01[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 01[CFG]   loaded IKE secret for 192.168.5.101 <ip-of-cisco>
charon: 01[DMN] loaded plugins: curl ldap aes des sha1 sha2 md5 fips-prf 
random x509 pubkey openssl gcrypt xcbc hmac gmp kernel-netlink stroke 
updown attr resolv-conf
charon: 01[JOB] spawning 16 worker threads
charon: 04[CFG] received stroke: add connection 'whatever'
charon: 04[CFG] added configuration 'whatever'
pluto[6202]: |
pluto[6202]: | *received whack message
pluto[6202]: | from whack: got --esp=aes256-sha1-modp1024;modp1024
pluto[6202]: | esp alg added: AES_CBC_256/HMAC_SHA1, cnt=1
pluto[6202]: | esp proposal: AES_CBC_256/HMAC_SHA1, ; pfsgroup=MODP_1024;
pluto[6202]: | from whack: got --ike=aes256-sha-modp1024
pluto[6202]: | ikg alg added: AES_CBC_256/HMAC_SHA1/MODP_1024, cnt=1
pluto[6202]: | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024,
pluto[6202]: added connection description "whatever"
pluto[6202]: |
192.168.0.0/24===192.168.5.101---192.168.5.1...<ip-of-cisco>===<network>
pluto[6202]: | ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS
pluto[6202]: | next event EVENT_REINIT_SECRET in 3600 seconds
pluto[6202]: |
pluto[6202]: | *received whack message
pluto[6202]: | creating state object #1 at 0x80edb88
pluto[6202]: | ICOOKIE:  9c 27 60 bc  a2 ba 5d fa
pluto[6202]: | RCOOKIE:  00 00 00 00  00 00 00 00
pluto[6202]: | peer:  91 fd f5 c4
pluto[6202]: | state hash entry 3
pluto[6202]: | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for 
#1
pluto[6202]: | Queuing pending Quick Mode with <ip-of-cisco> "whatever"
pluto[6202]: "whatever" #1: initiating Main Mode
pluto[6202]: | **emit ISAKMP Message:
...
pluto[6202]: "whatever" #3: max number of retransmissions (2) reached 
STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE 
message


The Cisco admin told me he sees connection tries using "aggressive mode" 
(which is disabled on their side) but my log file shows "main mode".

Any ideas what could be the reason that the connection is not established?

If you need any more information, please let me know.

Thanks,

Peter
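As an added example (not part of Peter's post, and not strongSwan code), the following Python script does the two checks a reader would want to run on the configuration and log shown above: it parses the `conn` block of ipsec.conf, normalises the `ike=`/`esp=` proposal strings (strongSwan accepts `sha` as shorthand for `sha1`) and lifetimes, and compares them against the parameter list the Cisco admin supplied; it then scans pluto's log lines to report which IKEv1 phase-1 mode the local side actually initiated and whether it timed out in its first state. The sample config and log lines are constructed from the post, and the function names (`parse_ipsec_conf`, `check_conn`, `summarise_phase1`) and the `PEER_REQUIREMENTS` dictionary are my own assumptions, not strongSwan APIs.

```python
import re

# Constructed sample: the conn block from the post, placeholders kept as-is.
SAMPLE_IPSEC_CONF = """\
config setup
        interfaces=%defaultroute
        nat_traversal=yes

conn whatever
        type=tunnel
        authby=secret
        auto=start
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        ikelifetime=8h
        pfs=yes
        pfsgroup="modp1024"
        keylife=3600
        left=%defaultroute
        leftsubnet=192.168.0.0/24
        right=<ip-of-cisco>
        rightsubnet=<ip-of-remote-network>
"""

# The remote admin's parameter list, expressed in ipsec.conf vocabulary
# (assumed mapping: "SHA" -> sha1, "group2" -> modp1024).
PEER_REQUIREMENTS = {
    "ike": ("aes256", "sha1", "modp1024"),   # phase 1: AES-256, SHA, DH group 2
    "esp": ("aes256", "sha1", "modp1024"),   # phase 2: AES-256, SHA, PFS group 2
    "ikelifetime": 8 * 3600,                 # 8 hours
    "keylife": 3600,                         # 1 hour
    "authby": "secret",                      # pre-shared key
    "nat_traversal": "yes",
}

# Constructed from the pluto lines quoted in the post.
LOG_LINES = [
    'pluto[6202]: "whatever" #1: initiating Main Mode',
    'pluto[6202]: "whatever" #3: max number of retransmissions (2) reached '
    'STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message',
]

ALIASES = {"sha": "sha1"}  # strongSwan treats "sha" as sha1 in proposal strings
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ipsec_conf(text):
    """Return {"<kind> <name>": {key: value}} for every config/conn section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                  # unindented line starts a section
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')   # tolerate quoted values
    return sections


def parse_proposal(value):
    """Split 'aes256-sha-modp1024' into (enc, integ, dh); only the first proposal is used."""
    parts = value.split(",")[0].split("-")
    if len(parts) < 2:
        raise ValueError(f"proposal too short: {value!r}")
    enc, integ = parts[0], ALIASES.get(parts[1], parts[1])
    dh = parts[2] if len(parts) > 2 else None
    return enc, integ, dh


def parse_lifetime(value):
    """ipsec.conf lifetimes are bare seconds or a number with an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad lifetime: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def check_conn(conf, required, conn_name="whatever"):
    """Return a list of mismatches between the conn and the peer's stated parameters."""
    conn, setup, problems = conf[f"conn {conn_name}"], conf.get("config setup", {}), []
    for field in ("ike", "esp"):
        got = parse_proposal(conn[field])
        if got != required[field]:
            problems.append(f"{field}: have {got}, peer wants {required[field]}")
    for field in ("ikelifetime", "keylife"):
        got = parse_lifetime(conn[field])
        if got != required[field]:
            problems.append(f"{field}: have {got}s, peer wants {required[field]}s")
    if conn.get("authby") != required["authby"]:
        problems.append(f"authby: have {conn.get('authby')}, peer wants {required['authby']}")
    if setup.get("nat_traversal") != required["nat_traversal"]:
        problems.append("nat_traversal is not enabled in config setup")
    # pfsgroup repeats the DH group already carried by esp=; flag it if the two disagree
    pfs = conn.get("pfsgroup")
    if pfs and pfs != parse_proposal(conn["esp"])[2]:
        problems.append(f"pfsgroup={pfs} disagrees with the DH group in esp=")
    return problems


def summarise_phase1(log_lines):
    """Report the IKEv1 phase-1 mode pluto initiated and whether it gave up in state 1."""
    mode, timed_out = None, False
    for line in log_lines:
        m = re.search(r"initiating (Main|Aggressive) Mode", line)
        if m:
            mode = m.group(1)
        if "max number of retransmissions" in line and re.search(r"STATE_(MAIN|AGGR)_I1", line):
            timed_out = True
    return {"mode": mode, "timed_out": timed_out}


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    print("config mismatches:", check_conn(conf, PEER_REQUIREMENTS) or "none")
    print("phase 1:", summarise_phase1(LOG_LINES))
```

Run against the post's own config the script reports no mismatch and a Main Mode initiation that never got a reply, which is what makes the "aggressive mode" report from the Cisco side worth checking against packet captures on both ends rather than against the proposal settings.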
