[strongSwan] road warrior setup to Cisco 3000 with certificates

John Serink jserink2004 at yahoo.com
Mon Aug 8 18:34:25 CEST 2011


Hi All:

I have managed to convert my IIS-produced certificate into a private key and cert that strongSwan can read. The ipsec listcerts command shows all the right stuff and there are no errors in the logs. My XAUTH details and key are loaded correctly:

Aug 08 23:41:42 [pluto] loading secrets from "/etc/ipsec.secrets"
Aug 08 23:41:42 [pluto] |   file content is not binary ASN.1
Aug 08 23:41:42 [pluto] |   -----BEGIN RSA PRIVATE KEY-----
Aug 08 23:41:42 [pluto] |   -----END RSA PRIVATE KEY-----
Aug 08 23:41:42 [pluto] | L0 - RSAPrivateKey:
Aug 08 23:41:42 [pluto] | L1 - version:
Aug 08 23:41:42 [pluto] | L1 - modulus:
Aug 08 23:41:42 [pluto] | L1 - publicExponent:
Aug 08 23:41:42 [pluto] | L1 - privateExponent:
Aug 08 23:41:42 [pluto] | L1 - prime1:
Aug 08 23:41:42 [pluto] | L1 - prime2:
Aug 08 23:41:42 [pluto] | L1 - exponent1:
Aug 08 23:41:42 [pluto] | L1 - exponent2:
Aug 08 23:41:42 [pluto] | L1 - coefficient:
Aug 08 23:41:42 [pluto] | no events, waiting
Aug 08 23:41:42 [pluto] | started worker thread, ID: 2
Aug 08 23:41:42 [pluto] | started worker thread, ID: 4
Aug 08 23:41:42 [pluto] loaded private key from 'server.key'
Aug 08 23:41:42 [pluto] loaded PSK secret for 203.125.87.10 %any
Aug 08 23:41:42 [pluto] loaded XAUTH secret for jserink
Aug 08 23:41:42 [pluto] |   file content is not binary ASN.1
Aug 08 23:41:42 [pluto] |   -----BEGIN CERTIFICATE-----
Aug 08 23:41:42 [pluto] |   -----END CERTIFICATE-----
Aug 08 23:41:42 [pluto] | L0 - x509:
Aug 08 23:41:42 [pluto] | => 1430 bytes @ 0x6c1160

Here is the problem:

Aug 08 23:41:42 [pluto] "christchurch" #1: initiating Main Mode
Aug 08 23:41:42 [pluto] "christchurch" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 08 23:41:42 [pluto] "christchurch" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Aug 08 23:41:42 [pluto] "christchurch" #1: enabling possible NAT-traversal with method RFC 3947
Aug 08 23:41:42 [pluto] | size of DH secret exponent: 1023 bits
Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [Cisco-Unity]
Aug 08 23:41:43 [pluto] "christchurch" #1: received Vendor ID payload [XAUTH]
Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [158867397dfb61746cb65f98dacfb308]
Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 08 23:41:43 [pluto] "christchurch" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Aug 08 23:41:43 [pluto] "christchurch" #1: we have a cert and are sending it 
Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Delete SA payload: ISAKMP SA not established
Aug 08 23:42:53 [pluto] "christchurch" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Aug 08 23:42:53 [pluto] "christchurch" #1: starting keying attempt 2 of at most 3
Aug 08 23:42:53 [pluto] "christchurch" #2: initiating Main Mode to replace #1
Aug 08 23:42:53 [pluto] "christchurch" #2: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 08 23:42:53 [pluto] "christchurch" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Aug 08 23:42:53 [pluto] "christchurch" #2: enabling possible NAT-traversal with method RFC 3947
Aug 08 23:42:53 [pluto] | size of DH secret exponent: 1023 bits
Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Vendor ID payload [Cisco-Unity]
Aug 08 23:42:54 [pluto] "christchurch" #2: received Vendor ID payload [XAUTH]
Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Vendor ID payload [840b1be9362ecc407091722bda4f36be]
Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 08 23:42:54 [pluto] "christchurch" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Aug 08 23:42:54 [pluto] "christchurch" #2: we have a cert and are sending it 
Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Delete SA payload: ISAKMP SA not established
Aug 08 23:44:04 [pluto] "christchurch" #2: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Aug 08 23:44:04 [pluto] "christchurch" #2: starting keying attempt 3 of at most 3
Aug 08 23:44:04 [pluto] "christchurch" #3: initiating Main Mode to replace #2
Aug 08 23:44:04 [pluto] "christchurch" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Aug 08 23:44:04 [pluto] "christchurch" #3: enabling possible NAT-traversal with method RFC 3947
Aug 08 23:44:04 [pluto] | size of DH secret exponent: 1023 bits
Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [Cisco-Unity]
Aug 08 23:44:04 [pluto] "christchurch" #3: received Vendor ID payload [XAUTH]
Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [2c3ae4fef14c0b8e6faa7eb376a79007]
Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 08 23:44:04 [pluto] "christchurch" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Aug 08 23:44:04 [pluto] "christchurch" #3: we have a cert and are sending it 
Aug 08 23:44:05 [pluto] "christchurch" #3: ignoring Delete SA payload: ISAKMP SA not established
Aug 08 23:45:14 [pluto] "christchurch" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message


So, I'm scratching my head here.

Anyone have any clues on this? I'm not able to see the logs on the Cisco 3000, as our IS officially supports only the Cisco VPN client on Windows. I have used the console-based one for Linux and it works, but it puts the entire machine inside the IPsec network, which is what I don't want. I only want traffic destined for the network on the VPN to go there, and everything else out the default route.

Any ideas on how to get past this last error?

Cheers,
John
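The Main Mode failure above, as an added example that is not part of the original post or of strongSwan: a small Python triage script that groups pluto log lines by ISAKMP SA number (the "#1", "#2" tags), records what each keying attempt negotiated (vendor IDs, NAT-T result, whether a cert was sent, whether the peer sent a Delete before the SA was up) and reports the state the initiator was stuck in when retransmissions ran out. The STATE_MAIN_I* descriptions are pluto's IKEv1 Main Mode initiator states; the sample log is copied from the post; the closing verdict is this example's own heuristic reading of the log, not a strongSwan diagnostic.

```python
"""Triage of strongSwan/pluto IKEv1 Main Mode logs (added example, not strongSwan code)."""
import re
from collections import OrderedDict

# pluto initiator states in IKEv1 Main Mode: what was sent, what is awaited
MAIN_MODE_STATES = {
    "STATE_MAIN_I1": "sent message 1 (SA proposal), awaiting message 2",
    "STATE_MAIN_I2": "sent message 3 (KE, nonce), awaiting message 4",
    "STATE_MAIN_I3": "sent message 5 (ID, CERT, SIG; first encrypted message), "
                     "awaiting message 6 (peer ID and authentication)",
    "STATE_MAIN_I4": "Main Mode established",
}

LINE_RE = re.compile(r'^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[pluto\] '
                     r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')
VID_RE = re.compile(r'(?:received|ignoring) Vendor ID payload \[(.+)\]')


def parse_pluto(lines):
    """Group pluto lines by ISAKMP SA number; debug lines ('| ...') are skipped."""
    attempts = OrderedDict()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        a = attempts.setdefault(int(m.group("sa")), {
            "conn": m.group("conn"), "vendor_ids": [], "nat": None, "cert_sent": False,
            "delete_before_established": False, "failed_state": None, "retransmits": None,
        })
        msg = m.group("msg")
        v = VID_RE.search(msg)
        if v:
            a["vendor_ids"].append(v.group(1))
        if "NAT-Traversal: Result" in msg:
            a["nat"] = msg.split(": ")[-1]          # e.g. "i am NATed"
        if "we have a cert and are sending it" in msg:
            a["cert_sent"] = True
        if "ignoring Delete SA payload: ISAKMP SA not established" in msg:
            a["delete_before_established"] = True
        r = RETRANS_RE.search(msg)
        if r:
            a["retransmits"], a["failed_state"] = int(r.group(1)), r.group(2)
    return attempts


def triage(attempts):
    """Return (per-attempt summary lines, verdict). The verdict is a heuristic."""
    out, failed = [], set()
    for sa, a in attempts.items():
        peer = next((v for v in a["vendor_ids"] if "Cisco" in v), "unknown peer")
        st = a["failed_state"]
        out.append(f'#{sa} {a["conn"]}: peer={peer}; nat={a["nat"]}; cert_sent={a["cert_sent"]}; '
                   f'delete_before_established={a["delete_before_established"]}; '
                   f'stuck_in={st} ({MAIN_MODE_STATES.get(st, "n/a")})')
        if st:
            failed.add(st)
    if failed == {"STATE_MAIN_I3"} and all(a["cert_sent"] for a in attempts.values()):
        verdict = ("every attempt died after message 5: the responder got our ID/CERT/SIG and never "
                   "sent message 6, so how it authenticates our cert and ID is the first thing to check")
    elif failed:
        verdict = "stalled in " + ", ".join(sorted(failed))
    else:
        verdict = "no retransmission failure found"
    return out, verdict


# Sample input: lines copied from the post above (attempts #2 and #3 abbreviated).
SAMPLE_LOG = """\
Aug 08 23:41:42 [pluto] "christchurch" #1: initiating Main Mode
Aug 08 23:41:42 [pluto] "christchurch" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Aug 08 23:41:42 [pluto] "christchurch" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Aug 08 23:41:42 [pluto] "christchurch" #1: enabling possible NAT-traversal with method RFC 3947
Aug 08 23:41:42 [pluto] | size of DH secret exponent: 1023 bits
Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [Cisco-Unity]
Aug 08 23:41:43 [pluto] "christchurch" #1: received Vendor ID payload [XAUTH]
Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 08 23:41:43 [pluto] "christchurch" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Aug 08 23:41:43 [pluto] "christchurch" #1: we have a cert and are sending it
Aug 08 23:41:43 [pluto] "christchurch" #1: ignoring Delete SA payload: ISAKMP SA not established
Aug 08 23:42:53 [pluto] "christchurch" #1: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Aug 08 23:42:53 [pluto] "christchurch" #2: initiating Main Mode to replace #1
Aug 08 23:42:54 [pluto] "christchurch" #2: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 08 23:42:54 [pluto] "christchurch" #2: we have a cert and are sending it
Aug 08 23:44:04 [pluto] "christchurch" #2: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Aug 08 23:44:04 [pluto] "christchurch" #3: initiating Main Mode to replace #2
Aug 08 23:44:04 [pluto] "christchurch" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 08 23:44:04 [pluto] "christchurch" #3: we have a cert and are sending it
Aug 08 23:45:14 [pluto] "christchurch" #3: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
"""

if __name__ == "__main__":
    summary, verdict = triage(parse_pluto(SAMPLE_LOG.splitlines()))
    print("\n".join(summary))
    print("verdict:", verdict)
```

Feed it a real pluto log with `python3 triage.py < /var/log/auth.log` style plumbing by replacing SAMPLE_LOG with `sys.stdin`; the point of grouping by SA number is that three "keying attempts" failing at the same state is a deterministic rejection by the peer rather than packet loss, which is what a retransmission timeout would otherwise suggest.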
