[strongSwan] Cisco brings up the tunnel, but Linux not --- AH only

Zoltan zlt at freemail.hu
Tue May 17 17:31:13 CEST 2011


Hi Everyone,

The IPSEC traffic works fine between my strongSwan gateway
(and my clients) and the Cisco gateway/clients on the other side.
However, I cannot fully initiate it. It stops:

002 "vtest" #1: initiating Main Mode
104 "vtest" #1: STATE_MAIN_I1: initiate
106 "vtest" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vtest" #1: ignoring Vendor ID payload [Cisco-Unity]
003 "vtest" #1: received Vendor ID payload [Dead Peer Detection]
003 "vtest" #1: ignoring Vendor ID payload [b1d915cbf5b7575752babd9fbc1f897a]
003 "vtest" #1: received Vendor ID payload [XAUTH]
108 "vtest" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vtest" #1: Peer ID is ID_IPV4_ADDR: 'XXXa.b.c.dXXX'
002 "vtest" #1: ISAKMP SA established
004 "vtest" #1: STATE_MAIN_I4: ISAKMP SA established
002 "vtest" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
112 "vtest" #2: STATE_QUICK_I1: initiate
010 "vtest" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
...
010 "vtest" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "vtest" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "vtest" #2: starting keying attempt 2 of at most 3, but releasing whack

===
My config works fine if the other-side Cisco gateway (or its clients)
initiates the traffic. My ipsec.conf is very simple (no NAT).

What is strange for me is that on a router of our company I see
only AH packets, but no ESP, when the tunnel works fine
(after some UDP 500 IKE traffic, of course).

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        charonstart=yes
        plutostart=yes
        charondebug=all
        ##plutodebug="controlmore natt parsing private"
        plutodebug=all

conn vtest
        auto=add
        keyexchange=ikev1
        authby=psk
        ##auth=ah
        #
        left=M.N.O.125
        leftsubnet=M.N.O.96/27
        #
        right=XXXa.b.c.dXXX
        rightsubnet=10.14.140.0/24
        #
        ike=3des-md5-modp1024!
        esp=3des-md5!
        ikelifetime=86400
        pfs=no

Can you help me to understand what happens?
(Omitting the strict !s from the config doesn't help.)
Regards,
Zoltan
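A small triage script for pluto output like the one quoted above (an added example, not part of Zoltan's post or of strongSwan itself): it groups lines by SA number, records the last STATE_ reached, counts retransmissions and reports which phase stalled, which separates an ISAKMP (Main Mode) failure from a Quick Mode proposal mismatch like the one here. The sample log is constructed from the lines in the post; the line format and phase names are assumptions about pluto's output.

```python
import re
from collections import OrderedDict

# Constructed sample in the same format as the pluto output quoted in the post.
SAMPLE_LOG = """\
002 "vtest" #1: initiating Main Mode
104 "vtest" #1: STATE_MAIN_I1: initiate
108 "vtest" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vtest" #1: STATE_MAIN_I4: ISAKMP SA established
002 "vtest" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
112 "vtest" #2: STATE_QUICK_I1: initiate
010 "vtest" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "vtest" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "vtest" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Assumed line shape: <3-digit code> "<conn>" #<sa>: <message>
LINE_RE = re.compile(r'^(\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
STATE_RE = re.compile(r'\b(STATE_[A-Z0-9_]+)\b')

def triage(log_text):
    """Per SA number: connection name, last state seen, retransmission count, failure text, phase."""
    sas = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto status line
        sa = int(m.group("sa"))
        rec = sas.setdefault(sa, {"conn": m.group("conn"), "last_state": None,
                                  "retransmissions": 0, "failure": None, "phase": None})
        msg = m.group("msg")
        st = STATE_RE.search(msg)
        if st:
            rec["last_state"] = st.group(1)
            # MAIN_* states belong to ISAKMP negotiation, QUICK_* to the IPsec SA
            rec["phase"] = "IKE (Main Mode)" if "MAIN" in st.group(1) else "IPsec SA (Quick Mode)"
        if "retransmission;" in msg:
            rec["retransmissions"] += 1
        if "max number of retransmissions" in msg:
            rec["failure"] = msg  # keep pluto's own explanation, e.g. "peer likes no proposal"
    return sas

def stalled_phase(log_text):
    """Name the phase of the first SA that gave up, or None if nothing failed."""
    for rec in triage(log_text).values():
        if rec["failure"] is not None:
            return rec["phase"]
    return None

if __name__ == "__main__":
    for sa, rec in triage(SAMPLE_LOG).items():
        print(f'#{sa} {rec["conn"]}: {rec["last_state"]} retransmissions={rec["retransmissions"]}')
    print("stalled in:", stalled_phase(SAMPLE_LOG))
```

On the log in the post the ISAKMP SA (#1) completes and #2 stalls in Quick Mode, which points at the phase 2 proposal (esp=/ah= and subnets) rather than at the IKE settings.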