[strongSwan] strongswan to cisco router IPSEC problem

Germano Veit Michel germanovmichel at aim.com
Mon Jun 11 13:58:20 CEST 2012


Try using "hash sha" in the isakmp policy section.


Germano Veit Michel
germanovmichel at aim.com

-----Original Message-----
From: mohsen atiq <mohsen_atigh2000 at yahoo.com>
To: users <users at lists.strongswan.org>
Sent: Fri, Jun 8, 2012 6:16 pm
Subject: [strongSwan] strongswan to cisco router IPSEC problem

Hi

I have a Cisco router and a Linux box and I want an IPsec connection between them.
My Linux IPsec configuration is:

config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=yes


conn test1
        left=192.168.40.2
        leftsubnet=192.168.20.0/24
        right=192.168.40.20
        rightsubnet=192.168.1.0/24
        pfs=no
        authby=psk
        type=tunnel
        auth=esp
        auto=start
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        dpddelay=10s
        dpdaction=restart
        keyexchange=ikev1


And my Cisco router configuration is:



crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 123456 address 192.168.40.2
!
!
crypto ipsec transform-set 40.2 esp-aes 256 esp-sha-hmac
!
crypto map test-40.2 1 ipsec-isakmp
 set peer 192.168.40.2
 set transform-set 40.2
 match address 115
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
 !
!
interface FastEthernet1/0
 ip address 192.168.40.20 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map test-40.2
 !
!
interface FastEthernet1/1
 ip address 192.168.1.10 255.255.255.0
 no ip route-cache cef

access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255


When I start strongSwan and enable Cisco IPsec debug, I get the following error on my Cisco router:


*Jun  3 22:10:50.259: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
    {esp-aes 256 esp-sha-hmac }
*Jun  3 22:10:50.263: ISAKMP:(1028): IPSec policy invalidated proposal with error 256
*Jun  3 22:10:50.263: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 192.168.40.20 remote 192.168.40.2)
*Jun  3 22:10:50.267: ISAKMP:(1028):deleting node -1251133401 error TRUE reason "QM rejected"
 

Thanks for your help


  





 
 
  
 