[strongSwan] Cannot do IKEv1/PSK Main Mode in Cisco ASA 5510
edk
edk at cendatsys.com
Mon Oct 1 16:09:11 CEST 2012
We did run into a problem with DH group -- they were using Group 1 and
we had to change it to Group 2.
Here's my config, we're using ipsec v4.4.1 so I have pluto running, but
we have a connection and a GRE tunnel:
config setup
    plutodebug=control
    #plutodebug=all
    plutostart=yes
    charondebug=control
    charonstart=no
    klipsdebug=all

conn %default
    ikelifetime=86400s
    keylife=3600s
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-md5-modp1024
    esp=3des-md5
    pfs=no
    type=tunnel
I setup the %default because we need to go to multiple subnets on the
remote side (we don't have access to that router). The connections are:
conn cdl-gre
    right=74.125.225.81
    rightsubnet=10.50.254.1/32
    rightprotoport=47/0
    left=%defaultroute
    #left=169.207.1.3
    leftsubnet=10.50.0.42/32
    leftsourceip=10.50.0.42
    leftprotoport=47/0
    leftfirewall=yes
    auto=start

conn cdl-00
    right=74.125.225.81
    rightsubnet=10.31.70.0/24
    left=%defaultroute
    leftsubnet=10.50.42.0/24
    auto=start

conn cdl-01
    right=74.125.225.81
    rightsubnet=10.31.71.0/24
    left=%defaultroute
    leftsubnet=10.50.42.0/24
    auto=start

conn cdl-02
    right=74.125.225.81
    rightsubnet=10.31.172.0/24
    left=%defaultroute
    leftsubnet=10.50.42.0/24
    auto=start

conn cme-03
    right=74.125.225.81
    rightsubnet=10.31.173.0/24
    left=%defaultroute
    leftsubnet=10.50.42.0/24
    auto=start
We're doing PSK, so in the ipsec.security we have:
169.207.1.3 74.125.225.81 : PSK "xxxPasswordHerexxx"
The config on the Cisco side that they sent us is:
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
!
crypto ipsec transform-set cdlvpn esp-3des esp-md5-hmac
!
!
crypto isakmp key xxxPasswordHerexxx address 169.207.1.3
!
crypto map cmevpn 47 ipsec-isakmp
 description CustomerData LLC (CERT01-1805)
 set peer 169.207.1.3
 set transform-set cdlvpn
 match address CERT01-1805
!
!
ip access-list extended CERT01-1805
 permit ip 10.31.70.0 0.0.0.255 10.50.42.0 0.0.0.255
 permit ip 10.31.71.0 0.0.0.255 10.50.42.0 0.0.0.255
 permit ip 10.31.172.0 0.0.0.255 10.50.42.0 0.0.0.255
 permit ip 10.31.173.0 0.0.0.255 10.50.42.0 0.0.0.255
 permit gre host 10.50.254.1 host 10.50.0.42
!
!
On 09/28/2012 06:31 AM, Neeraj Sharma wrote:
> btw I am using StrongSwan 5.0.0
>
> -Neeraj
>
> ------------------------------------------------------------------------
> From: kaju09 at live.in
> To: edk at cendatsys.com; users at lists.strongswan.org
> Date: Fri, 28 Sep 2012 16:58:53 +0530
> Subject: Re: [strongSwan] Cannot do IKEv1/PSK Main Mode in Cisco ASA 5510
>
> # ipsec.conf
>
> config setup
>     charondebug="dmn 1"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>     aggressive=no
>     type=tunnel
>     dpdaction=clear
>     dpddelay=60s
>
>
> conn home
>     left=%defaultroute
>     xauth_identity=user
>     leftid=@CiscoPSKCxnProfile
>     xauth = client
>     leftsourceip = %config
>     leftauth=psk
>     leftauth2=xauth
>     leftfirewall=no
>     right=111.222.333.444
>     rightsubnet=192.168.0.0/16
>     rightauth=psk
>     ike=aes-sha-modp1024
>     esp=aes-sha1-modp1024
>     auto=start
>
>
> # the ipsec.secrets has the corresponding PSK and password for user
>
> Do let me know if you see any issues.
>
> -Neeraj
>
> ------------------------------------------------------------------------
> Subject: Re: [strongSwan] Cannot do IKEv1/PSK Main Mode in Cisco ASA 5510
> From: edk at cendatsys.com
> Date: Thu, 27 Sep 2012 08:53:40 -0500
> To: kaju09 at live.in; users at lists.strongswan.org
>
> I just went through this same problem -- still struggling with routing
> but seem to have the connection.
>
> What's the Cisco config and your ipsec.conf?
>
> Neeraj Sharma <kaju09 at live.in> wrote:
>
> I tried doing this a couple of times and did succeed with
> configuring a StrongSwan client connecting to a Cisco ASA 5510 in
> IKEv1/PSK Main Mode. What works at present is the IKEv1/PSK
> Aggressive mode.
>
> I am no Cisco expert, so it's possible (pointed out by endre that it
> works as well over freenode #strongswan) that I am missing a Cisco
> ASA config. Any pointers (doc, etc) will be of great help.
>
> Thanks,
> Neeraj
>
> ------------------------------------------------------------------------
>
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
>
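The DH group mismatch reported at the top of this message (Cisco on Group 1, strongSwan on modp1024 = Group 2) is easy to miss because an IOS "crypto isakmp policy" that omits the "group" line silently uses its default. The following checker is an added example, not code from this thread or from strongSwan: it parses the ike= proposal and the posted policy block and lists phase 1 mismatches. It assumes Cisco IOS defaults (des, sha, group 1) for omitted lines and uses a small constructed keyword table; the sample policy text is the one posted above, with and without a "group 2" line.

```python
# Keyword tables: strongSwan names -> Cisco ISAKMP keywords (subset, constructed for this example)
MODP_TO_CISCO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}
ENC_TO_CISCO = {"3des": "3des", "aes": "aes", "aes128": "aes", "aes256": "aes 256"}
HASH_TO_CISCO = {"md5": "md5", "sha": "sha", "sha1": "sha", "sha256": "sha256"}
# Values IOS applies when a policy line is omitted (assumption: IOS defaults, not ASA defaults)
CISCO_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}

def parse_ike_proposal(ike):
    """Parse the first proposal of a strongSwan ike= value, e.g. '3des-md5-modp1024'."""
    enc, integ, dh = ike.split(",")[0].strip().split("-")
    return {"encr": ENC_TO_CISCO.get(enc, enc), "hash": HASH_TO_CISCO.get(integ, integ),
            "group": str(MODP_TO_CISCO_GROUP.get(dh, dh))}

def parse_cisco_policy(text):
    """Read encr/hash/group from the first 'crypto isakmp policy' block; omitted lines get defaults."""
    policy = dict(CISCO_POLICY_DEFAULTS)
    explicit = set()          # keys that were actually present in the block
    in_block = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("crypto isakmp policy"):
            in_block = True
            continue
        if in_block and (line == "!" or line.startswith("crypto ")):  # end of the policy block
            break
        if in_block:
            key, _, value = line.partition(" ")
            if key in policy:
                policy[key] = value.strip()
                explicit.add(key)
    return policy, explicit

def phase1_mismatches(ike, cisco_text):
    """Return human-readable phase 1 mismatches between ike= and the Cisco policy ([] if aligned)."""
    want = parse_ike_proposal(ike)
    have, explicit = parse_cisco_policy(cisco_text)
    problems = []
    for key in ("encr", "hash", "group"):
        if want[key] != have[key]:
            origin = "explicit" if key in explicit else "IOS default, line omitted"
            problems.append(f"{key}: strongSwan wants {want[key]!r}, Cisco has {have[key]!r} ({origin})")
    return problems

# Constructed sample: the policy as posted (no 'group' line) and the same policy with 'group 2'
POSTED_POLICY = "crypto isakmp policy 1\n encr 3des\n hash md5\n authentication pre-share\n!\n"
FIXED_POLICY = POSTED_POLICY.replace(" authentication pre-share\n", " authentication pre-share\n group 2\n")

if __name__ == "__main__":
    for name, text in (("posted", POSTED_POLICY), ("fixed", FIXED_POLICY)):
        print(name, phase1_mismatches("3des-md5-modp1024", text) or "phase 1 proposals align")
```

Only the first ike= proposal is compared, which is enough for a single-proposal config like the one above.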