[strongSwan] Cisco ASA 5510 (8.4) Interop with StrongSwan 4.5.2 (IKEv2)

Martin Willi martin at strongswan.org
Wed Sep 5 14:07:44 CEST 2012

Hi Neeraj,

> The Cisco ASA is giving some strange errors and what appears to be
> some sort of proprietary IKEv2 (doubtful since people have interop
> with IOS and StrongSwan IKEv2).

Cisco seems to use proprietary IKE fragmentation, we don't support it in

> I did attempt to compare the cisco vpn client logs with strongswan client
> logs and it appears that the cisco vpn client is detected via some custom
> fields and a different path is chosen (looks like some hidden
> authentication method) instead of the usual rsa (authby=rsasig) route.

I'm not used to those ASA logs, and the final log message

> IKEv2-PLAT-1: Failed to set P1 auth to build policy
> IKEv2-PLAT-1: unable to build ikev2 policy
> IKEv2-PROTO-1: (125): Failed to locate an item in the database

is not very helpful, either. I'd say it does not have a
policy/configuration for the received request.

When comparing the log files, there are two fundamental differences:

      * Anyconnect requests a virtual IP using a configuration payload
        exchange, your ipsec.conf does not. You may try to add
        "leftsourceip=%config" to request such an IP.
      * Anyconnect seems to use EAP to authenticate itself against the
        ASA, your ipsec.conf, however, uses a certificate. Try to
        replace "authby=rsasig" with "leftauth=eap" and
        "rightauth=pubkey". This of course requires an appropriate EAP
        module, but the strongSwan log should show you what the ASA is

Having these differences may well explain why the ASA does not have a
policy for the strongSwan request. 

