[strongSwan] Cisco ASA 5510 (8.4) Interop with StrongSwan 4.5.2 (IKEv2)

Neeraj Sharma kaju09 at aol.com
Wed Sep 26 14:28:35 CEST 2012


Hi Martin, I was focusing on IKEv1 xauthrsasig due to constraints in making basic stuff work, but will definitely try to retest IKEv2 at some point next month. Thanks,Neeraj
 > Subject: Re: [strongSwan] Cisco ASA 5510 (8.4) Interop with StrongSwan 4.5.2 (IKEv2)
> From: martin at strongswan.org
> To: kaju09 at aol.com
> CC: users at lists.strongswan.org
> Date: Wed, 5 Sep 2012 14:07:44 +0200
> 
> Hi Neeraj,
> 
> > The Cisco ASA is giving some strange errors and what appears to be
> > some sort of proprietary IKEv2 (doubtful since people have interop
> > with IOS and StrongSwan IKEv2).
> 
> Cisco seems to use proprietary IKE fragmentation, we don't support it in
> strongSwan.
> 
> > I did attempt to compare the cisco vpn client logs with strongswan client
> > logs and it appears that the cisco vpn client is detected via some custom
> > fields and a different path is choosen (looks like some hidden
> > authentication method) instead of the usual rsa (authby=rsasig) route.
> 
> I'm not used to those ASA logs, ad the final log message
> 
> > IKEv2-PLAT-1: Failed to set P1 auth to build policy
> > IKEv2-PLAT-1: unable to build ikev2 policy
> > IKEv2-PROTO-1: (125): Failed to locate an item in the database
> 
> is not very helpful, either. I'd say it does not have a
> policy/configuration for the received request.
> 
> When comparing the log files, there are two fundamental differences:
> 
>       * Anyconnect requests a virtual IP using a configuration payload
>         exchange, your ipsec.conf does not. You may try to add
>         "leftsourceip=%config" to request such an IP.
>       * Anyconnect seems to use EAP to authenticate itself against the
>         ASA, your ipsec.conf, however, uses a certificate. Try to
>         replace "authby=rsasig" with "leftauth=eap" and
>         "rightauth=pubkey". This of course requires an appropriate EAP
>         module, but the strongSwan log should show you what the ASA is
>         requesting.
> 
> Having these differences may well explain why the ASA does not have a
> policy for the strongSwan request. 
> 
> Regards
> Martin
> 
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120926/de50d88d/attachment.html>


More information about the Users mailing list