[strongSwan] Working configuration to connect to an ASA

Noel Kuntze noel at familie-kuntze.de
Thu Apr 25 20:43:12 CEST 2013


Hello,

I got answer packets now, but it fails at parsing the INFORMATIONAL_V1
requests.
The Log is attached.
The output of "ipsec up fh" and the configuration are below.

Regards,
Noel

----------------------------
# ipsec up fh
initiating Main Mode IKE_SA fh[1] to <IP>
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.178.46[500] to <IP>[500]
received packet: from <IP>[500] to 192.168.178.46[500]
parsed ID_PROT response 0 [ SA V V ]
received NAT-T (RFC 3947) vendor ID
received unknown vendor ID:
40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3:c0:00:00:00
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.178.46[500] to <IP>[500]
received packet: from <IP>[500] to 192.168.178.46[500]
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.178.46[4500] to <IP>[4500]
received packet: from <IP>[500] to 192.168.178.46[500]
parsed INFORMATIONAL_V1 request 0 [ N(PLD_MAL) ]
ignoring unprotected INFORMATIONAL from <IP>
message verification failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 0 processing failed
sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.178.46[4500] to <IP>[4500]
received packet: from <IP>[500] to 192.168.178.46[500]
received retransmit of response with ID 0, but next request already sent
-------------------
My config:
-------------------
conn %default
        ikelifetime=60m
        inactivity=30s
        keylife=20m
        rekeymargin=3m
        keyingtries=3  
        keyexchange=ikev2
        esp=aes256-sha512-modp4096,aes256-sha1-modp1024
        ike=aes256-sha512-modp4096,aes256-sha1-modp1024
        tfc=%mtu
        dpdaction=restart
        dpddelay=10
        dpdtimeout=60
        compress=yes
conn fh
        #leftauth=psk
        #leftauth2=xauth
        authby=xauthpsk
        leftgroups=<group>
        keyexchange=ikev1
        aggressive=no
        xauth=client
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        left=192.168.178.46
        right=<fqdn>
        rightid=<id>
        rightsubnet=<subnet>
        auto=route

On 25.04.2013 00:43, Noel Kuntze wrote:
> P.S.: The connection succeeds when I use vpnc to connect. What could
> cause strongSwan to not get a reply?
> Both the psk and my xauth-credentials are in my local ipsec.secrets.
> Here's a part of my config. The last part is the one that matters.
>
> Regards,
> Noel
>
> conn %default
>         ikelifetime=60m
>         inactivity=30s
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=3
>         keyexchange=ikev2
>         esp=aes256-sha512-modp4096,aes256-sha1-modp1024
>         ike=aes256-sha512-modp4096,aes256-sha1-modp1024
>         tfc=%mtu
>         dpdaction=restart
>         dpddelay=10
>         dpdtimeout=60
>         compress=yes
>
> conn fh
> #       leftauth=psk
> #       leftauth2=xauth
>         authby=xauthpsk
>         leftgroups=<a group>
>         keyexchange=ikev1
>         aggressive=yes # Also doesn't work, if set to no
>         xauth=client
>         ike=3des-md5-modp1024 # I just took the oldest cipher supported by the asa
>         esp=3des-md5-modp1024
>         left=192.168.178.46
>         right=<remote fqdn>
>         rightsubnet=<remote subnet>
>         auto=route
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: charon4.log
Type: text/x-log
Size: 171101 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130425/e1dca75f/attachment.bin>
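As an added example (not part of the original post, and not strongSwan's own code), here is a small Python analyser that walks the "ipsec up" output above and flags the two things worth looking at in it: a response arriving from a different port than the one the request was sent to after NAT-T port floating, and notify payloads such as PLD_MAL. The log excerpt is constructed from the lines quoted in the mail, with the peer address left as <IP>.

```python
import re

# Constructed excerpt mirroring the "ipsec up fh" output quoted in the mail;
# the peer is redacted as <IP> exactly as in the original post.
SAMPLE_LOG = """\
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.178.46[500] to <IP>[500]
received packet: from <IP>[500] to 192.168.178.46[500]
parsed ID_PROT response 0 [ SA V V ]
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.178.46[500] to <IP>[500]
received packet: from <IP>[500] to 192.168.178.46[500]
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 192.168.178.46[4500] to <IP>[4500]
received packet: from <IP>[500] to 192.168.178.46[500]
parsed INFORMATIONAL_V1 request 0 [ N(PLD_MAL) ]
ignoring unprotected INFORMATIONAL from <IP>
"""

# "sending packet: from A[port] to B[port]" / "received packet: from B[port] to A[port]"
PKT_RE = re.compile(r"^(sending|received) packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
# "parsed <exchange> <request|response> <id> [ payloads ]"
PARSED_RE = re.compile(r"^parsed (\w+) (request|response) \d+ \[ ([^\]]*)\]")


def analyse(log):
    """Return a list of human-readable findings from a charon IKEv1 exchange log."""
    findings = []
    nat_detected = False
    last_sent_port = None
    for line in log.splitlines():
        if "behind NAT" in line:
            nat_detected = True
        m = PKT_RE.match(line)
        if m:
            direction, _src, sport, _dst, dport = m.groups()
            if direction == "sending":
                last_sent_port = int(dport)
            elif last_sent_port is not None and int(sport) != last_sent_port:
                findings.append(f"response from port {sport} after request to port {last_sent_port}")
            continue
        m = PARSED_RE.match(line)
        if m:
            # Every N(...) payload is a notify; report its type (e.g. PLD_MAL).
            for notify in re.findall(r"N\(([^)]*)\)", m.group(3)):
                findings.append(f"{m.group(1)} {m.group(2)} carries notify {notify}")
    if nat_detected and any("port 500 after request to port 4500" in f for f in findings):
        findings.append("NAT-T port float mismatch: local side moved to 4500 but peer still answers on 500")
    return findings
```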