[strongSwan] Problems with StrongSwan 5.x and Cisco

Izz Abdullah izz.abdullah at wepanow.com
Sun Dec 1 18:22:12 CET 2013

I had some of the same problems you experienced.  I will say with 5.0.4, there are issues with renegotiating (Issue 317 specifically) when a Cisco device is on the other side.  I have since upgraded to 5.1.1 with the patch and am still having the same issue, but have written scripts to get around it for now.
As for the: Tasks Queued: Quick Mode
I also experienced that in 5.1.1 and found out through some help on this list that I needed to add a new parameter, specifically with PIX on the other end, modeconfig=push in my connection details for that specific connection.  Everything else I kept the same.  I now have a successfully established tunnel, I just don't have good routing due to NAT on both ends, but that is a problem I believe I need to correct.
Try the modeconfig parameter in your ipsec.conf in 5.1.1, and look at http://wiki.strongswan.org/issues/317 specifically for an issue with renegotiations in earlier versions.

I hope this info helps some.  Otherwise please do post logs and we all will do our best to assist.


Izz Abdullah
Senior Systems Engineer
800.675.7639 Toll Free


From: Ali Masoudi <masoudi1983 at gmail.com>
Sent: Saturday, November 30, 2013 23:55
To: Matus Straka <straka at ischemaview.com>
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Problems with StrongSwan 5.x and Cisco


If you can post your logs here, that will be helpful.

Best wishes

On Sun, Dec 1, 2013 at 12:37 AM, Matus Straka <straka at ischemaview.com> wrote:

Dear all,

I would like to ask for help/advice with StrongSWAN and Cisco VPN Devices:

We have had a setup with CentOS 6.4 64bit Linux and Strongswan 4.6.4, other sites have Cisco gateways. I was able to configure the VPN tunnels just fine, using the examples on the internet and parameters/PSK provided by our partners.
The setup worked fine for many months, with some occasional glitches (freezing of a tunnel).

Today, I tried to upgrade to StrongSWAN 5.0.4 (packaged in CentOS 6.4 repositories), and ended up with a non-functioning system as described below. I tried then to upgrade to StrongSWAN 5.1.1 built from source, with the same results.
In the end, I downgraded back to StrongSWAN 4.6.4, and the setup works again.

Our problems:
With StrongSWAN 5.0.4 and 5.1.1, upon (re)starting the StrongSwan daemon, the creation of the tunnels stops at a certain point, and “ipsec statusall” says: “Tasks queued: QUICK_MODE” and it never gets past that point. The log files then indicate that after 5 unsuccessful attempts the tunnel creation is stopped. With 4.6.4 it works without any issues.

To the extent of my knowledge and expertise I tried to change/modify the parameters in the ipsec.conf file, and reviewed the log files available (pluto.log and charon.log), without any success.

As my attempt to find any relevant information on the internet failed (similar issues, configuration changes), I would like to kindly ask for help and assistance.
As the problem is straightly present for all 6 of our remote sites, I suspect it is related to our side/configuration, and not to the other side (likely using different Cisco devices).

We will be thankful for any information.
Best regards,

Matus Straka, PhD

E-Mail: straka at ischemaview.com
iSchemaView, Inc., 323 Olmsted Rd, Stanford, CA 94305, USA

Users mailing list
Users at lists.strongswan.org
