[strongSwan] Strongswan 5.1.1 / Cisco ASA 5520: no matching crypto map

Sergio Samayoa sergiosamayoa at icon.com.gt
Thu Dec 5 17:09:03 CET 2013


Hi.

I have a problem connecting from strongSwan 5.1.1 to a Cisco ASA 5520:

On the Cisco (B) side there is an ACL controlling which hosts the
strongSwan (A) side can access.

This is the Cisco configuration:

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
pre-shared-key ******

crypto map Tunel 170 match address PREDICTIBILIDAD
crypto map Tunel 170 set peer X.X.X.X
crypto map Tunel 170 set transform-set TEMM10
crypto map Tunel 170 set pfs group2

access-list PREDICTIBILIDAD extended permit ip host 10.225.230.212 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.207.77 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.240.20 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.2.81.168 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.216.15.145 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.216.15.201 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.216.15.210 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.216.15.135 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.2.81.187 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.173.177 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.136.9 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.173.178 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.15.122.237 host 172.255.255.78

strongSwan config:

conn TELEFONICAMX
        ikelifetime=28800s
        keylife=20m
        rekeymargin=3m
        keyexchange=ikev1
        authby=secret
        ike=3des-md5-modp1024
        esp=3des-md5-modp1024
        left=X.X.X.X
        leftid=X.X.X.X
        leftfirewall=yes
        right=Y.Y.Y.Y
        rightid=Y.Y.Y.Y
        auto=add
        rightsubnet=10.225.230.212,10.225.207.77,10.225.240.20,10.2.81.168,10.216.15.145,10.216.15.201,10.216.15.210,10.216.15.135,10.2.81.187,10.225.173.177,10.225.136.9,10.225.173.178,10.15.122.237

strongSwan was compiled with unity enabled.

When I try to bring up the connection I get this:

root at vpn-tmmx:/usr/local/etc# ipsec up TELEFONICAMX
initiating Main Mode IKE_SA TELEFONICAMX[2] to Y.Y.Y.Y
generating ID_PROT request 0 [ SA V V V V ]
sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (184 bytes)
received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No ]
sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (196 bytes)
received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (256 bytes)
parsed ID_PROT response 0 [ KE No V V V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: 5f:03:43:5c:a7:b9:51:2d:a5:40:d3:91:67:d0:7a:7c
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
generating ID_PROT request 0 [ ID HASH ]
sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (68 bytes)
received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (84 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA TELEFONICAMX[2] established between
X.X.X.X[X.X.X.X]...Y.Y.Y.Y[Y.Y.Y.Y]
scheduling reauthentication in 28564s
maximum IKE_SA lifetime 28744s
generating QUICK_MODE request 812470083 [ HASH SA No KE ID ID ]
sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (300 bytes)
received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (348 bytes)
parsed INFORMATIONAL_V1 request 2160602061 [ HASH N(INVAL_ID) ]
received INVALID_ID_INFORMATION error notify
establishing connection 'TELEFONICAMX' failed

Phase 1 completes but the Cisco side drops the connection.
These are the Cisco log entries:

Dec  4 21:09:28 [X] Dec 04 2013 22:16:54: %ASA-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
Dec  4 21:09:27 [] Dec 04 2013 22:16:54: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = X.X.X.X
Dec  4 21:09:27 [1] Dec 04 2013 22:16:54: %ASA-5-713119: Group = 200.35.187.146, IP = X.X.X.X, PHASE 1 COMPLETED
Dec  4 21:09:28 [] Dec 04 2013 22:16:54: %ASA-3-713061: Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.255.255.78/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside

Shouldn't strongSwan send the rightsubnet to the Cisco so that it matches the
crypto map policy?

Has anyone faced a similar problem?

BTW, we can't change the Cisco side.

Regards.
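An added diagnostic (not from the post, strongSwan or Cisco) that parses the ASA's crypto map ACL and the %ASA-3-713061 message quoted above and checks the rejected proxy pair against the ACEs; it assumes the ASA's IKEv1 behaviour of requiring an exact ACE match (ACE source = ASA local proxy, ACE destination = remote proxy), and the ACL and log line are constructed from the ones in the post:

```python
import ipaddress
import re

# Constructed sample: 3 of the 13 ACEs and the 713061 line quoted in the post.
ACL_LINES = """
access-list PREDICTIBILIDAD extended permit ip host 10.225.230.212 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.207.77 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.240.20 host 172.255.255.78
"""
ASA_LOG = ("%ASA-3-713061: Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: "
           "no matching crypto map entry for remote proxy 172.255.255.78/255.255.255.255/0/0 "
           "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside")
ACE_RE = re.compile(r"access-list \S+ extended permit ip host ([\d.]+) host ([\d.]+)")
PROXY_RE = re.compile(r"remote proxy ([\d.]+)/([\d.]+)/\d+/\d+ local proxy ([\d.]+)/([\d.]+)/\d+/\d+")

def parse_acl(text):
    """(local, remote) per host/host ACE: the ACE source is the ASA's own
    protected side, the destination is the peer (strongSwan) side."""
    return [(ipaddress.ip_network(s + "/32"), ipaddress.ip_network(d + "/32"))
            for s, d in ACE_RE.findall(text)]

def parse_proxies(log_line):
    """(remote, local) proxy IDs from a %ASA-3-713061 message, or None."""
    m = PROXY_RE.search(log_line)
    if m is None:
        return None
    return (ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
            ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}"))

def matching_ace(aces, local_net, remote_net):
    """Assumed ASA IKEv1 rule: the Quick Mode proxy pair must equal an ACE's
    source/destination pair exactly (no narrowing). Returns the ACE or None."""
    return next((ace for ace in aces if ace == (local_net, remote_net)), None)

def diagnose(acl_text, log_line):
    """Explain a 713061 rejection in terms of the crypto map ACL."""
    aces = parse_acl(acl_text)
    remote, local = parse_proxies(log_line)
    if matching_ace(aces, local, remote):
        return "match"
    wanted = [str(a[0]) for a in aces if a[1] == remote]
    return (f"no ACE for local {local} <-> remote {remote}; "
            f"ACL expects local proxy in: {', '.join(wanted)}")

def uncovered_rightsubnets(aces, left_host, rightsubnet_csv):
    """ipsec.conf rightsubnet hosts that no ACE permits, given the /32 that
    strongSwan presents as its own traffic selector (left_host)."""
    left = ipaddress.ip_network(left_host + "/32")
    return [h for h in rightsubnet_csv.split(",")
            if matching_ace(aces, ipaddress.ip_network(h + "/32"), left) is None]
```

Run against the quoted log line, `diagnose` reports that the 0.0.0.0/0 local proxy matches none of the host ACEs and lists the 10.x hosts the ACL would accept, while `uncovered_rightsubnets` confirms which rightsubnet entries the ACL actually covers.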