[strongSwan] Strongswan 5.1.1 / Cisco ASA 5520: no matching crypto map

Ulysse 31 ulysse31 at gmail.com
Thu Dec 5 21:14:29 CET 2013


Hi,

Yes, I did have a similar problem; the solution is creating a crypto map on
the Cisco config compliant with the Linux IPsec standard.
There are lots of tutorials explaining it on the net.
I would have sent some sample lines but do not have them available right now.

Best Regards,




2013/12/5 Sergio Samayoa <sergiosamayoa at icon.com.gt>

> Hi.
>
> I have a problem connecting from Strongswan 5.1.1 to Cisco ASA 5520:
>
> On the Cisco (B) side there is an ACL controlling which hosts the
> strongSwan (A) side can access.
>
> This is the Cisco configuration:
>
> tunnel-group X.X.X.X type ipsec-l2l
> tunnel-group X.X.X.X ipsec-attributes
> pre-shared-key ******
>
> crypto map Tunel 170 match address PREDICTIBILIDAD
> crypto map Tunel 170 set peer X.X.X.X
> crypto map Tunel 170 set transform-set TEMM10
> crypto map Tunel 170 set pfs group2
>
> access-list PREDICTIBILIDAD extended permit ip host 10.225.230.212 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.207.77 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.240.20 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.2.81.168 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.216.15.145 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.216.15.201 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.216.15.210 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.216.15.135 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.2.81.187 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.173.177 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.136.9 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.173.178 host
> 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.15.122.237 host
> 172.255.255.78
>
> strongSwan config:
>
> conn TELEFONICAMX
>         ikelifetime=28800s
>         keylife=20m
>         rekeymargin=3m
>         keyexchange=ikev1
>         authby=secret
>         ike=3des-md5-modp1024
>         esp=3des-md5-modp1024
>         left=X.X.X.X
>         leftid=X.X.X.X
>         leftfirewall=yes
>         right=Y.Y.Y.Y
>         rightid=Y.Y.Y.Y
>         auto=add
>         rightsubnet=10.225.230.212,10.225.207.77,10.225.240.20,10.2.81.168,10.216.15.145,10.216.15.201,10.216.15.210,10.216.15.135,10.2.81.187,10.225.173.177,10.225.136.9,10.225.173.178,10.15.122.237
>
> strongSwan was compiled with unity enabled.
>
> When I try to bring up the connection I get this:
>
> root at vpn-tmmx:/usr/local/etc# ipsec up TELEFONICAMX
> initiating Main Mode IKE_SA TELEFONICAMX[2] to Y.Y.Y.Y
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (184 bytes)
> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (104 bytes)
> parsed ID_PROT response 0 [ SA V ]
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (196 bytes)
> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (256 bytes)
> parsed ID_PROT response 0 [ KE No V V V V ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: 5f:03:43:5c:a7:b9:51:2d:a5:40:d3:91:67:d0:7a:7c
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (68 bytes)
> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA TELEFONICAMX[2] established between
> X.X.X.X[X.X.X.X]...Y.Y.Y.Y[Y.Y.Y.Y]
> scheduling reauthentication in 28564s
> maximum IKE_SA lifetime 28744s
> generating QUICK_MODE request 812470083 [ HASH SA No KE ID ID ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (300 bytes)
> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (348 bytes)
> parsed INFORMATIONAL_V1 request 2160602061 [ HASH N(INVAL_ID) ]
> received INVALID_ID_INFORMATION error notify
> establishing connection 'TELEFONICAMX' failed
>
> Phase 1 completes but the Cisco side drops the connection.
> These are the Cisco log entries:
>
> Dec  4 21:09:28 [X] Dec 04 2013 22:16:54: %ASA-4-113019: Group = X.X.X.X,
> Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: IKE,
> Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy
> not found
> Dec  4 21:09:27 [] Dec 04 2013 22:16:54: %ASA-6-113009: AAA retrieved
> default group policy (DfltGrpPolicy) for user = X.X.X.X
> Dec  4 21:09:27 [1] Dec 04 2013 22:16:54: %ASA-5-713119: Group =
> 200.35.187.146, IP = X.X.X.X, PHASE 1 COMPLETED
> Dec  4 21:09:28 [] Dec 04 2013 22:16:54: %ASA-3-713061: Group = X.X.X.X,
> IP = X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for
> remote proxy 172.255.255.78/255.255.255.255/0/0 local proxy
> 0.0.0.0/0.0.0.0/0/0 on interface outside
>
> Shouldn't strongSwan send the rightsubnet to Cisco to match the crypto
> policy?
>
> Has someone faced a similar problem?
>
> BTW we can't change Cisco side.
>
> Regards.
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>



-- 
Gomes do Vale Victor
Systems, Network and Security Engineer
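The ASA message quoted in the thread (%ASA-3-713061, "no matching crypto map entry for remote proxy 172.255.255.78/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0") is the ASA saying which IDci/IDcr pair it received in Quick Mode and that no entry of the crypto-map ACL covers it. The script below is an added example, not code from the thread, from strongSwan or from Cisco: it parses the posted ACL lines and that log line, checks the reported proxy pair against each ACE (an ASA crypto-map ACE "permit ip host A host B" reads as local, ASA-side proxy A and remote, peer-side proxy B), and, when nothing matches, lists the per-ACE leftsubnet/rightsubnet pairs that a single IKEv1 Quick Mode would have to carry, seen from the strongSwan side. Assumptions, marked in the code: matching is by subnet containment (a stricter exact-match rule gives the same verdict on these inputs), and only three of the thirteen ACEs are used as sample input.

```python
# Added example, not code from the thread or from strongSwan/Cisco: decode the
# ASA "no matching crypto map entry" rejection and check the proxy identities it
# reports against the crypto-map ACL. On an ASA, "permit ip host A host B" in a
# crypto-map ACL means local (ASA-side) proxy A and remote (peer-side) proxy B;
# an IKEv1 Quick Mode carries exactly one IDci/IDcr pair per IPsec SA, and the
# ASA looks for an ACE covering that pair. Matching here is by subnet
# containment (assumption: a stricter exact-match rule gives the same verdict
# on these inputs). The ACL lines and the log line are copied from the thread.
import ipaddress
import re

# Three of the posted ACEs (constructed sample input, taken from the thread).
ACL_TEXT = """
access-list PREDICTIBILIDAD extended permit ip host 10.225.230.212 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.207.77 host 172.255.255.78
access-list PREDICTIBILIDAD extended permit ip host 10.225.240.20 host 172.255.255.78
"""

# The rejection the ASA logged in the thread.
LOG_LINE = ("%ASA-3-713061: Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: "
            "no matching crypto map entry for remote proxy "
            "172.255.255.78/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 "
            "on interface outside")

ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+ip\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)\s*$")

# remote proxy ADDR/MASK/PROTO/PORT local proxy ADDR/MASK/PROTO/PORT
PROXY_RE = re.compile(
    r"remote proxy (?P<raddr>[\d.]+)/(?P<rmask>[\d.]+)/\d+/\d+\s+"
    r"local proxy (?P<laddr>[\d.]+)/(?P<lmask>[\d.]+)/\d+/\d+")


def _net(spec):
    """Map an ACL address spec ('any', 'host A', 'A MASK') to an ip_network."""
    spec = spec.strip()
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host"):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_acl(text):
    """Return [(acl_name, local_net, remote_net)] for every 'permit ip' ACE in text."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append((m["name"], _net(m["src"]), _net(m["dst"])))
    return entries


def parse_713061(line):
    """Return (remote_proxy, local_proxy) ip_networks from an ASA-3-713061 line, or None."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    remote = ipaddress.ip_network(f"{m['raddr']}/{m['rmask']}", strict=False)
    local = ipaddress.ip_network(f"{m['laddr']}/{m['lmask']}", strict=False)
    return remote, local


def matching_aces(entries, remote_proxy, local_proxy):
    """ACEs covering the proposed pair: local proxy inside src, remote proxy inside dst."""
    remote = ipaddress.ip_network(str(remote_proxy))
    local = ipaddress.ip_network(str(local_proxy))
    return [e for e in entries if local.subnet_of(e[1]) and remote.subnet_of(e[2])]


def strongswan_selectors(entries):
    """Per-ACE (leftsubnet, rightsubnet) as the ASA's peer would have to propose them:
    left = ACE destination (peer side), right = ACE source (ASA side)."""
    return [(str(e[2]), str(e[1])) for e in entries]


def diagnose(acl_text, log_line):
    """Explain a 713061 rejection: which ACE covers the proposal, or what would."""
    entries = parse_acl(acl_text)
    proxies = parse_713061(log_line)
    if proxies is None:
        return {"parsed": False}
    remote, local = proxies
    hits = matching_aces(entries, remote, local)
    return {
        "parsed": True,
        "remote_proxy": str(remote),
        "local_proxy": str(local),
        "matches": [f"{e[0]}: {e[1]} -> {e[2]}" for e in hits],
        "acceptable_pairs": [] if hits else strongswan_selectors(entries),
    }


if __name__ == "__main__":
    for key, value in diagnose(ACL_TEXT, LOG_LINE).items():
        print(f"{key}: {value}")
```

Run against the posted log line, `matches` is empty because a local proxy of 0.0.0.0/0 is not covered by any `host` source, while a proposal of 172.255.255.78/32 against 10.225.230.212/32 is covered by the first ACE; `acceptable_pairs` is the list of selector pairs the ACL would accept, one per ACE, which is the granularity at which an IKEv1 responder with this crypto map can be matched.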

