[strongSwan] Strongswan to ASA failing with NO_PROP in QUICKMODE and aggressive psk
Noel Kuntze
noel at familie-kuntze.de
Thu Jul 4 00:06:49 CEST 2013
Hello,
I try to connect to a CISCO ASA with first round psk, then xauth.
After the authentication and getting the sourceip from the responder,
strongswan goes into QUICKMODE and tries to negotiate something else
(I don't know what it does), and then it fails.
I hope you can help me. Relevant parts of the config and output of the
command are following up.
Regards,
Noel
ipsec.conf:
conn %default
    ikelifetime=60m
    inactivity=30s
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    esp=aes256-sha512-modp4096,aes256-sha1-modp1024,aes256-sha1-modp2048
    ike=aes256-sha512-modp4096,aes256-sha1-modp1024,aes256-sha1-modp2048
    tfc=%mtu
    dpdaction=restart
    dpddelay=10
    dpdtimeout=60
    compress=yes
    left=192.168.178.48

conn fh
    leftauth=psk
    leftauth2=xauth
    rightauth=psk
    leftid=[ID]
    rightid=[ID of the ASA]
    right=[responder's FQDN]
    keyexchange=ikev1
    compress=no
    leftsourceip=%config
    aggressive=yes
    rightsubnet=[relevant right subnet]
    auto=add
    xauth_identity=[my Xauth ID]
    esp=aes256-sha1-modp1024
    ike=aes256-sha1-modp1024
ipsec up fh:
initiating Aggressive Mode IKE_SA fh[7] to [responder's public IP-address]
generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]
sending packet: from 192.168.178.48[500] to [responder's public
IP-address][500] (383 bytes)
received packet: from [responder's public IP-address][500] to
192.168.178.48[500] (478 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V
V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID:
c1:55:18:3b:b9:f2:ab:c2:ec:4e:70:79:a8:2b:a4:7f
received unknown vendor ID:
1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.178.48[4500] to [responder's public
IP-address][4500] (108 bytes)
received packet: from [responder's public IP-address][4500] to
192.168.178.48[4500] (76 bytes)
parsed TRANSACTION request 2826753597 [ HASH CP ]
generating TRANSACTION response 2826753597 [ HASH CP ]
sending packet: from 192.168.178.48[4500] to [responder's public
IP-address][4500] (92 bytes)
received packet: from [responder's public IP-address][4500] to
192.168.178.48[4500] (76 bytes)
parsed TRANSACTION request 1929774754 [ HASH CP ]
XAuth authentication of '[Xauth ID]' (myself) successful
IKE_SA fh[7] established between 192.168.178.48[[id]]...[responder's
public IP-address][responder's FQDN]
scheduling reauthentication in 3389s
maximum IKE_SA lifetime 3569s
generating TRANSACTION response 1929774754 [ HASH CP ]
sending packet: from 192.168.178.48[4500] to [responder's public
IP-address][4500] (76 bytes)
generating TRANSACTION request 3635288623 [ HASH CP ]
sending packet: from 192.168.178.48[4500] to [responder's public
IP-address][4500] (76 bytes)
received packet: from [responder's public IP-address][4500] to
192.168.178.48[4500] (92 bytes)
parsed TRANSACTION response 3635288623 [ HASH CP ]
installing DNS server [Internal DNS1] via resolvconf
installing DNS server [internal DNS2] via resolvconf
installing new virtual IP [Public IP-address]
generating QUICK_MODE request 3418582762 [ HASH SA No KE ID ID ]
sending packet: from 192.168.178.48[4500] to [responder's public
IP-address][4500] (316 bytes)
received packet: from [responder's public IP-address][4500] to
192.168.178.48[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3526216300 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'fh' failed
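Added example (not part of the original post and not strongSwan code): a small Python script that reads an ipsec.conf fragment and a charon log, finds which exchange was on the wire when NO_PROPOSAL_CHOSEN arrived, and reports the proposal that governed that exchange. Phase 1 exchanges (AGGRESSIVE, ID_PROT) negotiate `ike=`, Quick Mode negotiates `esp=`, and a conn's own `esp=`/`ike=` override the values in `conn %default`. A DH group inside `esp=` (here `modp1024`) asks the peer for PFS, which is why the QUICK_MODE request above carries a KE payload; the script flags that so the two sides' phase 2 settings can be compared. The conf text and log lines embedded below are constructed to mirror the shape of the post.

```python
"""Map a strongSwan IKEv1 NO_PROPOSAL_CHOSEN notify back to the proposal that
was on the wire (added illustration, not strongSwan code)."""
import re

# Order matters: 'aesxcbc' must be classified as integrity before 'aes*' as encryption.
INTEG_PREFIXES = ("sha", "md5", "aesxcbc", "aescmac")
ENC_PREFIXES = ("aes", "3des", "camellia", "chacha20", "null")
DH_PREFIXES = ("modp", "ecp", "curve25519", "x25519")


def parse_proposal(spec):
    """Split an ike=/esp= string such as 'aes256-sha1-modp1024,aes256-sha512'
    into one dict per comma-separated proposal. A trailing '!' (strict mode)
    is dropped; it only affects how strongSwan accepts the peer's choice."""
    proposals = []
    for item in spec.rstrip("!").split(","):
        prop = {"enc": None, "integ": None, "dh": None}
        for alg in item.split("-"):
            if alg.startswith(INTEG_PREFIXES):
                prop["integ"] = alg
            elif alg.startswith(ENC_PREFIXES):
                prop["enc"] = alg
            elif alg.startswith(DH_PREFIXES):
                prop["dh"] = alg
            else:
                raise ValueError(f"unknown algorithm token: {alg}")
        proposals.append(prop)
    return proposals


def parse_ipsec_conf(text):
    """Minimal ipsec.conf reader: 'conn NAME' sections holding key=value lines."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def effective(conns, name, key):
    """A conn inherits a setting from 'conn %default' unless it sets it itself."""
    return conns[name].get(key, conns.get("%default", {}).get(key))


LOG_EXCHANGE = re.compile(r"^generating (\S+) request")
NO_PROP = re.compile(r"N\(NO_PROP\)|NO_PROPOSAL_CHOSEN")


def locate_no_proposal(log_lines):
    """Return the exchange type of the last request we sent before the
    NO_PROPOSAL_CHOSEN notify, or None if the log contains no such notify."""
    last = None
    for line in log_lines:
        match = LOG_EXCHANGE.match(line.strip())
        if match:
            last = match.group(1)
        elif NO_PROP.search(line):
            return last
    return None


def diagnose(conf_text, conn_name, log_lines):
    """Combine config and log: which phase failed, and which proposal it used."""
    conns = parse_ipsec_conf(conf_text)
    phase = locate_no_proposal(log_lines)
    if phase is None:
        return {"phase": None}
    key = "esp" if phase == "QUICK_MODE" else "ike"   # phase 2 vs phase 1
    spec = effective(conns, conn_name, key)
    props = parse_proposal(spec)
    return {
        "phase": phase,
        "setting": key,
        "spec": spec,
        "proposals": props,
        # A DH group in esp= requests PFS in Quick Mode (KE payload on the wire).
        "pfs_requested": key == "esp" and any(p["dh"] for p in props),
    }


# Constructed sample input, shaped like the post's config and log.
SAMPLE_CONF = """\
conn %default
    esp=aes256-sha512-modp4096,aes256-sha1-modp1024
    ike=aes256-sha512-modp4096,aes256-sha1-modp1024

conn fh
    keyexchange=ikev1
    aggressive=yes
    esp=aes256-sha1-modp1024
    ike=aes256-sha1-modp1024
"""

SAMPLE_LOG = [
    "generating AGGRESSIVE request 0 [ SA KE No ID V V V V ]",
    "parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V V ]",
    "generating TRANSACTION response 2826753597 [ HASH CP ]",
    "XAuth authentication of 'user' (myself) successful",
    "generating QUICK_MODE request 3418582762 [ HASH SA No KE ID ID ]",
    "parsed INFORMATIONAL_V1 request 3526216300 [ HASH N(NO_PROP) ]",
    "received NO_PROPOSAL_CHOSEN error notify",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF, "fh", SAMPLE_LOG))
```

Run against the sample, the script reports the failure in QUICK_MODE, the effective `esp=aes256-sha1-modp1024` (the conn's own value, not the `%default` list), and `pfs_requested: True`; the ASA side's phase 2 transform set and PFS setting are then the things to compare against that single proposal.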