[strongSwan] IPsec tunnel with Cisco ASA 5545
Ali Masoudi
masoudi1983 at gmail.com
Mon May 20 06:57:27 CEST 2013
Hi,

I was trying to bring up an IPsec connection between strongSwan 5.0.1 and
Cisco, but I was not successful. Only phase 1 established. I paste the
configuration below. Please help me find my mistake.

By the way, I read the text below on
strongswan.org <http://wiki.strongswan.org/projects/strongswan/wiki/CharonPlutoIKEv1>.
It seems the only way is using XAUTH. Am I right?

"IKEv1 Mode Config Push Mode is not implemented yet. This might be an issue
with Cisco Access Concentrators which usually force Mode Config Push Mode
in the absence of XAUTH-based authentication."

Thanks in advance,
Ali
*Strongswan 5.0.1 Configuration:*
config setup
        uniqueids="no"
        strictcrlpolicy="no"

conn %default
        keyingtries="%forever"
        leftsendcert="always"

conn Tunnel_1
        authby="psk"
        auto="start"
        type="tunnel"
        compress="no"
        rekeymargin="540s"
        left="10.132.154.157"
        leftsubnet="10.132.154.152/29"
        right="10.132.154.158"
        rightsubnet="10.132.219.70/32"
        ike="3des-md5-modp1024"
        esp="3des-md5-modp1024"
        #modeconfig="push"
        ikelifetime="86400"
        keylife="86400"
        keyexchange="ikev1"
*ipsec.secrets:*
10.132.154.157 10.132.154.158 : PSK "XXXXXXXXXX"
-------------------------------------------------------------------------------
*Cisco configuration:*
crypto isakmp key XXXXXXXXXX address 10.132.154.157
crypto ipsec transform-set vpn_TS2 esp-3des esp-md5-hmac
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto map Company1 2 ipsec-isakmp
 description connected Company1
 set peer 10.132.154.157
 set security-association lifetime seconds 86400
 set transform-set vpn_TS2
 set pfs group2
 match address Company1
ip access-list extended Company1
 permit ip host 10.132.154.153 host 10.132.219.70
 permit ip host 10.132.154.154 host 10.132.219.70
 permit ip host 10.132.154.155 host 10.132.219.70
 permit ip host 10.132.154.156 host 10.132.219.70
---------------------------------------------------------------------------------
*"ipsec status" output:*
Security Associations (2 up, 0 connecting):
Tunnel_1[8]: ESTABLISHED 17 hours ago,
10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]
*"ipsec up Tunnel_1" output:*
initiating Main Mode IKE_SA Tunnel_1[10] to 10.132.154.158
generating ID_PROT request 0 [ SA V V V ]
sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
received packet: from 10.132.154.158[500] to 10.132.154.157[500]
parsed ID_PROT response 0 [ SA ]
generating ID_PROT request 0 [ KE No ]
sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
received packet: from 10.132.154.158[500] to 10.132.154.157[500]
parsed ID_PROT response 0 [ KE No V V V V ]
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
received packet: from 10.132.154.158[500] to 10.132.154.157[500]
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Tunnel_1[10] established between
10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]
scheduling reauthentication in 85675s
maximum IKE_SA lifetime 86215s
generating QUICK_MODE request 714104555 [ HASH SA No ID ID ]
sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
received packet: from 10.132.154.158[500] to 10.132.154.157[500]
parsed INFORMATIONAL_V1 request 86997070 [ HASH N(NO_PROP) ]
received *NO_PROPOSAL_CHOSEN* error notify
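A NO_PROPOSAL_CHOSEN answered to the Quick Mode request means the responder rejected either the phase 2 proposal or the traffic selectors (proxy IDs), and a Cisco crypto map compares the received proxy IDs against the entries of its crypto ACL. The script below is an added example, not from the post, that takes the posted ipsec.conf subnets and the posted crypto ACL as constructed inline input and lists every selector pair strongSwan would propose that no ACE matches exactly:

```python
import ipaddress
import re

# Both inputs are copied from the post above, constructed here as inline samples.
STRONGSWAN_CONF = """
conn Tunnel_1
        leftsubnet="10.132.154.152/29"
        rightsubnet="10.132.219.70/32"
"""

CISCO_ACL = """
ip access-list extended Company1
 permit ip host 10.132.154.153 host 10.132.219.70
 permit ip host 10.132.154.154 host 10.132.219.70
 permit ip host 10.132.154.155 host 10.132.219.70
 permit ip host 10.132.154.156 host 10.132.219.70
"""

def strongswan_selectors(conf):
    """(left, right) network pairs strongSwan proposes as Quick Mode IDs."""
    vals = dict(re.findall(r'(leftsubnet|rightsubnet)\s*=\s*"?([^"\s]+)"?', conf))
    left = [ipaddress.ip_network(s) for s in vals["leftsubnet"].split(",")]
    right = [ipaddress.ip_network(s) for s in vals["rightsubnet"].split(",")]
    return [(l, r) for l in left for r in right]

def cisco_aces(acl):
    """Parse 'permit ip <src> <dst>' entries into (src, dst) network pairs.
    Handles 'host A', 'A WILDCARD' and 'any'; other ACE forms are ignored."""
    def net(tokens):
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
        # ipaddress accepts a Cisco wildcard (hostmask) after the slash.
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]
    aces = []
    for line in acl.splitlines():
        t = line.split()
        if len(t) >= 4 and t[:2] == ["permit", "ip"]:
            src, rest = net(t[2:])
            dst, _ = net(rest)
            aces.append((src, dst))
    return aces

def unmatched_selectors(conf, acl):
    """Proposed selector pairs that no ACE equals exactly; a /29 proposal is
    not matched by four separate /32 host entries."""
    aces = cisco_aces(acl)
    return [pair for pair in strongswan_selectors(conf) if pair not in aces]
```

Running unmatched_selectors(STRONGSWAN_CONF, CISCO_ACL) on the posted configs reports the 10.132.154.152/29 <-> 10.132.219.70/32 pair as having no matching ACE; an ACE written with the same /29 (wildcard 0.0.0.7) makes the list empty.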