[strongSwan] IPsec tunnel with Cisco ASA 5545

Ali Masoudi masoudi1983 at gmail.com
Tue May 21 08:41:08 CEST 2013


Sorry, but I found the problem. It was on the Cisco side: they forgot
to bind the crypto map config to the network interface.

Best wishes
Ali

On Mon, May 20, 2013 at 8:27 AM, Ali Masoudi <masoudi1983 at gmail.com> wrote:
> Hi
>
> I was trying to bring up an IPsec connection between strongSwan 5.0.1 and
> Cisco, but I was not successful. Only phase 1 established. I paste the
> configuration below. Please help me find my mistake.
>
> By the way, I read the text below on strongswan.org. It seems the only way is
> using XAUTH. Am I right?
>
> "IKEv1 Mode Config Push Mode is not implemented yet. This might be an issue
> with Cisco Access Concentrators which usually force Mode Config Push Mode in
> the absence of XAUTH-based authentication."
>
> Thanks in advance
> Ali
>
>
> Strongswan 5.0.1 Configuration:
>
> config setup
>         uniqueids="no"
>         strictcrlpolicy="no"
>
> conn %default
>         keyingtries="%forever"
>         leftsendcert="always"
>
> conn Tunnel_1
>         authby="psk"
>         auto="start"
>         type="tunnel"
>         compress="no"
>         rekeymargin="540s"
>         left="10.132.154.157"
>         leftsubnet="10.132.154.152/29"
>         right="10.132.154.158"
>         rightsubnet="10.132.219.70/32"
>         ike="3des-md5-modp1024"
>         esp="3des-md5-modp1024"
>         #modeconfig = "push"
>         ikelifetime="86400"
>         keylife="86400"
>         keyexchange="ikev1"
>
> ipsec.secrets:
>
> 10.132.154.157 10.132.154.158 : PSK "XXXXXXXXXX"
>
> -------------------------------------------------------------------------------
>
> Cisco configuration:
>
> crypto isakmp key XXXXXXXXXX address 10.132.154.157
>
> crypto ipsec transform-set vpn_TS2 esp-3des esp-md5-hmac
>
> crypto isakmp policy 2
> encr 3des
> hash md5
> authentication pre-share
> group 2
>
>
> crypto map Company1 2 ipsec-isakmp
> description connected Company1
> set peer 10.132.154.157
> set security-association lifetime seconds 86400
> set transform-set vpn_TS2
> set pfs group2
> match address Company1
>
> ip access-list extended Company1
> permit ip host 10.132.154.153 host 10.132.219.70
> permit ip host 10.132.154.154 host 10.132.219.70
> permit ip host 10.132.154.155 host 10.132.219.70
> permit ip host 10.132.154.156 host 10.132.219.70
>
>
> ---------------------------------------------------------------------------------
>
> "ipsec status" output:
>
> Security Associations (2 up, 0 connecting):
> Tunnel_1[8]: ESTABLISHED 17 hours ago,
> 10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]
>
>
> "ipsec up Tunnel_1" output:
>
>
> initiating Main Mode IKE_SA Tunnel_1[10] to 10.132.154.158
> generating ID_PROT request 0 [ SA V V V ]
> sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
> received packet: from 10.132.154.158[500] to 10.132.154.157[500]
> parsed ID_PROT response 0 [ SA ]
> generating ID_PROT request 0 [ KE No ]
> sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
> received packet: from 10.132.154.158[500] to 10.132.154.157[500]
> parsed ID_PROT response 0 [ KE No V V V V ]
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
> received packet: from 10.132.154.158[500] to 10.132.154.157[500]
> parsed ID_PROT response 0 [ ID HASH ]
> IKE_SA Tunnel_1[10] established between
> 10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]
> scheduling reauthentication in 85675s
> maximum IKE_SA lifetime 86215s
> generating QUICK_MODE request 714104555 [ HASH SA No ID ID ]
> sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
> received packet: from 10.132.154.158[500] to 10.132.154.157[500]
> parsed INFORMATIONAL_V1 request 86997070 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
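As an added illustration (not code from the thread or from strongSwan), a small Python helper that walks the `ipsec up` output quoted above, decides whether the peer rejected phase 1 or quick mode, and lists the Cisco-side settings to compare for that outcome; the hint lists are my own and the sample log is constructed from the lines in the post.

```python
import re
# Constructed sample: the "ipsec up Tunnel_1" output quoted in this thread, abridged.
SAMPLE_LOG = """\
initiating Main Mode IKE_SA Tunnel_1[10] to 10.132.154.158
generating ID_PROT request 0 [ SA V V V ]
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Tunnel_1[10] established between 10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]
generating QUICK_MODE request 714104555 [ HASH SA No ID ID ]
parsed INFORMATIONAL_V1 request 86997070 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
"""

# Cisco-side items to compare against ipsec.conf for each (stage, notify);
# the last phase-2 item is the cause reported in this thread.
HINTS = {
    ("phase1", "NO_PROPOSAL_CHOSEN"): [
        "crypto isakmp policy encr/hash/group/authentication vs. ike=",
        "crypto isakmp key ... address vs. ipsec.secrets PSK and peer address",
    ],
    ("phase2", "NO_PROPOSAL_CHOSEN"): [
        "transform-set (esp-3des esp-md5-hmac) vs. esp= cipher and integrity",
        "set pfs group vs. the modp group in esp=",
        "crypto ACL hosts/subnets vs. leftsubnet/rightsubnet",
        "crypto map applied to the peer-facing interface",
    ],
}

def classify_ikev1(log: str) -> dict:
    """Walk charon's IKEv1 initiator output and report where it stopped."""
    ike_up = child_up = quick_sent = False
    notify = None
    for line in log.splitlines():
        if re.search(r"\bIKE_SA \S+ established", line):
            ike_up = True                       # phase 1 (Main Mode) done
        elif re.search(r"\bCHILD_SA \S+ established", line):
            child_up = True                     # phase 2 (Quick Mode) done
        elif line.startswith("generating QUICK_MODE request"):
            quick_sent = True                   # IPsec SA proposal went out
        else:
            m = re.search(r"received (\w+) error notify", line)
            if m:
                notify = m.group(1)
    if notify:                                  # peer rejected something: which phase?
        stage = "phase2" if ike_up and quick_sent else "phase1"
    elif child_up:
        stage = "complete"
    else:
        stage = "phase2_pending" if ike_up else "phase1_pending"
    return {"stage": stage, "notify": notify, "check": HINTS.get((stage, notify), [])}
```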
