[strongSwan] IPsec tunnel with Cisco ASA 5545
Ali Masoudi
masoudi1983 at gmail.com
Tue May 21 08:41:08 CEST 2013
Sorry, but I found the problem. It was on the Cisco side; they forgot
to bind the crypto map config to the network interface.
Best wishes
Ali
On Mon, May 20, 2013 at 8:27 AM, Ali Masoudi <masoudi1983 at gmail.com> wrote:
> Hi
>
> I was trying to bring up an IPsec connection between strongSwan 5.0.1 and
> Cisco, but I was not successful. Only phase 1 was established. I paste the
> configuration below. Please help me find my mistake.
>
> By the way, I read the text below on strongswan.org. It seems the only way is
> using XAUTH. Am I right?
>
> "IKEv1 Mode Config Push Mode is not implemented yet. This might be an issue
> with Cisco Access Concentrators which usually force Mode Config Push Mode in
> the absence of XAUTH-based authentication."
>
> Thanks in advance
> Ali
>
>
> Strongswan 5.0.1 Configuration:
>
> config setup
>     uniqueids="no"
>     strictcrlpolicy="no"
>
> conn %default
>     keyingtries="%forever"
>     leftsendcert="always"
>
> conn Tunnel_1
>     authby="psk"
>     auto="start"
>     type="tunnel"
>     compress="no"
>     rekeymargin="540s"
>     left="10.132.154.157"
>     leftsubnet="10.132.154.152/29"
>     right="10.132.154.158"
>     rightsubnet="10.132.219.70/32"
>     ike="3des-md5-modp1024"
>     esp="3des-md5-modp1024"
>     #modeconfig = "push"
>     ikelifetime="86400"
>     keylife="86400"
>     keyexchange="ikev1"
>
> ipsec.secrets:
>
> 10.132.154.157 10.132.154.158 : PSK "XXXXXXXXXX"
>
> -------------------------------------------------------------------------------
>
> Cisco configuration:
>
> crypto isakmp key XXXXXXXXXX address 10.132.154.157
>
> crypto ipsec transform-set vpn_TS2 esp-3des esp-md5-hmac
>
> crypto isakmp policy 2
> encr 3des
> hash md5
> authentication pre-share
> group 2
>
>
> crypto map Company1 2 ipsec-isakmp
> description connected Company1
> set peer 10.132.154.157
> set security-association lifetime seconds 86400
> set transform-set vpn_TS2
> set pfs group2
> match address Company1
>
> ip access-list extended Company1
> permit ip host 10.132.154.153 host 10.132.219.70
> permit ip host 10.132.154.154 host 10.132.219.70
> permit ip host 10.132.154.155 host 10.132.219.70
> permit ip host 10.132.154.156 host 10.132.219.70
>
>
> ---------------------------------------------------------------------------------
>
> "ipsec status" output:
>
> Security Associations (2 up, 0 connecting):
> Tunnel_1[8]: ESTABLISHED 17 hours ago,
> 10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]
>
>
> "ipsec up Tunnel_1" output:
>
>
> initiating Main Mode IKE_SA Tunnel_1[10] to 10.132.154.158
> generating ID_PROT request 0 [ SA V V V ]
> sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
> received packet: from 10.132.154.158[500] to 10.132.154.157[500]
> parsed ID_PROT response 0 [ SA ]
> generating ID_PROT request 0 [ KE No ]
> sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
> received packet: from 10.132.154.158[500] to 10.132.154.157[500]
> parsed ID_PROT response 0 [ KE No V V V V ]
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
> received packet: from 10.132.154.158[500] to 10.132.154.157[500]
> parsed ID_PROT response 0 [ ID HASH ]
> IKE_SA Tunnel_1[10] established between
> 10.132.154.157[10.132.154.157]...10.132.154.158[10.132.154.158]
> scheduling reauthentication in 85675s
> maximum IKE_SA lifetime 86215s
> generating QUICK_MODE request 714104555 [ HASH SA No ID ID ]
> sending packet: from 10.132.154.157[500] to 10.132.154.158[500]
> received packet: from 10.132.154.158[500] to 10.132.154.157[500]
> parsed INFORMATIONAL_V1 request 86997070 [ HASH N(NO_PROP) ]
> received NO_PROPOSAL_CHOSEN error notify
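A diagnostic script, added here as an example and not part of the thread or of strongSwan: it maps the ipsec.conf ike=/esp= proposal strings onto the Cisco ISAKMP policy, transform set and PFS group, then classifies an "ipsec up" transcript like the one above, so that a Quick Mode NO_PROPOSAL_CHOSEN with matching algorithms points at the peer's policy (here the crypto map not applied to the interface) rather than at the proposal. The keyword mapping is an assumed subset, and the sample Cisco and log lines are constructed from the thread.

```python
import re

# strongSwan keyword -> Cisco keyword (assumed mapping, limited to the thread's algorithms)
CISCO_ENC = {"3des": "3des", "aes128": "aes"}
CISCO_HASH = {"md5": "md5", "sha1": "sha", "sha256": "sha256"}
CISCO_GROUP = {"modp1024": "2", "modp1536": "5", "modp2048": "14"}

def parse_proposal(prop):  # '3des-md5-modp1024' -> ('3des', 'md5', 'modp1024'); group optional
    enc, integ, *dh = prop.strip('"').split("-")
    return enc, integ, (dh[0] if dh else None)

def parse_cisco(lines):  # collect the Cisco fields that decide whether a proposal is accepted
    cfg = {}
    for line in (l.strip() for l in lines):
        if m := re.match(r"(encr|hash|group)\s+(\S+)", line):       # crypto isakmp policy
            cfg["ike_" + m.group(1)] = m.group(2)
        elif m := re.match(r"crypto ipsec transform-set \S+ esp-(\S+) esp-(\S+)-hmac", line):
            cfg["esp_encr"], cfg["esp_hash"] = m.group(1), m.group(2)
        elif m := re.match(r"set pfs group(\d+)", line):            # crypto map PFS group
            cfg["pfs_group"] = m.group(1)
    return cfg

def mismatches(ike_prop, esp_prop, cfg):  # fields on which the two sides disagree; [] = match
    ike, esp = parse_proposal(ike_prop), parse_proposal(esp_prop)
    checks = [("ike encryption", CISCO_ENC.get(ike[0]), cfg.get("ike_encr")),
              ("ike hash", CISCO_HASH.get(ike[1]), cfg.get("ike_hash")),
              ("ike dh group", CISCO_GROUP.get(ike[2]), cfg.get("ike_group")),
              ("esp encryption", CISCO_ENC.get(esp[0]), cfg.get("esp_encr")),
              ("esp integrity", CISCO_HASH.get(esp[1]), cfg.get("esp_hash")),
              ("esp pfs group", CISCO_GROUP.get(esp[2]), cfg.get("pfs_group"))]
    return [label for label, want, have in checks if want != have]

def diagnose(log, ike_prop, esp_prop, cfg):  # where an 'ipsec up' transcript stopped, and why
    if not any("IKE_SA" in l and "established" in l for l in log):
        return "phase 1 failed"
    if not any("NO_PROPOSAL_CHOSEN" in l for l in log):
        return "tunnel established"
    bad = mismatches(ike_prop, esp_prop, cfg)
    if bad:
        return "phase 2 rejected: mismatch in " + ", ".join(bad)
    # Algorithms agree, so the refusal comes from the peer's policy rather than the proposal:
    # in the thread the crypto map had not been applied to the Cisco interface.
    return "phase 2 rejected with matching proposals: check crypto map binding and ACL"

# Constructed sample input: the thread's Cisco lines and the decisive strongSwan log lines
CISCO_LINES = ["crypto ipsec transform-set vpn_TS2 esp-3des esp-md5-hmac",
               "encr 3des", "hash md5", "group 2", "set pfs group2"]
LOG_LINES = ["IKE_SA Tunnel_1[10] established between 10.132.154.157...10.132.154.158",
             "generating QUICK_MODE request 714104555 [ HASH SA No ID ID ]",
             "received NO_PROPOSAL_CHOSEN error notify"]
```

Run `diagnose(LOG_LINES, "3des-md5-modp1024", "3des-md5-modp1024", parse_cisco(CISCO_LINES))` to reproduce the thread's situation; change the esp= string to see the mismatch report instead.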