[strongSwan] Strongswan IKEv2 not working with ASA
Narsimhamurti Gujar
murti_gujar at yahoo.com
Fri Nov 15 02:32:25 CET 2013
Hello,
I am trying to interoperate Strongswan (open source IPSec client) with ASA.
However I am getting the following error for the CHILD_SA establishment.
I am using pre-shared key for authentication. I have tried all possible combinations for encryption/hash/DH group.
Any pointers appreciated.
ASA console
---------------------------
ccc-sw-asa# IKEv2-PROTO-1: (1027): Failed to find a matching policy
IKEv2-PROTO-1: (1027): Received Policies:
ESP: Proposal 1: 3DES SHA96
ESP: Proposal 2: AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA96 AES XCBC 96 MD596
IKEv2-PROTO-1: (1027): Failed to find a matching policy
IKEv2-PROTO-1: (1027): Expected Policies:
IKEv2-PROTO-1: (1027): Failed to find a matching policy
IKEv2-PROTO-1: (1027):
Strongswan console:
------------------------------
initiating IKE_SA lma[2] to 173.36.208.117
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 74.61.156.175[500] to 173.36.208.117[500] (504 bytes)
received packet: from 173.36.208.117[500] to 74.61.156.175[500] (358 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
received unknown vendor ID: 43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e
received unknown vendor ID: 43:49:53:43:4f:28:43:4f:50:59:52:49:47:48:54:29:26:43:6f:70:79:72:69:67:68:74:20:28:63:29:20:32:30:30:39:20:43:69:73:63:6f:20:53:79:73:74:65:6d:73:2c:e
received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
authentication of '74.61.156.175' (myself) with pre-shared key
establishing CHILD_SA lma
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
sending packet: from 74.61.156.175[4500] to 173.36.208.117[4500] (332 bytes)
received packet: from 173.36.208.117[4500] to 74.61.156.175[4500] (124 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '173.36.208.117' with pre-shared key successful
IKE_SA lma[2] established between 74.61.156.175[74.61.156.175]...173.36.208.117[173.36.208.117]
scheduling reauthentication in 86193s
maximum IKE_SA lifetime 86373s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'lma' failed
Thanks,
Murti
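
A small triage script over the two console outputs in the post, added here as an example and not part of the original message: it lists the ESP proposals the ASA reports as received and expected, identifies which exchange failed from the charon messages, and decodes vendor IDs that are plain ASCII. The function names are hypothetical, and the embedded log text is a subset of the lines quoted above.

```python
import re

# Subset of the console lines quoted in the post, embedded so the script runs offline.
ASA_LOG = """\
IKEv2-PROTO-1: (1027): Failed to find a matching policy
IKEv2-PROTO-1: (1027): Received Policies:
ESP: Proposal 1: 3DES SHA96
ESP: Proposal 2: AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA96 AES XCBC 96 MD596
IKEv2-PROTO-1: (1027): Failed to find a matching policy
IKEv2-PROTO-1: (1027): Expected Policies:
IKEv2-PROTO-1: (1027): Failed to find a matching policy
"""
CHARON_LOG = """\
received unknown vendor ID: 43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '173.36.208.117' with pre-shared key successful
IKE_SA lma[2] established between 74.61.156.175[74.61.156.175]...173.36.208.117[173.36.208.117]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

def asa_policies(log):
    """Group 'ESP: Proposal n: ...' lines under the Received/Expected header above them."""
    found, section = {"Received": [], "Expected": []}, None
    for line in log.splitlines():
        header = re.search(r"(Received|Expected) Policies:", line)
        if header:
            section = header.group(1)
        elif section and (m := re.match(r"\s*ESP: Proposal \d+: (.+)", line)):
            found[section].append(m.group(1).split())
    return found

def failed_phase(log):
    """Return which negotiation failed, judged only from charon's own messages."""
    ike_up = re.search(r"IKE_SA \S+ established", log) is not None
    no_prop = "NO_PROPOSAL_CHOSEN" in log
    if ike_up and no_prop:
        return "CHILD_SA"  # peer authenticated; only the ESP proposal was rejected
    return "IKE_SA" if no_prop else None

def vendor_ids(log):
    """Decode vendor IDs that are printable ASCII; leave the rest as hex."""
    out = []
    pattern = r"vendor ID: ((?:[0-9a-f]{2}:)*[0-9a-f]{2})"  # ignores a truncated last octet
    for hexstr in re.findall(pattern, log):
        raw = bytes.fromhex(hexstr.replace(":", ""))
        out.append(raw.decode("ascii") if all(32 <= b < 127 for b in raw) else hexstr)
    return out
```

On the quoted output, the ASA's "Expected Policies" list comes back empty while the charon side shows the IKE_SA established, so the failure is confined to the CHILD_SA (ESP) negotiation.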