[strongSwan] EC2 > Cisco VPN 3000

Ted Lifset ted at syapse.com
Fri May 9 05:37:14 CEST 2014


Hi -

Anybody have any success/advice connecting strongSwan to an end-of-life Cisco VPN 3000 Concentrator?

Am I missing something?

Thanks,

Ted

Original Message:

Hi -

I am struggling to successfully connect to a Cisco VPN 3000 Concentrator with strongSwan from an EC2 within a VPC. The peer will provide several specific boxes through the IP and my local will expose two.

The security association is established however the connection doesn’t appear to get fully established, getting stuck on QUICK_MODE.

Details of the configuration from the VPN 3000 Concentrator:

Peer Interface: PEER_EXTERNAL_IP
Connection: Bi-directional
Digital Certificate: None (Use Preshared Keys)
Certificate Transmission: Identity certificate only
Preshared Key: XXXX
Authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal IKE-3DES-MD5
Filter: None
IPSec NAT-T: Not checked
Bandwidth Policy: None
Routing: None
Diffie-Hellman: Group 2
IKE Phase 1: 1440 Minutes
IKE Phase 2: 3600 Seconds
Aggressive Mode: No
PFS: No

Local Network List:
	list of external public routable IPs
	xx.xx.xx.142/0.0.0.0.0
	…
	xx.xx.xx.149/0.0.0.0.0

Remote Network List:
	list of external public routable IPs
	xx.xx.xx.238/0.0.0.0.0
	xx.xx.xx.255/0.0.0.0.0

ipsec.conf

conn conn_name
        left=%defaultroute
        leftid=MY_EXTERNAL_IP
        leftsubnet=xx.xx.xx.238/32,xx.xx.xx.255/32
        leftsourceip=%config
        leftfirewall=yes
        right=PEER_EXTERNAL_IP
        rightid=PEER_EXTERNAL_IP
        rightsubnet=xx.xx.xx.142/32 … xx.xx.xx.149/32
        type=tunnel
        ike=3des-md5_128-modp1024
        esp=3des-md5_128!
        lifetime=3600s
        modeconfig=push
        dpddelay=1m
        dpdtimeout=3m
        dpdaction=clear
        auto=start

ipsec statusall:

Connections:
   conn_name:  %any... PEER_EXTERNAL_IP  IKEv1, dpddelay=60s
   conn_name:   local:  [MY_EXTERNAL_IP] uses pre-shared key authentication
   conn_name:   remote: [PEER_EXTERNAL_IP] uses pre-shared key authentication
   conn_name:   child:  xx.xx.xx.238/32 xx.xx.xx.255/32 === xx.xx.xx.142/32 …  xx.xx.xx.149/32 TUNNEL, dpdaction=clear

Security Associations (1 up, 0 connecting):
   conn_name[1]: ESTABLISHED 16 minutes ago, MY_INTERNAL_IP[MY_EXTERNAL_IP]…PEER_EXTERNAL_IP[PEER_EXTERNAL_IP]
   conn_name[1]: IKEv1 SPIs: 6183b9b43b9c5037_i* 1cb21d1a5f5c6e78_r, pre-shared key reauthentication in 23 hours
   conn_name[1]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
   conn_name[1]: Tasks queued: QUICK_MODE


Any ideas?

Thanks,
Ted
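As an added diagnostic, not part of the original thread: a small Python checker that reads `ipsec statusall` output and flags IKEv1 SAs that are ESTABLISHED with QUICK_MODE still queued and no CHILD_SA installed, which is the state the excerpt above shows. The sample output is constructed to mirror the post's excerpt, with RFC 5737 documentation addresses standing in for the masked ones, plus a second healthy connection for contrast.

```python
import re

# Constructed sample modelled on the `ipsec statusall` excerpt in the post:
# conn_name[1] has its IKE SA up but Quick Mode still queued and no CHILD_SA;
# other[2] is a healthy connection with an INSTALLED CHILD_SA.
SAMPLE_STATUS = """\
Security Associations (2 up, 0 connecting):
   conn_name[1]: ESTABLISHED 16 minutes ago, 10.0.1.5[203.0.113.10]...198.51.100.7[198.51.100.7]
   conn_name[1]: IKEv1 SPIs: 6183b9b43b9c5037_i* 1cb21d1a5f5c6e78_r, pre-shared key reauthentication in 23 hours
   conn_name[1]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
   conn_name[1]: Tasks queued: QUICK_MODE
   other[2]: ESTABLISHED 2 minutes ago, 10.0.1.5[203.0.113.10]...192.0.2.9[192.0.2.9]
   other[2]: IKEv1 SPIs: 0000000000000001_i* 0000000000000002_r, pre-shared key reauthentication in 23 hours
   other{1}:  INSTALLED, TUNNEL, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
   other{1}:   10.0.1.0/24 === 192.0.2.0/24
"""

# "name[id]: ..." lines describe an IKE SA; "name{id}: INSTALLED ..." lines a CHILD_SA
IKE_LINE = re.compile(r'^\s*(?P<name>\S+)\[(?P<id>\d+)\]:\s+(?P<rest>.*)$')
CHILD_LINE = re.compile(r'^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s+INSTALLED')

def parse_status(text):
    """Map 'name[id]' -> {name, established, queued tasks, installed CHILD_SA count}."""
    sas = {}
    last_for_name = {}  # most recently listed IKE SA per connection name
    for line in text.splitlines():
        m = IKE_LINE.match(line)
        if m:
            key = f"{m['name']}[{m['id']}]"
            sa = sas.setdefault(key, {"name": m['name'], "established": False,
                                      "queued": [], "children": 0})
            last_for_name[m['name']] = sa
            rest = m['rest']
            if rest.startswith("ESTABLISHED"):
                sa["established"] = True
            elif rest.startswith("Tasks queued:"):
                sa["queued"] += rest.split(":", 1)[1].split()
            continue
        m = CHILD_LINE.match(line)
        if m and m['name'] in last_for_name:
            # CHILD_SAs are listed under the IKE SA that carries them
            last_for_name[m['name']]["children"] += 1
    return sas

def stuck_in_quick_mode(text):
    """IKE SAs that are up, still have QUICK_MODE pending, and carry no CHILD_SA."""
    return sorted(key for key, sa in parse_status(text).items()
                  if sa["established"] and "QUICK_MODE" in sa["queued"]
                  and sa["children"] == 0)
```

Run it against the live output with `stuck_in_quick_mode(subprocess.check_output(["ipsec", "statusall"], text=True))`; a non-empty result means Phase 1 succeeded but Phase 2 never produced a tunnel, which is where the log for the peer's Quick Mode reply should be examined.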