[strongSwan] EC2 > Cisco VPN 3000

Noel Kuntze noel at familie-kuntze.de
Fri May 9 08:37:05 CEST 2014



Hello Ted,

Did you try enabling logging [1] and what do you see there? 

[1] http://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 09.05.2014 05:37, schrieb Ted Lifset:
> 
> Hi -
> 
> Anybody have any success/advice connecting strongswan to an end-of-life Cisco VPN 3000 Concentrator?
> 
> Am I missing something?
> 
> Thanks,
> 
> Ted
> 
> Original Message:
> 
> Hi - I am struggling to successfully connect to a Cisco VPN 3000 Concentrator with Strongswan from an EC2 within a VPC. The peer will provide several specific boxes through the IP and my local will expose two. The security association is established, however the connection doesn't appear to get fully established, getting stuck on QUICK_MODE.
> 
> Details of the configuration from the VPN 3000 Concentrator:
> 
> Peer Interface: PEER_EXTERNAL_IP
> Connection: Bi-directional
> Digital Certificate: None (Use Preshared Keys)
> Certificate Transmission: Identity certificate only
> Preshared Key: XXXX
> Authentication: ESP/MD5/HMAC-128
> Encryption: 3DES-168
> IKE Proposal: IKE-3DES-MD5
> Filter: None
> IPSec NAT-T: Not checked
> Bandwidth Policy: None
> Routing: None
> Diffie-Hellman: Group 2
> IKE Phase 1: 1440 Minutes
> IKE Phase 2: 3600 Seconds
> Aggressive Mode: No
> PFS: No
> Local Network List: list of external public routable IPs xx.xx.xx.142/0.0.0.0.0 … xx.xx.xx.149/0.0.0.0.0
> Remote Network List: list of external public routable IPs xx.xx.xx.238/0.0.0.0.0 xx.xx.xx.255/0.0.0.0.0
> 
> ipsec.conf:
> 
> conn conn_name
>     left=%defaultroute
>     leftid=MY_EXTERNAL_IP
>     leftsubnet=xx.xx.xx.238/32,xx.xx.xx.255/32
>     leftsourceip=%config
>     leftfirewall=yes
>     right=PEER_EXTERNAL_IP
>     rightid=PEER_EXTERNAL_IP
>     rightsubnet=xx.xx.xx.142/32 … xx.xx.xx.149/32
>     type=tunnel
>     ike=3des-md5_128-modp1024
>     esp=3des-md5_128!
>     lifetime=3600s
>     modeconfig=push
>     dpddelay=1m
>     dpdtimeout=3m
>     dpdaction=clear
>     auto=start
> 
> ipsec statusall:
> 
> Connections:
>    conn_name:  %any...PEER_EXTERNAL_IP  IKEv1, dpddelay=60s
>    conn_name:   local:  [MY_EXTERNAL_IP] uses pre-shared key authentication
>    conn_name:   remote: [PEER_EXTERNAL_IP] uses pre-shared key authentication
>    conn_name:   child:  xx.xx.xx.238/32 xx.xx.xx.255/32 === xx.xx.xx.142/32 … xx.xx.xx.149/32 TUNNEL, dpdaction=clear
> Security Associations (1 up, 0 connecting):
>    conn_name[1]: ESTABLISHED 16 minutes ago, MY_INTERNAL_IP[MY_EXTERNAL_IP]...PEER_EXTERNAL_IP[PEER_EXTERNAL_IP]
>    conn_name[1]: IKEv1 SPIs: 6183b9b43b9c5037_i* 1cb21d1a5f5c6e78_r, pre-shared key reauthentication in 23 hours
>    conn_name[1]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>    conn_name[1]: Tasks queued: QUICK_MODE
> 
> Any ideas?
> 
> Thanks,
> Ted
> 
> 
> 
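Noel's pointer to the logger configuration wiki, worked out as an added strongswan.conf example (not from the original thread): a charon filelog section that raises the ike, cfg and knl subsystems to level 2, which is where the Quick Mode proposal and traffic-selector negotiation and the resulting kernel policies are logged. The log path is an assumption.

```conf
# strongswan.conf (added example; /var/log/charon.log is an assumed path)
charon {
    filelog {
        /var/log/charon.log {
            # prefix every line with a timestamp and the IKE_SA name
            time_format = %b %e %T
            ike_name = yes
            append = no
            flush_line = yes
            # level 1 for every subsystem not listed below: basic control messages
            default = 1
            # level 2: configured/received proposals, traffic selectors, Quick Mode exchange
            ike = 2
            cfg = 2
            # level 2 on knl: whether the CHILD_SA and its policies reach the kernel
            knl = 2
            # keep packet decoding (enc) and raw packet I/O (net) at the basic level
            enc = 1
            net = 1
        }
    }
}
```

Restart charon after the change and bring the connection up again; the lines logged while `Tasks queued: QUICK_MODE` is pending are the ones to read, since a proposal or traffic-selector mismatch with the concentrator would be reported there.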

