[strongSwan] ERROR in TUNNEL BETWEEN ASA AND Strong swan

Tormod Macleod tormod.macleod at gmail.com
Fri Oct 2 17:55:16 CEST 2015


Hi Amine,

I noticed that you selected pfs=yes but you have not defined a
Diffie-Hellman group in the esp parameter. In order to enforce pfs for the
child sa you need to specify a Diffie-Hellman group in the esp parameter.

https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

Not sure if this is your problem but it may help.

Cheers,


Tormod

On 28 September 2015 at 21:21, Amine Eddarkaoui <drkamine at gmail.com> wrote:

> Hello all,
>
> My configuration in strongSwan is:
>
> config setup
>     # strictcrlpolicy=yes
>     # uniqueids = no
>
> conn %default
>     ikelifetime=86400s
>     keylife=36000s
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=secret
>     mobike=no
>
> conn ciscoios
>     left=@IP STRONGSWAN
>     leftsubnet=172.16.1.0/24
>     leftid=@IPSTRONGSWAN
>     leftfirewall=yes
>     right=IP ASA
>     rightsubnet=IP PRIVE
>     rightid=IP ASA
>     pfs=yes
>     auto=add
>     ike=aes256-sha512-modp1536
>     esp=aes256-sha1
>     keyexchange=ikev2
>
> include /var/lib/strongswan/ipsec.conf.inc
>
> The error is:
> initiating IKE_SA ciscoios[5] to @IP ASA
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from @IPSTRONGSWAN[500] to @IP ASA[500]
> received packet: from @IP ASA[500] to @IP STRONG[500]
> parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
> received unknown vendor id: 43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e
> received unknown vendor id: 43:49:53:43:4f:28:43:4f:50:59:52:49:47:48:54:29:26:43:6f:70:79:72:69:67:68:74:20:28:63:29:20:32:30:30:39:20:43:69:73:63:6f:20:53:79:73:74:65:6d:73:2c:20:49:6e:63:2e
> received unknown vendor id: 43:49:53:43:4f:2d:47:52:45:2d:4d:4f:44:45:02
> received unknown vendor id: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
> remote host is behind NAT
> authentication of '178.32.180.245' (myself) with pre-shared key
> establishing CHILD_SA ciscoios
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
> sending packet: from @IPSTRONG[4500] to ASA[4500]
> received packet: from ASA[4500] to STRONG[4500]
> parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
> authentication of '192.168.255.1' with pre-shared key successful
> constraint check failed: identity @IP ASA required
> selected peer config 'ciscoios' inacceptable
> no alternative config found
> --
> - VMware Certified Professional 5 – Data Center Virtualization (VCP5-DCV)
> - Microsoft Engineer
> - CISCO Engineer
> - Senior Linux Administrator
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
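A small review script for this kind of setup, added here as an example and not part of the thread or of strongSwan itself: it parses an ipsec.conf, applies the conn %default section, flags an esp proposal that names no Diffie-Hellman group (the point raised in the reply above), and reads a charon log excerpt for the "constraint check failed: identity ... required" line to show which identity the peer actually presented against the one rightid requires. The DH group keyword list, the RFC 5737 documentation addresses, and the sample config and log are constructed assumptions, not values from the thread.

```python
"""Review checks for a strongSwan ipsec.conf site-to-site conn (added example).

Reports (1) an esp proposal with no Diffie-Hellman group, which means no PFS is
negotiated for the CHILD_SA whatever pfs= says, and (2) a charon log where the
peer authenticated with one identity while rightid requires another. Config and
log are constructed samples modelled on the thread (RFC 5737 addresses).
"""
import re

# Assumption: representative strongSwan DH group keywords (modpNNNN with optional
# subgroup suffix, ecpNNN with optional brainpool suffix, curve25519/curve448).
DH_GROUP = re.compile(r"^(modp\d+(s\d+)?|ecp\d+(bp)?|curve25519|curve448)$")
SECTION = re.compile(r"^\s*(conn|config|ca)\s+(\S+)\s*$")
KEYVAL = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
AUTH_OK = re.compile(r"authentication of '([^']+)' with pre-shared key successful")
CONSTRAINT = re.compile(r"constraint check failed: identity (.+?) required")


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn.

    Tolerates flattened indentation (as in a pasted config): a line starting with
    conn/config/ca opens a section, any key=value line joins the current one.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # '#' starts a comment
        if not line.strip():
            continue
        m = SECTION.match(line)
        if m:
            current = (m.group(1), m.group(2))
            sections.setdefault(current, {})
            continue
        m = KEYVAL.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}


def proposal_has_dh_group(proposal):
    """True if any proposal in a comma-separated ike/esp string names a DH group."""
    return any(DH_GROUP.match(part)
               for prop in proposal.split(",")
               for part in prop.strip().rstrip("!").split("-"))


def check_conn(name, params):
    """Findings for one conn section; an empty list means nothing was flagged."""
    esp = params.get("esp")
    if esp and not proposal_has_dh_group(esp):
        note = " (pfs=yes does not add one)" if params.get("pfs", "").lower() == "yes" else ""
        return [f"{name}: esp={esp!r} has no DH group, so no PFS for the CHILD_SA{note}"]
    return []


def check_log(log_text):
    """Return a message if the peer's authenticated identity differs from the required one."""
    peer_id = required = None
    for line in log_text.splitlines():
        if (m := AUTH_OK.search(line)) and "(myself)" not in line:
            peer_id = m.group(1)
        if m := CONSTRAINT.search(line):
            required = m.group(1)
    if peer_id and required and peer_id != required:
        return f"peer authenticated as {peer_id!r} but rightid requires {required!r}"
    return None


# Constructed sample modelled on the posted config (endpoints replaced).
SAMPLE_CONF = """\
conn %default
    keyexchange=ikev2
    authby=secret

conn ciscoios
    left=203.0.113.10
    leftid=203.0.113.10
    right=198.51.100.20
    rightid=198.51.100.20
    pfs=yes
    ike=aes256-sha512-modp1536
    esp=aes256-sha1
"""
# Same conn with a DH group added to the esp proposal, as the reply suggests.
FIXED_CONF = SAMPLE_CONF.replace("esp=aes256-sha1", "esp=aes256-sha1-modp1536")

# Constructed log excerpt modelled on the posted charon output.
SAMPLE_LOG = """\
authentication of '203.0.113.10' (myself) with pre-shared key
authentication of '192.168.255.1' with pre-shared key successful
constraint check failed: identity 198.51.100.20 required
selected peer config 'ciscoios' inacceptable
"""

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("with DH group", FIXED_CONF)):
        for name, params in parse_ipsec_conf(conf).items():
            print(label, "->", check_conn(name, params) or "ok")
    print(check_log(SAMPLE_LOG))
```

Run against the posted config, the script flags the esp line; with a DH group appended it reports nothing. The log check is the more telling part of this thread: the peer authenticated as '192.168.255.1', a private address behind the NAT the log also reports, while the conn requires the ASA's public address as rightid, so the identity constraint fails even though the PSK was accepted.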