[strongSwan] Unable to connect with Cisco VPN client

Yo Tu supercoco at gmail.com
Fri Oct 23 13:16:57 CEST 2015


Hello

I have tried to make this work for some days without success. I have
read documentation, forums...
I just need to enable a Cisco VPN client roadwarrior to access the
10.10.10.0/24 subnet behind the x.y.z.d strongSwan server, with split tunneling.

I would appreciate any clue to achieve the connection! I am pretty sure the
issue is very simple... but I'm not able to see it.

I am using CentOS Linux release 7.1.1503 with the latest strongSwan version:
[root at Strongswan ~]#  strongswan --version
Linux strongSwan U5.3.2/K3.10.0-123.4.4.el7.x86_64


Here you have the server configuration:


# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"


conn %default
        ikelifetime=28800
        keylife=60m
        rekeymargin=3m
        keyingtries=1

conn roadwarrior
        keyexchange=ikev1
        esp=aes128-sha1!
        ike=aes128-sha1-modp1024!
        aggressive = yes
        left=x.y.z.d        << server's public IP address
        leftid=@group       << I use group authentication in Cisco's VPN client
        leftauth=psk
        leftsubnet=10.10.10.0/24        << server's private LAN
        right=%any
        rightsourceip=10.10.20.0/24     << IP range to be assigned to roadwarriors
        rightsubnet=0.0.0.0/0           << to accept leftsubnet network
        rightauth=psk
        rightauth2=xauth
        xauth=server
        auto=add


The ipsec.secrets file:
x.y.z.d %any : PSK "pskpassword"
x.y.z.d @group : PSK "pskpassword"

#users
john.doe : XAUTH "password"

##############


and here's what I added to strongswan.conf:

        cisco_unity = yes
        split-include=10.10.10.0/24
        split-exclude=0.0.0.0/0
        i_dont_care_about_security_and_use_aggressive_mode_psk = yes

Please just take a look at the log after a try:
Oct 23 13:04:00 Strongswan charon: 10[MGR] check-in of IKE_SA successful.
Oct 23 13:04:00 Strongswan charon: 04[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:00 Strongswan charon: 04[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:00 Strongswan charon: 04[MGR] check-in of IKE_SA successful.
Oct 23 13:04:00 Strongswan charon: 02[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500]
Oct 23 13:04:00 Strongswan charon: 02[NET] waiting for data on sockets
Oct 23 13:04:00 Strongswan charon: 11[MGR] checkout IKE_SA by message
Oct 23 13:04:00 Strongswan charon: 11[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:00 Strongswan charon: 11[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500] (188 bytes)
Oct 23 13:04:00 Strongswan charon: 11[ENC] unknown attribute type (28683)
Oct 23 13:04:00 Strongswan charon: 11[ENC] unknown attribute type (28684)
Oct 23 13:04:00 Strongswan charon: 11[ENC] parsed TRANSACTION request
1315079114 [ HASH CPRQ(ADDR MASK DNS NBNS EXP U_BANNER U_SAVEPWD U_DEFDOM
U_SPLITINC U_SPLITDNS U_PFS (28683) U_BKPSRV (28684) VER U_FWTYPE
U_DDNSHOST) ]
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing INTERNAL_IP4_ADDRESS
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing INTERNAL_IP4_NETMASK
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing INTERNAL_IP4_DNS
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing INTERNAL_IP4_NBNS
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing
INTERNAL_ADDRESS_EXPIRY attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_BANNER attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_SAVE_PASSWD
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_DEF_DOMAIN
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_SPLIT_INCLUDE
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_SPLITDNS_NAME
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_PFS attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing (28683) attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_BACKUP_SERVERS
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing (28684) attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing APPLICATION_VERSION
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_FW_TYPE
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] processing UNITY_DDNS_HOSTNAME
attribute
Oct 23 13:04:00 Strongswan charon: 11[IKE] peer requested virtual IP %any
Oct 23 13:04:00 Strongswan charon: 11[CFG] reassigning offline lease to
'john.doe'
Oct 23 13:04:00 Strongswan charon: 11[IKE] assigning virtual IP 10.10.20.1
to peer 'john.doe'
Oct 23 13:04:00 Strongswan charon: 11[ENC] generating TRANSACTION response
1315079114 [ HASH CPRP(ADDR U_LOCALLAN) ]
Oct 23 13:04:00 Strongswan charon: 11[NET] sending packet: from
x.y.z.d[4500] to 212.1.13.1[53145] (92 bytes)
Oct 23 13:04:00 Strongswan charon: 11[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:00 Strongswan charon: 11[MGR] check-in of IKE_SA successful.
Oct 23 13:04:00 Strongswan charon: 03[NET] sending packet: from
x.y.z.d[4500] to 212.1.13.1[53145]
Oct 23 13:04:00 Strongswan charon: 02[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500]
Oct 23 13:04:00 Strongswan charon: 02[NET] waiting for data on sockets
Oct 23 13:04:00 Strongswan charon: 12[MGR] checkout IKE_SA by message
Oct 23 13:04:00 Strongswan charon: 12[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:00 Strongswan charon: 12[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500] (1036 bytes)
Oct 23 13:04:00 Strongswan charon: 12[ENC] parsed QUICK_MODE request
1844352540 [ HASH SA No ID ID ]
Oct 23 13:04:00 Strongswan charon: 12[CFG] looking for a child config for
0.0.0.0/0 === 10.10.20.1/32
Oct 23 13:04:00 Strongswan charon: 12[CFG] proposing traffic selectors for
us:
Oct 23 13:04:00 Strongswan charon: 12[CFG]  10.10.10.0/24
Oct 23 13:04:00 Strongswan charon: 12[CFG] proposing traffic selectors for
other:
Oct 23 13:04:00 Strongswan charon: 12[CFG]  0.0.0.0/0
Oct 23 13:04:00 Strongswan charon: 12[CFG]   candidate "roadwarrior" with
prio 1+1
Oct 23 13:04:00 Strongswan charon: 12[CFG] found matching child config
"roadwarrior" with prio 2
Oct 23 13:04:00 Strongswan charon: 12[CFG] selecting traffic selectors for
other:
Oct 23 13:04:00 Strongswan charon: 12[CFG]  config: 0.0.0.0/0, received:
10.10.20.1/32 => match: 10.10.20.1/32
Oct 23 13:04:00 Strongswan charon: 12[CFG] selecting traffic selectors for
us:
Oct 23 13:04:00 Strongswan charon: 12[CFG]  config: 10.10.10.0/24,
received: 0.0.0.0/0 => match: 10.10.10.0/24
Oct 23 13:04:00 Strongswan charon: 12[CFG] selecting proposal:
Oct 23 13:04:00 Strongswan charon: 12[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Oct 23 13:04:00 Strongswan charon: 12[CFG] selecting proposal:
Oct 23 13:04:00 Strongswan charon: 12[CFG]   no acceptable
ENCRYPTION_ALGORITHM found
Oct 23 13:04:00 Strongswan charon: 12[CFG] selecting proposal:
Oct 23 13:04:00 Strongswan charon: 12[CFG]   no acceptable
INTEGRITY_ALGORITHM found
Oct 23 13:04:00 Strongswan charon: 12[CFG] selecting proposal:
Oct 23 13:04:00 Strongswan charon: 12[CFG]   proposal matches
Oct 23 13:04:00 Strongswan charon: 12[CFG] received proposals:
ESP:AES_CBC_256/HMAC_MD5_96/NO_EXT_SEQ,
ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_MD5_96/NO_EXT_SEQ,
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ,
ESP:DES_CBC/HMAC_MD5_96/NO_EXT_SEQ, ESP:NULL/HMAC_MD5_96/NO_EXT_SEQ,
ESP:NULL/HMAC_SHA1_96/NO_EXT_SEQ
Oct 23 13:04:00 Strongswan charon: 12[CFG] configured proposals:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 23 13:04:00 Strongswan charon: 12[CFG] selected proposal:
ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 23 13:04:00 Strongswan charon: 12[IKE] received 2147483s lifetime,
configured 3600s
Oct 23 13:04:00 Strongswan charon: 12[KNL] got SPI ccd606c3
Oct 23 13:04:00 Strongswan charon: 12[ENC] generating QUICK_MODE response
1844352540 [ HASH SA No ID ID ]
Oct 23 13:04:00 Strongswan charon: 12[NET] sending packet: from
x.y.z.d[4500] to 212.1.13.1[53145] (188 bytes)
Oct 23 13:04:00 Strongswan charon: 12[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:00 Strongswan charon: 12[MGR] check-in of IKE_SA successful.
Oct 23 13:04:00 Strongswan charon: 03[NET] sending packet: from
x.y.z.d[4500] to 212.1.13.1[53145]
Oct 23 13:04:01 Strongswan charon: 02[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500]
Oct 23 13:04:01 Strongswan charon: 02[NET] waiting for data on sockets
Oct 23 13:04:01 Strongswan charon: 06[MGR] checkout IKE_SA by message
Oct 23 13:04:01 Strongswan charon: 06[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:01 Strongswan charon: 06[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500] (76 bytes)
Oct 23 13:04:01 Strongswan charon: 06[ENC] parsed INFORMATIONAL_V1 request
1529379188 [ HASH D ]
Oct 23 13:04:01 Strongswan charon: 06[IKE] received DELETE for ESP CHILD_SA
with SPI a6a084da
Oct 23 13:04:01 Strongswan charon: 06[IKE] CHILD_SA not found, ignored
Oct 23 13:04:01 Strongswan charon: 06[IKE] activating new tasks
Oct 23 13:04:01 Strongswan charon: 06[IKE] nothing to initiate
Oct 23 13:04:01 Strongswan charon: 06[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:01 Strongswan charon: 06[MGR] check-in of IKE_SA successful.
Oct 23 13:04:01 Strongswan charon: 14[MGR] checkout IKE_SA
Oct 23 13:04:01 Strongswan charon: 14[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:01 Strongswan charon: 14[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:01 Strongswan charon: 14[MGR] check-in of IKE_SA successful.
Oct 23 13:04:01 Strongswan charon: 13[MGR] checkout IKE_SA
Oct 23 13:04:01 Strongswan charon: 13[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:01 Strongswan charon: 13[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:01 Strongswan charon: 13[MGR] check-in of IKE_SA successful.
Oct 23 13:04:04 Strongswan charon: 04[MGR] checkout IKE_SA
Oct 23 13:04:04 Strongswan charon: 04[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:04 Strongswan charon: 04[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:04 Strongswan charon: 04[MGR] check-in of IKE_SA successful.
Oct 23 13:04:04 Strongswan charon: 11[MGR] checkout IKE_SA
Oct 23 13:04:04 Strongswan charon: 11[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:04 Strongswan charon: 11[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:04 Strongswan charon: 11[MGR] check-in of IKE_SA successful.
Oct 23 13:04:11 Strongswan charon: 02[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500]
Oct 23 13:04:11 Strongswan charon: 02[NET] waiting for data on sockets
Oct 23 13:04:11 Strongswan charon: 13[MGR] checkout IKE_SA by message
Oct 23 13:04:11 Strongswan charon: 13[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:11 Strongswan charon: 13[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500] (92 bytes)
Oct 23 13:04:11 Strongswan charon: 13[ENC] parsed INFORMATIONAL_V1 request
963975998 [ HASH N(DPD) ]
Oct 23 13:04:11 Strongswan charon: 13[IKE] queueing ISAKMP_DPD task
Oct 23 13:04:11 Strongswan charon: 13[IKE] activating new tasks
Oct 23 13:04:11 Strongswan charon: 13[IKE]   activating ISAKMP_DPD task
Oct 23 13:04:11 Strongswan charon: 13[ENC] generating INFORMATIONAL_V1
request 2712358554 [ HASH N(DPD_ACK) ]
Oct 23 13:04:11 Strongswan charon: 13[NET] sending packet: from
x.y.z.d[4500] to 212.1.13.1[53145] (92 bytes)
Oct 23 13:04:11 Strongswan charon: 13[IKE] activating new tasks
Oct 23 13:04:11 Strongswan charon: 13[IKE] nothing to initiate
Oct 23 13:04:11 Strongswan charon: 13[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:11 Strongswan charon: 13[MGR] check-in of IKE_SA successful.
Oct 23 13:04:11 Strongswan charon: 03[NET] sending packet: from
x.y.z.d[4500] to 212.1.13.1[53145]
Oct 23 13:04:17 Strongswan charon: 14[MGR] checkout IKE_SA
Oct 23 13:04:17 Strongswan charon: 14[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:17 Strongswan charon: 14[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:17 Strongswan charon: 14[MGR] check-in of IKE_SA successful.
Oct 23 13:04:21 Strongswan charon: 02[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500]
Oct 23 13:04:21 Strongswan charon: 02[NET] waiting for data on sockets
Oct 23 13:04:21 Strongswan charon: 07[MGR] checkout IKE_SA by message
Oct 23 13:04:21 Strongswan charon: 07[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:21 Strongswan charon: 07[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500] (92 bytes)
Oct 23 13:04:21 Strongswan charon: 07[ENC] parsed INFORMATIONAL_V1 request
3171125211 [ HASH N(DPD) ]
Oct 23 13:04:21 Strongswan charon: 07[IKE] queueing ISAKMP_DPD task
Oct 23 13:04:21 Strongswan charon: 07[IKE] activating new tasks
Oct 23 13:04:21 Strongswan charon: 07[IKE]   activating ISAKMP_DPD task
Oct 23 13:04:21 Strongswan charon: 07[ENC] generating INFORMATIONAL_V1
request 2784795614 [ HASH N(DPD_ACK) ]
Oct 23 13:04:21 Strongswan charon: 07[NET] sending packet: from
x.y.z.d[4500] to 212.1.13.1[53145] (92 bytes)
Oct 23 13:04:21 Strongswan charon: 07[IKE] activating new tasks
Oct 23 13:04:21 Strongswan charon: 07[IKE] nothing to initiate
Oct 23 13:04:21 Strongswan charon: 07[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:21 Strongswan charon: 07[MGR] check-in of IKE_SA successful.
Oct 23 13:04:21 Strongswan charon: 03[NET] sending packet: from
x.y.z.d[4500] to 212.1.13.1[53145]
Oct 23 13:04:27 Strongswan charon: 07[MGR] checkout IKE_SA
Oct 23 13:04:27 Strongswan charon: 07[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:27 Strongswan charon: 07[MGR] checkin IKE_SA roadwarrior[3]
Oct 23 13:04:27 Strongswan charon: 07[MGR] check-in of IKE_SA successful.
Oct 23 13:04:31 Strongswan charon: 02[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500]
Oct 23 13:04:31 Strongswan charon: 02[NET] waiting for data on sockets
Oct 23 13:04:31 Strongswan charon: 11[MGR] checkout IKE_SA by message
Oct 23 13:04:31 Strongswan charon: 11[MGR] IKE_SA roadwarrior[3]
successfully checked out
Oct 23 13:04:31 Strongswan charon: 11[NET] received packet: from
212.1.13.1[53145] to x.y.z.d[4500] (92 bytes)
Oct 23 13:04:31 Strongswan charon: 11[ENC] parsed INFORMATIONAL_V1 request
702680579 [ HASH D ]
Oct 23 13:04:31 Strongswan charon: 11[IKE] received DELETE for IKE_SA
roadwarrior[3]
Oct 23 13:04:31 Strongswan charon: 11[IKE] deleting IKE_SA roadwarrior[3]
between x.y.z.d[gigas]...212.1.13.1[gigas]
Oct 23 13:04:31 Strongswan charon: 11[IKE] IKE_SA roadwarrior[3] state
change: ESTABLISHED => DELETING
Oct 23 13:04:31 Strongswan charon: 11[IKE] IKE_SA roadwarrior[3] state
change: DELETING => DELETING
Oct 23 13:04:31 Strongswan charon: 11[KNL] deleting SAD entry with SPI
ccd606c3  (mark 0/0x00000000)
Oct 23 13:04:31 Strongswan charon: 11[KNL] deleted SAD entry with SPI
ccd606c3 (mark 0/0x00000000)
Oct 23 13:04:31 Strongswan charon: 11[MGR] checkin and destroy IKE_SA
roadwarrior[3]
Oct 23 13:04:31 Strongswan charon: 11[IKE] IKE_SA roadwarrior[3] state
change: DELETING => DESTROYING
Oct 23 13:04:31 Strongswan charon: 11[CFG] lease 10.10.20.1 by 'john.doe'
went offline
Oct 23 13:04:31 Strongswan charon: 11[MGR] check-in and destroy of IKE_SA
successful
Oct 23 13:04:31 Strongswan charon: 12[MGR] checkout IKE_SA

thanks!!!!
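An added diagnostic, not part of this thread or of strongSwan itself: a Python script that summarises a charon log like the one above. It re-joins mail-wrapped lines, lists the ModeConfig attributes the client requested (CPRQ) that the server never returned (CPRP), and records whether a CHILD_SA was ever reported established and whether the peer sent the DELETEs seen here. The sample lines are constructed from the post's log; the function names are my own.

```python
import re

# Constructed sample modelled on the charon log quoted above (mail wrapping kept).
SAMPLE_LOG = """\
Oct 23 13:04:00 Strongswan charon: 11[ENC] parsed TRANSACTION request
1315079114 [ HASH CPRQ(ADDR MASK DNS NBNS EXP U_BANNER U_SAVEPWD U_DEFDOM
U_SPLITINC U_SPLITDNS U_PFS (28683) U_BKPSRV (28684) VER U_FWTYPE U_DDNSHOST) ]
Oct 23 13:04:00 Strongswan charon: 11[ENC] generating TRANSACTION response 1315079114 [ HASH CPRP(ADDR U_LOCALLAN) ]
Oct 23 13:04:01 Strongswan charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI a6a084da
Oct 23 13:04:01 Strongswan charon: 06[IKE] CHILD_SA not found, ignored
Oct 23 13:04:31 Strongswan charon: 11[IKE] received DELETE for IKE_SA roadwarrior[3]
"""
FLAGS = {  # log markers that decide how the exchange ended
    "established with SPIs": "child_sa_established",
    "CHILD_SA not found, ignored": "peer_deleted_unknown_child",
    "received DELETE for IKE_SA": "ike_sa_deleted_by_peer",
}

def unwrap(text):
    """Re-join mail-wrapped lines: no syslog timestamp means continuation."""
    return re.sub(r"\n(?![A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )", " ",
                  text.strip()).splitlines()

def cp_attrs(line, kind):
    """Attribute names inside CPRQ(...) or CPRP(...). Unknown attributes are
    logged as '(28683)', so nesting depth must be tracked to find the end."""
    start = line.find(kind + "(")
    if start < 0:
        return None
    depth, buf = 0, []
    for ch in line[start + len(kind):]:
        depth += (ch == "(") - (ch == ")")
        if depth == 0:
            break
        buf.append(ch)
    return "".join(buf).lstrip("(").split()

def analyse(text):
    """Which ModeConfig attributes the client asked for but never received,
    and how the session ended (see FLAGS)."""
    requested, answered = [], []
    r = {key: False for key in FLAGS.values()}
    for line in unwrap(text):
        requested = cp_attrs(line, "CPRQ") or requested
        answered = cp_attrs(line, "CPRP") or answered
        for marker, key in FLAGS.items():
            r[key] = r[key] or marker in line
    r["unanswered_attrs"] = [a for a in requested if a not in answered]
    return r
```

Run against the log above it reports U_SPLITINC among the unanswered attributes (the response carried only ADDR and U_LOCALLAN) and no CHILD_SA established, which is where to start looking when split tunneling is the goal.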