[strongSwan] ERROR in TUNNEL BETWEEN ASA AND strongSwan

Amine Eddarkaoui drkamine at gmail.com
Mon Sep 28 22:21:38 CEST 2015


Hello all,

My configuration in strongSwan is:

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=86400s
    keylife=36000s
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    mobike=no

conn ciscoios
    left=@IP STRONGSWAN
    leftsubnet=172.16.1.0/24
    leftid=@IPSTONGSWAN
    leftfirewall=yes
    right=IP ASA
    rightsubnet=IP PRIVE
    rightid=IP ASA
    pfs=yes
    auto=add
    ike=aes256-sha512-modp1536
    esp=aes256-sha1
    keyexchange=ikev2

include /var/lib/strongswan/ipsec.conf.inc

The error is:
initiating IKE_SA ciscoios[5] to @IP ASA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from @IPSTRONGSWAN[500] to @IP ASA[500]
received packet: from @IP ASA [500] to @IP STRONG[500]
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
received unknown vendor id: 43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e
received unknown vendor id: 43:49:53:43:4f:28:43:4f:50:59:52:49:47:48:54:29:26:43:6f:70:79:72:69:67:68:74:20:28:63:29:20:32:30:30:39:20:43:69:73:63:6f:20:53:79:73:74:65:6d:73:2c:20:49:6e:63:2e
received unknown vendor id: 43:49:53:43:4f:2d:47:52:45:2d:4d:4f:44:45:02
received unknown vendor id: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
remote host is behind NAT
authentication of '178.32.180.245' (myself) with pre-shared key
establishing CHILD_SA ciscoios
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
sending packet: from @IPSTRONG[4500] to ASA [4500]
received packet: from ASA [4500] to STRONG [4500]
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '192.168.255.1' with pre-shared key successful
constraint check failed: identity @IP ASA required
selected peer config 'ciscoios' inacceptable
no alternative config found
-- 
- VMware Certified Professional 5 – Data Center Virtualization (VCP5-DCV)
- Microsoft Engineer
- Cisco Engineer
- Senior Linux Administrator
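
The log in the post ends with strongSwan rejecting the peer config because the identity the ASA authenticated with differs from the one the connection requires. As an added example, not part of the original post and not strongSwan code, the Python below extracts both identities, the NAT detection result and the vendor IDs from charon output. The sample lines are copied from the post (the "@IP ASA" redaction is kept), and the function names are this example's own.

```python
import re

# Log lines copied from the post above; the poster's "@IP ASA" redaction is kept.
SAMPLE_LOG = """\
received unknown vendor id: 43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e
received unknown vendor id: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
remote host is behind NAT
authentication of '178.32.180.245' (myself) with pre-shared key
authentication of '192.168.255.1' with pre-shared key successful
constraint check failed: identity @IP ASA required
"""

# Patterns follow the message wording shown in the post; quotes around the
# required identity are optional so the redacted line also matches.
PEER_AUTH = re.compile(r"authentication of '([^']+)' with .+ successful")
REQUIRED = re.compile(r"constraint check failed: identity '?(.+?)'? required")
VENDOR = re.compile(r"received unknown vendor id: ([0-9a-fA-F:]+)")


def decode_vendor_id(hex_colon):
    """Return the vendor ID as text when every byte is printable ASCII, else the hex."""
    raw = bytes.fromhex(hex_colon.replace(":", ""))
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return hex_colon


def diagnose(log):
    """Extract the identity the peer proved, the identity required, and NAT state."""
    out = {"peer_id": None, "required_id": None, "nat": False, "vendors": []}
    for line in log.splitlines():
        peer, req, vid = PEER_AUTH.search(line), REQUIRED.search(line), VENDOR.search(line)
        if peer:
            out["peer_id"] = peer.group(1)
        elif req:
            out["required_id"] = req.group(1)
        elif vid:
            out["vendors"].append(decode_vendor_id(vid.group(1)))
        elif "remote host is behind NAT" in line:
            out["nat"] = True
    # A mismatch is what makes charon report the peer config as unacceptable.
    out["id_mismatch"] = out["required_id"] is not None and out["peer_id"] != out["required_id"]
    return out


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```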