[strongSwan] Phase 2 ESP Failing between StrongSWAN 5.3.5 and Cisco VPN 3000
Mahesh Neelakanta
neelakanta at gmail.com
Sun Oct 2 21:23:55 CEST 2016
Closing the loop on this thread. Had the remote end switch to a Cisco ASA
(with no changes on our strongswan end) and the connection came up.
Here is the relevant log entry from the Cisco 3000 series end. I am
guessing we could have tried "nat_traversal = no" ?
56415 09/20/2016 08:56:57.190 SEV=3 IKE/134 RPT=48544 50.15.201.20
Group [50.15.201.20]
Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal.
Verify local and remote LAN-to-LAN connection lists.
56418 09/20/2016 08:56:57.590 SEV=5 IKE/172 RPT=2762 50.15.201.20
Group [50.15.201.20]
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end is NOT behind a NAT device
On Mon, Sep 19, 2016 at 4:06 AM, Tobias Brunner <tobias at strongswan.org>
wrote:
> Hi Mahesh,
>
> > It seems that phase 1 IKE is working but not phase 2 ESP. I've tried
> > different settings for ike= to no avail. Config and brief log below and
> > extended log attached.
>
> You should check the responder's log. It seems to immediately delete
> the IKE_SA after receiving the Quick Mode request, perhaps it also logs
> the reason why it did so.
>
> Regards,
> Tobias
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161002/779d819d/attachment.html>
More information about the Users
mailing list