[strongSwan] Phase 2 ESP Failing between StrongSWAN 5.3.5 and Cisco VPN 3000

Mahesh Neelakanta neelakanta at gmail.com
Sat Sep 17 20:35:49 CEST 2016


Hi,
 I am trying to do some VPN connectivity tests between strongswan 5.3.5
and Cisco VPN 3000 concentrator. The same strongswan config works with a
Cisco ASA but not with the Cisco VPN 3000. I've attached the strongswan
side of the logs and config is below.

It seems that phase 1 IKE is working but not phase 2 ESP. I've tried
different settings for ike= to no avail. Config and brief log below and
extended log attached.



config setup
   uniqueids = no
   charondebug = ike 2

conn %default
   left=%defaultroute
   leftid=50.15.112.15
   keyingtries=%forever
   keyexchange=ikev1
   type=tunnel
   compress=no
   authby=secret
   auto=start
   dpdaction=none
   ikelifetime=28800s
   keylife=28800s

conn vpp
   leftsubnet=50.15.201.20/32
   right=60.24.21.12
   rightid=60.24.21.12
   rightsubnet=172.5.100.40/32
   ike=aes256-sha1-modp1024
   esp=aes256-sha1-modp1024

=====================
# ipsec up vpp

received packet: from 60.24.21.12[500] to 10.20.1.18[500] (128 bytes)
parsed ID_PROT response 0 [ SA V V ]
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.20.1.18[500] to 60.24.21.12[500] (244 bytes)
received packet: from 60.24.21.12[500] to 10.20.1.18[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: a0:14:d0:24:f5:b5:55:52:db:47:15:21:de:70:63:28
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:04:01
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH ]
sending packet: from 10.20.1.18[4500] to 60.24.21.12[4500] (76 bytes)
received packet: from 60.24.21.12[4500] to 10.20.1.18[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA vpp[10275] established between
10.20.1.18[50.15.112.15]...60.24.21.12[60.24.21.12]
scheduling reauthentication in 27966s
maximum IKE_SA lifetime 28506s
generating QUICK_MODE request 960214791 [ HASH SA No KE ID ID ]
sending packet: from 10.20.1.18[4500] to 60.24.21.12[4500] (316 bytes)
received packet: from 60.24.21.12[4500] to 10.20.1.18[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3007622594 [ HASH D ]
received DELETE for IKE_SA vpp[10275]
deleting IKE_SA vpp[10275] between
10.20.1.18[50.15.112.15]...60.24.21.12[60.24.21.12]
establishing connection 'vpp' failed

=============================
thanks,
mahesh
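An added triage helper for the charon output quoted above (example code, not part of the original post or of strongSwan): it walks `charondebug = ike 2` lines and reports whether phase 1 came up, whether the QUICK_MODE request was answered or the peer responded with a DELETE instead, and whether the request carried a KE payload, which is what the modp1024 group in `esp=` adds (PFS). The sample log is a constructed subset of the lines in the post.

```python
import re

# Constructed sample: a subset of the charon lines quoted in the post above.
SAMPLE_LOG = """\
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received XAuth vendor ID
received unknown vendor ID: a0:14:d0:24:f5:b5:55:52:db:47:15:21:de:70:63:28
local host is behind NAT, sending keep alives
IKE_SA vpp[10275] established between
generating QUICK_MODE request 960214791 [ HASH SA No KE ID ID ]
sending packet: from 10.20.1.18[4500] to 60.24.21.12[4500] (316 bytes)
received packet: from 60.24.21.12[4500] to 10.20.1.18[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3007622594 [ HASH D ]
received DELETE for IKE_SA vpp[10275]
establishing connection 'vpp' failed
"""


def analyze_charon_log(text):
    """Classify an IKEv1 negotiation from charon log lines.

    phase1: "established" once an IKE_SA is reported established.
    phase2: "not_attempted" (no QUICK_MODE sent), "pending" (sent, unanswered),
            "rejected_by_peer" (peer sent DELETE while our request was pending),
            "response_received" or "established" (CHILD_SA reported).
    pfs:    True if our QUICK_MODE request carried a KE payload.
    vendor_ids: vendor IDs the peer announced (unknown ones kept as hex).
    """
    state = {"phase1": "none", "phase2": "not_attempted", "pfs": False, "vendor_ids": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"received unknown vendor ID: (\S+)", line)
        if m:
            state["vendor_ids"].append("unknown:" + m.group(1))
            continue
        m = re.match(r"received (.+) vendor ID$", line)
        if m:
            state["vendor_ids"].append(m.group(1))
            continue
        if re.match(r"IKE_SA \S+ established", line):
            state["phase1"] = "established"
            continue
        m = re.match(r"generating QUICK_MODE request \d+ \[(.*)\]", line)
        if m:
            state["phase2"] = "pending"
            state["pfs"] = "KE" in m.group(1).split()  # KE payload => PFS proposed
            continue
        if re.match(r"parsed QUICK_MODE response", line):
            state["phase2"] = "response_received"
        elif re.match(r"CHILD_SA \S+ established", line):
            state["phase2"] = "established"
        elif re.match(r"received DELETE for IKE_SA", line) and state["phase2"] == "pending":
            state["phase2"] = "rejected_by_peer"  # peer tore down the IKE_SA instead of answering
    return state
```

A `rejected_by_peer` result with `pfs` set means the concentrator dropped the IKE_SA without answering a PFS-enabled quick mode proposal, so the peer's phase 2 settings (PFS group and ESP transform) are the first thing to compare against `esp=`.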