[strongSwan] Two problems with cisco and sonicwall.
Jordi Casanellas
matalaaranya at gmail.com
Tue Mar 21 16:38:10 CET 2017
Hello,
Thank you very much, I have finally been able to bring up the tunnel
correctly with the ASA.
I have three tunnels left to bring up: one to a Fortigate, one to a
Zyxel and one to a Netgear.
Fortigate:
ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
uptime: 60 seconds, since Mar 21 16:30:24 2017
malloc: sbrk 1462272, mmap 0, used 312736, free 1149536
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
81.25.126.250
10.200.1.1
Connections:
evamsterdam: 81.25.126.250...46.16.59.216 IKEv1/2
evamsterdam: local: [81.25.126.250] uses pre-shared key authentication
evamsterdam: remote: [46.16.59.216] uses pre-shared key authentication
evamsterdam: child: 10.200.1.0/24 === 172.20.1.0/24 TUNNEL
Routed Connections:
evamsterdam{1}: ROUTED, TUNNEL
evamsterdam{1}: 10.200.1.0/24 === 172.20.1.0/24
Security Associations (1 up, 0 connecting):
evamsterdam[3]: CONNECTING, 81.25.126.250[%any]...46.16.59.216[%any]
evamsterdam[3]: IKEv2 SPIs: 03306b155e476faf_i* 0000000000000000_r
evamsterdam[3]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD
IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE
IKE_AUTH_LIFETIME IKE_MOBIKE
iptables-save
is empty (but the VPNs to the SonicWall and the Cisco are working perfectly).
VPN configuration:
config setup

conn evamsterdam
    left=81.25.126.250
    leftsubnet=10.200.1.0/24
    leftid=81.25.126.250
    right=46.16.59.216
    rightid=46.16.59.216
    rightsubnet=172.20.1.0/24
    # Encryption
    keyingtries=0
    esp=3des-sha1-modp1024
    ike=3des-sha1-modp1024
    keyexchange=ikev1
    authby=secret
    rekey=yes
    # lifetime
    ikelifetime=60s
    lifetime=8h
    auto=route
    #compress=no
    #forceencaps=yes
ipsec.secrets is fine.
Error in log: no IKE config found for 81.25.126.250...95.97.32.250,
sending NO_PROPOSAL_CHOSEN
Thank you!
2017-03-21 13:58 GMT+01:00 Noel Kuntze <noel at familie-kuntze.de>:
> On 21.03.2017 13:18, Jordi Casanellas wrote:
>> My VPN is only working for pings from the Cisco to strongSwan; pinging from strongSwan to the Cisco is not working.
>
>> conn evindustria
>> leftsourceip=10.200.1.1
> That's invalid.
> Remove leftsourceip.
>
>> esp=3des-sha1-modp1024
>> ike=3des-sha1-modp1024
> Bad cipher suite. Upgrade that.
>
>> # This allows the VPN to come up automatically when openswan starts
>> auto=add
>
> That's just wrong. "auto=add" only adds the configuration to charon, but doesn't do anything else with it.
> It's neither initiated, nor used to install trap policies.
> Configure "auto=route".
>
>> The VPN only works when pinging from the Cisco ASA to strongSwan
>
> That's because you configured auto=add.
>
> Please stop sending HTML formatted emails. Send plaintext instead. It's unnecessarily difficult to handle it.
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
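As an added example (not code from this thread or from the strongSwan project), a small Python checker that applies the two diagnostics discussed above: charon's "no IKE config found for local...remote" line means no loaded conn has left/right matching the peer that sent the proposal, and, per Noel's reply, auto=add loads a conn without initiating it or installing trap policies. The sample conn and log line are constructed from the values in the mail; the WEAK list and the function names are my own.

```python
import re
# Constructed sample: the conn from the mail, peer address and algorithms as posted.
SAMPLE_CONF = """\
conn evamsterdam
    left=81.25.126.250
    right=46.16.59.216
    esp=3des-sha1-modp1024
    ike=3des-sha1-modp1024
    auto=route
"""
# Constructed sample: the charon log line quoted in the mail.
SAMPLE_LOG = "no IKE config found for 81.25.126.250...95.97.32.250, sending NO_PROPOSAL_CHOSEN"
# Algorithm names this checker treats as weak (my own list, not strongSwan's).
WEAK = ("3des", "md5", "modp768", "modp1024", "null")

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text, comments stripped."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif line.startswith("config "):
            cur = None  # 'config setup' carries no conn parameters
        elif cur is not None and "=" in line:
            k, v = line.split("=", 1)
            conns[cur][k.strip()] = v.strip()
    return conns

def lint(conf_text, log_line):
    """Return findings: remote address with no matching right=, auto=add, weak algorithms."""
    conns = parse_conns(conf_text)
    findings = []
    m = re.search(r"no IKE config found for (\S+)\.\.\.(\S+),", log_line)
    if m:
        remote = m.group(2)  # charon found no conn whose right= is this address
        peers = sorted(c["right"] for c in conns.values() if "right" in c)
        if remote not in peers:
            findings.append(f"peer {remote} matches no right= (configured: {peers})")
    for name, c in conns.items():
        if c.get("auto", "ignore") == "add":  # loads the conn, installs no trap policy
            findings.append(f"{name}: auto=add only loads the conn; use auto=route or auto=start")
        for key in ("ike", "esp"):
            weak = [w for w in WEAK if w in c.get(key, "").lower()]
            if weak:
                findings.append(f"{name}: {key}={c[key]} uses weak {weak}")
    return findings
```

Run against the sample it reports the peer mismatch once and the weak 3DES/modp1024 proposal for both ike= and esp=; swap auto=route for auto=add in the sample and the second finding from Noel's reply appears as well.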