Ok, thanks for the clarification!
On Fri, May 21, 2021 at 12:30 PM csszep wrote:
> Hi!
>
> Not only Cisco ASA. Checkpoint, Fortinet, Juniper only support a single set
> of subnets per CHILD_SA too.
>
> https://wiki.strongswan.org/projects/strongswan/wiki/Checkpoint
> https://wiki.strongswan.org/pr
Hi!
Not only Cisco ASA. Checkpoint, Fortinet, Juniper only support a single set
of subnets per CHILD_SA too.
https://wiki.strongswan.org/projects/strongswan/wiki/Checkpoint
https://wiki.strongswan.org/projects/strongswan/wiki/Fortinet
https://wiki.strongswan.org/projects/strongswan/wiki/Juniper
htt
It turns out that the Cisco ASA has a bug CSCue42170 with open status that
prevents multiple traffic selectors from being supported in one child SA in
IKEv2.
For more information:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCue42170/?reffering_site=dumpcr
Known affected releases: 8.6(1), 9.1(
Finally solved! Tried TS one after another. To put it mildly, I'm
surprised. It turns out that the equipment on the remote side is configured
in such a way that for each TS I had to set up a separate connection. This
configuration is working fine now:
ikev2 crypto-primary active esp \
from 10.2
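As an added example (it is not code from this thread, from OpenBSD or from iked), the following Python script checks an iked.conf for the situation the thread ends on: it parses a simplified subset of the iked.conf(5) grammar (backslash continuations, an optional rule name, `active`/`esp` style header words, one or more `from A to B` pairs, then the remaining keywords), flags every `ikev2` rule that carries more than one from/to pair, since those pairs become several traffic selectors in a single CHILD_SA, which the peers named in this thread do not accept, and rewrites such a rule as one rule per pair, i.e. the separate-connection-per-TS layout that worked in the end. The sample configuration is constructed: 10.0.0.0/24, 192.0.2.0/24, 198.51.100.1 and the PSK are placeholders; 2.2.2.2, 3.3.3.3, 1.1.1.1 and 7.7.7.7 are the addresses used in the thread. Only `ikev2` lines are preserved in the rewritten output; macros and comments are dropped.

```python
import re
from dataclasses import dataclass

# Header words that may sit between the rule name and the first "from"
# (subset of iked.conf(5); assumption: no other header words are used).
HEADER_KEYWORDS = {"active", "passive", "quick", "default", "esp", "ah",
                   "ipcomp", "tunnel", "transport"}

# Constructed sample config: one rule with two from/to pairs to the same
# peer (the layout Cisco ASA rejects) and one rule with a single pair.
SAMPLE_CONF = r"""
# constructed sample; subnets and PSK are placeholders
ikev2 "crypto-primary" active esp \
    from 10.0.0.0/24 to 2.2.2.2 \
    from 10.0.0.0/24 to 3.3.3.3 \
    peer 7.7.7.7 \
    ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048 \
    childsa auth hmac-sha2-256 enc aes-256 group modp2048 \
    srcid 1.1.1.1 dstid 7.7.7.7 \
    psk "placeholder-psk"
ikev2 "single" active esp from 192.0.2.0/24 to 198.51.100.1 peer 7.7.7.7 psk "placeholder-psk"
"""


@dataclass
class Ikev2Rule:
    name: str      # rule name without quotes, or None for an unnamed rule
    header: list   # tokens between the name and the first "from"
    flows: list    # (src, dst) pairs; each pair is one traffic selector
    rest: list     # every token after the last flow, kept verbatim

    @property
    def peer(self):
        """Value of the 'peer' keyword, or None if the rule has none."""
        if "peer" in self.rest:
            return self.rest[self.rest.index("peer") + 1]
        return None


def join_continuations(text):
    """Fold 'line \\<newline>' continuations into one logical line."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_rules(conf_text):
    """Parse all ikev2 rules from iked.conf text (simplified grammar)."""
    rules = []
    for line in join_continuations(conf_text).splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens or tokens[0] != "ikev2":
            continue
        i, name = 1, None
        if i < len(tokens) and tokens[i] != "from" and tokens[i] not in HEADER_KEYWORDS:
            name = tokens[i].strip('"')
            i += 1
        header = []
        while i < len(tokens) and tokens[i] != "from":
            header.append(tokens[i])
            i += 1
        flows = []
        while i < len(tokens) and tokens[i] == "from":
            src = tokens[i + 1]
            i += 2
            if i < len(tokens) and tokens[i] == "port":   # optional source port
                i += 2
            if i >= len(tokens) or tokens[i] != "to":
                raise ValueError("expected 'to' in rule: %s" % line)
            dst = tokens[i + 1]
            i += 2
            if i < len(tokens) and tokens[i] == "port":   # optional destination port
                i += 2
            flows.append((src, dst))
        if not flows:
            raise ValueError("ikev2 rule without a from/to pair: %s" % line)
        rules.append(Ikev2Rule(name, header, flows, tokens[i:]))
    return rules


def multi_ts_rules(rules):
    """Rules whose CHILD_SA would carry more than one traffic selector pair."""
    return [r for r in rules if len(r.flows) > 1]


def split_rule(rule):
    """One rule per from/to pair, named <name>-1, <name>-2, ... (constructed scheme)."""
    out = []
    for n, (src, dst) in enumerate(rule.flows, start=1):
        name = "%s-%d" % (rule.name, n) if rule.name else None
        out.append(Ikev2Rule(name, list(rule.header), [(src, dst)], list(rule.rest)))
    return out


def render(rule):
    """Emit the rule in iked.conf syntax, one flow per continued line."""
    head = ["ikev2"] + (['"%s"' % rule.name] if rule.name else []) + rule.header
    lines = [" ".join(head)]
    lines += ["from %s to %s" % (src, dst) for src, dst in rule.flows]
    lines.append(" ".join(rule.rest))
    return " \\\n\t".join(lines) + "\n"


def rewrite_conf(conf_text):
    """Return (report, new_conf): flagged (name, n_flows, peer) and the split config."""
    report, out = [], []
    for rule in parse_rules(conf_text):
        if len(rule.flows) > 1:
            report.append((rule.name, len(rule.flows), rule.peer))
            out.extend(render(r) for r in split_rule(rule))
        else:
            out.append(render(rule))
    return report, "".join(out)


if __name__ == "__main__":
    found, new_conf = rewrite_conf(SAMPLE_CONF)
    for name, n, peer in found:
        print("rule %r sends %d traffic selectors to peer %s in one CHILD_SA" % (name, n, peer))
    print(new_conf)
```

Run it against a real /etc/iked.conf by replacing SAMPLE_CONF with the file contents; the report names the rules to split and the printed config is the one-rule-per-pair version. Each split rule repeats the ikesa/childsa/psk tail unchanged, so the only difference between the generated rules is the traffic selector.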
Tobias,
I replaced the OpenBSD with the same configuration:
-> % uname -r -p
6.9 amd64
Now, with this configuration:
ikev2 crypto-primary active esp \
from any to any \
peer 7.7.7.7 \
ikesa auth hmac-sha2-256 enc aes-256 prf hmac-sha2-256 group modp2048
\
childsa auth hma
On Wed, May 12, 2021 at 12:06:21PM +0300, Денис Давыдов wrote:
> I tried to specify an explicit parameter -T to disable NAT-Traversal
> auto-detection and use `local' parameter. Also according to your advice
> tried a configuration like this:
>
> ikev2 crypto-primary active esp \
> from any
I tried to specify an explicit parameter -T to disable NAT-Traversal
auto-detection and use `local' parameter. Also according to your advice
tried a configuration like this:
ikev2 crypto-primary active esp \
from any to any \
local 1.1.1.1 peer 7.7.7.7 \
ikesa auth hmac-sha2-256
From my limited understanding of Cisco ASA configs I can't see any
obvious problems.
You could try setting 'from any to any' on your side to see how the server
responds. If the server is configured to narrow traffic selectors, the handshake
should succeed and the log will tell you the exact traff
Tobias,
The remote side gave me their Cisco ASA 5585 settings and they showed the
logs:
object network Svc_2_2_2_2
host 2.2.2.2
object network Svc_3_3_3_3
host 3.3.3.3
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA2
protocol esp encryption aes-256
protocol esp integrity sha-256
object-group ne
On Fri, May 07, 2021 at 12:17:35PM +0300, Денис Давыдов wrote:
> Hello all,
>
> I can't understand why I got SA_INIT timeout:
> May 5 13:18:54 crypto-gw2 iked[65530]: spi=0x73bcd531eb2e8899: sa_free:
> SA_INIT timeout
>
> 1.1.1.1 (crypto-gw2) - my host
> 7.7.7.7 - our isp provider (some of cisco
Hello all,
I can't understand why I got SA_INIT timeout:
May 5 13:18:54 crypto-gw2 iked[65530]: spi=0x73bcd531eb2e8899: sa_free:
SA_INIT timeout
1.1.1.1 (crypto-gw2) - my host
7.7.7.7 - our ISP provider (some Cisco devices)
/etc/iked.conf (on 1.1.1.1):
ikev2 crypto-primary active esp \