Closing the loop on this thread. Had the remote end switch to a Cisco ASA
(with no changes on our strongswan end) and the connection came up.
Here is the relevant log entry from the Cisco 3000 series end. I am
guessing we could have tried "nat_traversal = no" ?
56415 09/20/2016 08:56:57.190 SEV=3 IKE/134 RPT=48544 50.15.201.20
Group [50.15.201.20]
Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal.
Verify local and remote LAN-to-LAN connection lists.
56418 09/20/2016 08:56:57.590 SEV=5 IKE/172 RPT=2762 50.15.201.20
Group [50.15.201.20]
Automatic NAT Detection Status:
Remote end IS behind a NAT device
This end is NOT behind a NAT device
On Mon, Sep 19, 2016 at 4:06 AM, Tobias Brunner
wrote:
> Hi Mahesh,
>
> > It seems that phase 1 IKE is working but not phase 2 ESP. I've tried
> > different settings for ike= to no avail. Config and brief log below and
> > extended log attached.
>
> You should check the responder's log. It seems to immediately delete
> the IKE_SA after receiving the Quick Mode request, perhaps it also logs
> the reason why it did so.
>
> Regards,
> Tobias
>
>
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
