Thanks Daniel, here it is.

000 Status of IKEv1 pluto daemon (strongSwan 4.3.6dr5):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 167.22.15.11:4500
000 interface eth0/eth0 167.22.15.11:500
000 interface eth0/eth0 10.0.0.1:4500
000 interface eth0/eth0 10.0.0.1:500
000 %myid = '%any'
000 loaded plugins: sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql xcbc
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+klips+dns+natt+oppo+controlmore
000
000 "cisco": 0.0.0.0/0===167.22.15.11[C=CN, O=LD, CN=no2]---167.22.15.1...%any[%any]===10.3.0.0/24; unrouted; eroute owner: #0
000 "cisco":   CAs: "C=CN, O=LDrive, CN=LVPN"...%any
000 "cisco":   ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "cisco":   policy: PUBKEY+ENCRYPT+TUNNEL+PFS; prio: 0,24; interface: eth0;
000 "cisco":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000

/etc/ipsec.conf
config setup
        crlcheckinterval=180
        nat_traversal=yes
        charonstart=no
        strictcrlpolicy=no
        plutostart=yes
        plutodebug=all
        plutostderrlog=/var/log/debug

conn %default
        ikelifetime=60m
        keylife=20m
        keyexchange=ikev1
        rekeymargin=3m
        keyingtries=1

conn cisco
        left=167.22.15.11
        leftnexthop=167.22.15.1
        leftcert=no2.crt
        #left...@test
        leftsourceip=10.3.0.1
        leftsubnet=0.0.0.0/0
        right=%any
        rightsourceip=10.3.0.2
        rightsubnet=10.3.0.0/24
        auto=start


some debug log:

| preparse_isakmp_policy: peer requests PUBKEY+XAUTHRSASIG+XAUTHSERVER authentication
"cisco"[3] 218.240.6.69:56131 #3: responding to Main Mode from unknown peer 218.240.6.69:56131
"cisco"[3] 218.240.6.69:56131 #3: policy does not allow XAUTHInitRSA authentication.  Attribute OAKLEY_AUTHENTICATION_METHOD
"cisco"[3] 218.240.6.69:56131 #3: peer requested 2147483 seconds which exceeds our limit 86400 seconds
"cisco"[3] 218.240.6.69:56131 #3: lifetime reduced to 86400 seconds (todo: IPSEC_RESPONDER_LIFETIME notification)

On Thu, Jan 7, 2010 at 1:29 AM, Daniel Mentz
<[email protected]> wrote:
>> 167.22.15.11