Hi,

By using the Cisco command "debug crypto isakmp" you should be able to troubleshoot this issue, which should be caused by a misconfiguration. Make sure your transform set is correct, and check whether you're using group 1 or group 2.

Cheers,
Steve Rigano

2010/5/12 François Van Ingelgom <[email protected]>

> Hi Andreas!
>
> I've recreated my setup and, this time, I'm not even able to establish the
> tunnel.
>
> On the Cisco it fails with error: "Notify has no hash. Rejected."
>
> I've attached the debug output of every device.
>
> I really have no idea how to sort it out and Google is not such a good friend
> today :)
>
> Thanks a lot!
>
> François Van Ingelgom -- PCSOL
>
> PS: Debug-Cisco = debug crypto isakmp + debug crypto ipsec
> Debug-Strongswan = cat /var/log/messages with klips and pluto debug to all
>
> On 11 May 2010 at 17:34, Andreas Steffen wrote:
>
> > left = local and right = remote
> >
> > is just our recommendation in order to help your orientation.
> > strongSwan works equally well with left and right swapped.
> > I was just wondering that remote end used private network
> > addresses which are not routable.
> >
> > Best regards
> >
> > Andreas
> >
> > On 05/11/2010 05:20 PM, François Van Ingelgom wrote:
> >> In fact, no, the strongSwan side is: left=81.246.56.89
> >>
> >> The Cisco IOS: right=192.168.1.218.
> >>
> >> I'll try to recreate the configuration tomorrow with the two ends in
> >> our 81.246.56.64/27 subnet.
> >>
> >> From what I understood in the ipsec.conf documentation, left is the actual
> >> local machine and right is the remote one, is that correct?
> >>
> >> Thanks for your help, I'll post what you asked tomorrow.
> >>
> >> François Van Ingelgom -- PCSOL
> >>
> >> On 11 May 2010 at 17:08, Andreas Steffen wrote:
> >>
> >>> Hello François,
> >>>
> >>> I don't see anything special in your configuration file except that
> >>> it looks like an Openswan configuration.
> >>>
> >>> I assume that the strongSwan side is
> >>>
> >>> right=192.168.1.218
> >>>
> >>> which makes use of a port forwarding setup (NAT traversal seems not
> >>> to be enabled) on the router
> >>>
> >>> rightnexthop=192.168.1.1
> >>>
> >>> in order to be reachable from the Internet and that
> >>>
> >>> left=81.246.56.89
> >>>
> >>> is the Cisco IOS box. In order to give you some help I would need
> >>> the output of
> >>>
> >>> ipsec statusall
> >>>
> >>> and
> >>>
> >>> ip -s xfrm state
> >>>
> >>> ip -s xfrm policy
> >>>
> >>> after the successful connection setup and after a failed ping.
> >>>
> >>> Best regards
> >>>
> >>> Andreas
> >>>
> >>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
> >>>> Hi everyone!
> >>>>
> >>>> I'm trying to set up strongSwan (Debian package) with a Cisco
> >>>> router (IOS 12.4).
> >>>>
> >>>> Both servers are on the same subnet (our public subnet) for
> >>>> testing purposes.
> >>>>
> >>>> Here is my ipsec.conf for strongSwan:
> >>>>
> >>>> version 2.0 # conforms to second version of ipsec.conf specification
> >>>>
> >>>> config setup
> >>>>     interfaces="ipsec0=eth0"
> >>>>
> >>>> conn %default
> >>>>     ikelifetime=86400
> >>>>     keylife=3600
> >>>>     keyingtries=%forever
> >>>>     authby=secret
> >>>>     auth=esp
> >>>>     ike=aes128-sha1-modp1024!
> >>>>     esp=aes128-sha1!
> >>>>     pfs=no
> >>>>     dpdaction=hold
> >>>>     dpddelay=60
> >>>>     dpdtimeout=500
> >>>>
> >>>> conn tunnelipsec
> >>>>     type=tunnel
> >>>>     auto=start
> >>>>     left=81.246.56.89
> >>>>     leftnexthop=81.246.56.65
> >>>>     leftsubnet=192.168.16.0/24
> >>>>     right=192.168.1.218
> >>>>     rightnexthop=192.168.1.1
> >>>>     rightsubnet=192.168.18.0/24
> >>>>
> >>>> include /etc/ipsec.d/examples/no_oe.conf
> >>>>
> >>>> And here is my ipsec.secrets
> >>>>
> >>>> 81.246.56.89: PSK "SecretTunnelPass"
> >>>>
> >>>> I'm sorry, I don't have the Cisco config right here but it's a
> >>>> classical non tunnel configuration (esp-aes esp-sha-hmac aes128
> >>>> and sha).
> >>>>
> >>>> In fact, the connection can be established but when I try to ping
> >>>> the other end, the Cisco fails claiming that he has no route for
> >>>> the network connected to the strongSwan....
> >>>>
> >>>> I really have no idea how to set it up, and I've been searching
> >>>> for a very long time now :/
> >>>>
> >>>> If anybody would have any idea, hints or anything, I'll greatly
> >>>> appreciate it :)
> >>>>
> >>>> Thanks a lot
> >>>>
> >>>> François Van Ingelgom -- PCSOL
> >>>>
> >
> > ======================================================================
> > Andreas Steffen [email protected]
> > strongSwan - the Linux VPN Solution! www.strongswan.org
> > Institute for Internet Technologies and Applications
> > University of Applied Sciences Rapperswil
> > CH-8640 Rapperswil (Switzerland)
> > ===========================================================[ITA-HSR]==
> >
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
>
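
Added example (not part of the original thread and not strongSwan or Cisco code): a small Python check that compares the ike= proposal from the quoted ipsec.conf with a Cisco ISAKMP policy, covering the "group 1 or group 2" point raised in the reply. The IOS fragments, the PSK and the peer address are constructed, and the defaults table assumes the IOS defaults (DES, SHA-1, group 1) for settings that do not appear in the running config.

```python
# strongSwan DH group names -> the number used by the IOS "group N" command
MODP_TO_GROUP = {"modp768": 1, "modp1024": 2, "modp1536": 5}
# IOS leaves default values out of the running config, so start from them
IOS_DEFAULTS = {"encr": "des", "hash": "sha1", "group": 1}

def parse_ike(proposal):
    """Split an ipsec.conf ike= value such as 'aes128-sha1-modp1024!'."""
    enc, integ, dh = proposal.rstrip("!").split("-")
    return {"encr": enc, "hash": integ, "group": MODP_TO_GROUP[dh]}

def parse_isakmp_policy(ios_config):
    """Return the settings of the first 'crypto isakmp policy' block."""
    policy, inside = dict(IOS_DEFAULTS), False
    for line in ios_config.splitlines():
        if line.startswith("crypto isakmp policy"):
            if inside:
                break  # only the first policy block is read
            inside = True
        elif inside and not line.startswith(" "):
            break  # sub-commands are indented; anything else ends the block
        elif inside and line.split():
            words = line.split()
            if words[0] in ("encr", "encryption"):
                # 'encr aes' means AES-128; 'encr aes 256' carries the key size
                size = words[2] if len(words) > 2 else ("128" if words[1] == "aes" else "")
                policy["encr"] = words[1] + size
            elif words[0] == "hash":
                policy["hash"] = "sha1" if words[1] == "sha" else words[1]
            elif words[0] == "group":
                policy["group"] = int(words[1])
    return policy

def mismatches(ike_proposal, ios_config):
    """Map each differing setting to (strongSwan value, Cisco value)."""
    want, have = parse_ike(ike_proposal), parse_isakmp_policy(ios_config)
    return {k: (want[k], have[k]) for k in want if want[k] != have[k]}

# Constructed IOS fragments; the thread never shows the real Cisco config
IOS_NO_GROUP = """crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
"""
IOS_GROUP_2 = IOS_NO_GROUP.replace(" authentication", " group 2\n authentication")

if __name__ == "__main__":
    ike = "aes128-sha1-modp1024!"  # ike= value from the quoted ipsec.conf
    print("no group line:", mismatches(ike, IOS_NO_GROUP))
    print("group 2 set:  ", mismatches(ike, IOS_GROUP_2))
```

A policy with no "group" line is reported as group 1 against the modp1024 (group 2) proposal, which is the kind of silent Phase 1 mismatch the reply suggests checking for.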
