Hello Stuart,

could you add

    leftnexthop=%defaultroute

Regards
Andreas

On 08/06/2010 06:59 PM, Stuart Beckett wrote:
> Hello,
>
> We are attempting to connect to a Customer, who will not change their
> device, it is a Cisco, and their config is the following:
>
> IKE Policies (DO NOT MODIFY)
>
> Parameter                                          Value
> Message encryption algorithm                       Triple-DES
> Message integrity (hash) algorithm                 SHA
> Peer authentication method                         Preshared key
> Key exchange parameters                            Group 2 (1024-bit) (Diffie-Hellman
>                                                    group identifier and Perfect Forward Secrecy Group)
> ISAKMP established security associations lifetime  86400 seconds
>
> IPSec Parameters (DO NOT MODIFY)
>
> Parameter                                          Value
> Security-association (SA) establishment            ipsec-isakmp (IKE)
> IPSec Mode                                         Tunnel
> Mechanism for payload                              ESP
> ESP transform                                      ESP-3DES
> Hashed Message Authentication Code                 ESP-SHA-HMAC
> Security-association (SA) lifetime                 3600 seconds (1hr)
>
> We have agreed on a pre-shared key (PSK), it is in the ipsec.secrets file.
>
> My side is as follows:
>
> ---- ipsec.conf
>
> config setup
>     plutodebug=control
>     # crlcheckinterval=600
>     # strictcrlpolicy=yes
>     # cachecrls=yes
>     # nat_traversal=yes
>     # charonstart=no
>     # plutostart=no
>
> # Add connections here.
>
> conn %default
>     left=71.5.36.91
>
> conn one
>     ## Basic settings
>     type=tunnel
>     auto=start
>     rekey=yes
>     mobike=no
>     authby=psk
>     ## Diffie-Hellman group 2 (1024 bits)
>     pfs=yes
>     ## IKE settings
>     # required: 3DES, SHA, DH Group 2 (1024 bits)
>     # required: Key lifetime 86400s
>     ike=3des-sha-modp1024
>     ikelifetime=86400s
>     ## ESP settings
>     # required: ESP-3DES, ESP-SHA-HMAC
>     # required: SA lifetime 3600s
>     esp=3des-sha
>     keylife=3600s
>     ## Host info
>     leftsubnet=204.153.6.0/24
>     right=144.168.7.164
>     rightsubnet=144.151.202.0/24
>
> --- ipsec.secrets
>
> # First connection
> 71.5.36.91 144.168.7.164: PSK "testFirst"
>
> --- ipsec statusall
>
> 000 interface lo/lo 127.0.0.1:500
> 000 interface lo/lo 127.0.0.2:500
> 000 interface eth0/eth0 10.195.1.249:500
> 000 interface eth1/eth1 71.5.36.91:500
> 000 interface eth2/eth2 204.153.6.1:500
> 000 %myid = (none)
> 000 debug control
> 000
> 000 "one": 204.153.6.0/24===71.5.36.91...144.168.7.164===144.151.202.0/24; unrouted; eroute owner: #0
> 000 "one": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "one": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
> 000 "one": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "one": IKE algorithms wanted: 5_000-2-2,
> 000 "one": IKE algorithms found: 5_192-2_160-2,
> 000 "one": ESP algorithms wanted: 3_000-2,
> 000 "one": ESP algorithms loaded: 3_192-2_160,
> 000
> 000 #1: "one" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 14s
> 000 #1: pending Phase 2 for "att" replacing #0
> 000
>
> Performance:
>   worker threads: 10 idle of 16, job queue load: 0, scheduled events: 0
> Listening IP addresses:
>   10.195.1.249
>   71.5.36.91
>   204.153.6.1
> Connections:
>
> So, there is something that is not talking. I have turned off the
> firewall on this box for this testing. So for my side that is not an
> issue. A packet capture shows only one packet going in each direction.
> The one coming from them is a NO-PROPOSAL-CHOSEN.
>
> The algorithms statement in the 'ipsec statusall' bothers me also.
>
> Can anyone provide any assistance?
>
> Thanks
> Stuart Beckett

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
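Added example (not code from the thread or from strongSwan): a small Python parser for the ipsec.conf shown above that applies conn %default inheritance and checks a conn against the Cisco requirements Stuart listed, plus the leftnexthop setting Andreas suggests. The sample config is a constructed copy of the posted one, and the mapping of the Cisco table to strongSwan keywords follows Stuart's own ike= and esp= lines.

```python
# Added example (not from the thread or from strongSwan): parse an ipsec.conf,
# merge "conn %default" into each conn, and check a conn against the peer's needs.
# Constructed copy of the conn posted above (comments and unrelated keys dropped).
SAMPLE_IPSEC_CONF = """\
config setup
    plutodebug=control

conn %default
    left=71.5.36.91

conn one
    pfs=yes
    ike=3des-sha-modp1024
    ikelifetime=86400s
    esp=3des-sha
    keylife=3600s
    leftsubnet=204.153.6.0/24
    right=144.168.7.164
    rightsubnet=144.151.202.0/24
"""

# The Cisco "DO NOT MODIFY" tables as ipsec.conf keywords (assumption: 3DES, SHA
# and DH group 2 are what strongSwan spells 3des-sha-modp1024, as in Stuart's conn).
PEER_REQUIREMENTS = {"ike": "3des-sha-modp1024", "ikelifetime": "86400s",
                     "esp": "3des-sha", "keylife": "3600s", "pfs": "yes"}
def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments and trailing space
        if not line.strip(): continue              # blank or comment-only line
        if not raw[0].isspace():                   # unindented: "conn one", "config setup"
            kind, _, name = line.partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:  # indented: key=value
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **body} for (kind, name), body in sections.items()
            if kind == "conn" and name != "%default"}

def check_conn(conn, requirements):
    """List peer mismatches, and a missing leftnexthop (the fix suggested in the reply)."""
    problems = [f"{k}: have {conn.get(k)!r}, peer requires {v!r}"
                for k, v in requirements.items() if conn.get(k) != v]
    if "left" in conn and "leftnexthop" not in conn:
        problems.append("leftnexthop missing; add leftnexthop=%defaultroute")
    return problems

print({n: check_conn(c, PEER_REQUIREMENTS) for n, c in parse_ipsec_conf(SAMPLE_IPSEC_CONF).items()})
```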
