Re: [strongSwan] strongswna to cisco router IPSEC problem

Mon, 11 Jun 2012 04:58:39 -0700 

try using "hash sha" in the isakmp policy section.


Germano Veit Michel
[email protected]




-----Original Message-----
From: mohsen atiq <[email protected]>
To: users <[email protected]>
Sent: Fri, Jun 8, 2012 6:16 pm
Subject: [strongSwan] strongswna to cisco router IPSEC problem



Hi 






i have cisco router and a linux box and i want IPSEC connection between them 
my Linux IPSEC configuration is 



config setup
        crlcheckinterval=180
        strictcrlpolicy=no
        plutostart=yes


conn test1
        left=192.168.40.2
        leftsubnet=192.168.20.0/24
        right=192.168.40.20
        rightsubnet=192.168.1.0/24
        pfs=no
        authby=psk
        type=tunnel
        auth=esp
        auto=start
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        dpddelay=10s
        dpdaction=restart
        keyexchange=ikev1


and my cisco  router configuration is  



crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 123456 address 192.168.40.2
!
!
crypto ipsec transform-set 40.2 esp-aes 256 esp-sha-hmac
!
crypto map test-40.2 1 ipsec-isakmp
 set peer 192.168.40.2
 set transform-set 40.2
 match address 115
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
 !
!
interface FastEthernet1/0
 ip address 192.168.40.20 255.255.255.0
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map test-40.2
 !
!
interface FastEthernet1/1
 ip address 192.168.1.10 255.255.255.0
 no ip route-cache cef








access-list 115 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255


when i start strongswan and enable cisco ipsec debug i have following error in 
my cisco router


*Jun  3 22:10:50.259: IPSEC(ipsec_process_proposal): transform proposal not 
supported for identity:
    {esp-aes 256 esp-sha-hmac }
*Jun  3 22:10:50.263: ISAKMP:(1028): IPSec policy invalidated proposal with 
error 256
*Jun  3 22:10:50.263: ISAKMP:(1028): phase 2 SA policy not acceptable! (local 
192.168.40.20 remote 192.168.40.2)
*Jun  3 22:10:50.267: ISAKMP:(1028):deleting node -1251133401 error TRUE reason 
"QM rejected"
 

thanks for you help 


  





 
 
  
 
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users

 

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users

Reply via email to