Hi Martin,

I was focusing on IKEv1 xauthrsasig due to constraints in making basic stuff work, but will definitely try to retest IKEv2 at some point next month.

Thanks,
Neeraj

> Subject: Re: [strongSwan] Cisco ASA 5510 (8.4) Interop with StrongSwan 4.5.2 (IKEv2)
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Date: Wed, 5 Sep 2012 14:07:44 +0200
>
> Hi Neeraj,
>
> > The Cisco ASA is giving some strange errors and what appears to be
> > some sort of proprietary IKEv2 (doubtful since people have interop
> > with IOS and StrongSwan IKEv2).
>
> Cisco seems to use proprietary IKE fragmentation, we don't support it in
> strongSwan.
>
> > I did attempt to compare the cisco vpn client logs with strongswan client
> > logs and it appears that the cisco vpn client is detected via some custom
> > fields and a different path is chosen (looks like some hidden
> > authentication method) instead of the usual rsa (authby=rsasig) route.
>
> I'm not used to those ASA logs, and the final log message
>
> > IKEv2-PLAT-1: Failed to set P1 auth to build policy
> > IKEv2-PLAT-1: unable to build ikev2 policy
> > IKEv2-PROTO-1: (125): Failed to locate an item in the database
>
> is not very helpful, either. I'd say it does not have a
> policy/configuration for the received request.
>
> When comparing the log files, there are two fundamental differences:
>
>   * Anyconnect requests a virtual IP using a configuration payload
>     exchange, your ipsec.conf does not. You may try to add
>     "leftsourceip=%config" to request such an IP.
>   * Anyconnect seems to use EAP to authenticate itself against the
>     ASA, your ipsec.conf, however, uses a certificate. Try to
>     replace "authby=rsasig" with "leftauth=eap" and
>     "rightauth=pubkey". This of course requires an appropriate EAP
>     module, but the strongSwan log should show you what the ASA is
>     requesting.
>
> Having these differences may well explain why the ASA does not have a
> policy for the strongSwan request.
>
> Regards
> Martin
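The two changes Martin suggests, placed in an ipsec.conf connection. This is an added example, not taken from the thread or from Neeraj's actual configuration; the connection name, host name and identities are constructed placeholders, and the commented-out line stands for the certificate-based setting being replaced.

```conf
# /etc/ipsec.conf -- constructed example, placeholders throughout
conn asa-ikev2
    keyexchange=ikev2
    left=%defaultroute
    # Request a virtual IP through the IKEv2 configuration payload,
    # as the AnyConnect client does.
    leftsourceip=%config
    # Previously: authby=rsasig (both sides authenticate with RSA signatures).
    # authby=rsasig
    # Now: the client authenticates with EAP, the gateway with its certificate.
    leftauth=eap
    rightauth=pubkey
    # Identity sent in the EAP exchange (placeholder).
    eap_identity=user@example.org
    # Gateway address and the identity expected in its certificate (placeholders).
    right=asa.example.org
    rightid=@asa.example.org
    rightsubnet=0.0.0.0/0
    auto=add

# /etc/ipsec.secrets needs a matching EAP credential (placeholder values):
#   user@example.org : EAP "<password>"
```

With leftauth=eap the client does not pick a method itself; the strongSwan log shows which EAP method the ASA requests, and the corresponding EAP plugin has to be built and loaded.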
