We did run into a problem with the DH group -- they were using Group 1 and
we had to change it to Group 2.
Here's my config. We're using ipsec v4.4.1 so I have pluto running, but
we have a connection and a GRE tunnel:
config setup
    plutodebug=control
    #plutodebug=all
    plutostart=yes
    charondebug=control
    charonstart=no
    klipsdebug=all

conn %default
    ikelifetime=86400s
    keylife=3600s
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    ike=3des-md5-modp1024
    esp=3des-md5
    pfs=no
    type=tunnel
I set up the %default because we need to go to multiple subnets on the
remote side (we don't have access to that router). The connections are:
conn cdl-gre
    right=74.125.225.81
    rightsubnet=10.50.254.1/32
    rightprotoport=47/0
    left=%defaultroute
    #left=169.207.1.3
    leftsubnet=10.50.0.42/32
    leftsourceip=10.50.0.42
    leftprotoport=47/0
    leftfirewall=yes
    auto=start

conn cdl-00
    right=74.125.225.81
    rightsubnet=10.31.70.0/24
    left=%defaultroute
    leftsubnet=10.50.42.0/24
    auto=start

conn cdl-01
    right=74.125.225.81
    rightsubnet=10.31.71.0/24
    left=%defaultroute
    leftsubnet=10.50.42.0/24
    auto=start

conn cdl-02
    right=74.125.225.81
    rightsubnet=10.31.172.0/24
    left=%defaultroute
    leftsubnet=10.50.42.0/24
    auto=start

conn cme-03
    right=74.125.225.81
    rightsubnet=10.31.173.0/24
    left=%defaultroute
    leftsubnet=10.50.42.0/24
    auto=start
We're doing PSK, so in the ipsec.security we have:
169.207.1.3 74.125.225.81 : PSK "xxxPasswordHerexxx"
The config on the Cisco side that they sent us is:
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto ipsec transform-set cdlvpn esp-3des esp-md5-hmac
!
crypto isakmp key xxxPasswordHerexxx address 169.207.1.3
!
crypto map cmevpn 47 ipsec-isakmp
 description CustomerData LLC (CERT01-1805)
 set peer 169.207.1.3
 set transform-set cdlvpn
 match address CERT01-1805
!
ip access-list extended CERT01-1805
 permit ip 10.31.70.0 0.0.0.255 10.50.42.0 0.0.0.255
 permit ip 10.31.71.0 0.0.0.255 10.50.42.0 0.0.0.255
 permit ip 10.31.172.0 0.0.0.255 10.50.42.0 0.0.0.255
 permit ip 10.31.173.0 0.0.0.255 10.50.42.0 0.0.0.255
 permit gre host 10.50.254.1 host 10.50.0.42
!
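The Group 1 / Group 2 mismatch above is visible in the two configs themselves: the strongSwan side proposes modp1024 (Group 2), while the posted Cisco policy has no `group` line, and Cisco IOS documents that an omitted `group` defaults to group 1 (768-bit), along with `encr des` and `hash sha`. The checker below is an added example (not code from the thread or from strongSwan); it assumes the IOS defaults (an ASA would need its own default table), normalises both sides to one form, reports the attributes on which phase 1 cannot agree, and separately flags settings (3DES, MD5, DH below 2048 bits) that a reviewer should still question even when both peers agree on them.

```python
"""Compare a strongSwan IKEv1 phase-1 proposal (ike=...) with a Cisco IOS
'crypto isakmp policy' block; omitted Cisco keywords take the IOS defaults."""
import re

# IKE DH group number -> modulus size in bits (strongSwan names them modpNNNN)
DH_BITS = {"1": 768, "2": 1024, "5": 1536, "14": 2048}
# IOS defaults for keywords omitted from an isakmp policy (assumed IOS, not ASA)
CISCO_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}
# Settings a reviewer should flag even when both sides agree on them
WEAK = {"enc": {"des", "3des"}, "hash": {"md5", "sha1"}, "dh_min_bits": 2048}

# Constructed inputs, copied from the configs posted in this thread
IKE_LINE = "3des-md5-modp1024"
CISCO_AS_POSTED = "crypto isakmp policy 1\n encr 3des\n hash md5\n authentication pre-share\n"
CISCO_FIXED = CISCO_AS_POSTED + " group 2\n"

def parse_strongswan_ike(ike):
    """'3des-md5-modp1024' -> {'enc': '3des', 'hash': 'md5', 'dh': 1024}."""
    enc, hsh, dh = ike.strip().split("-")[:3]
    enc = "aes128" if enc == "aes" else enc            # bare 'aes' means 128-bit
    hsh = "sha1" if hsh in ("sha", "sha1") else hsh
    return {"enc": enc, "hash": hsh, "dh": int(dh[len("modp"):])}

def parse_cisco_policy(text):
    """Parse one 'crypto isakmp policy' block into the same normalised form."""
    kw = dict(CISCO_DEFAULTS)
    for line in text.splitlines():
        m = re.match(r"\s*(encr|hash|group)\s+(\S.*)", line)
        if m:
            kw[m.group(1)] = m.group(2).strip()
    enc = kw["encr"].replace(" ", "")                  # 'aes 256' -> 'aes256'
    enc = "aes128" if enc == "aes" else enc
    hsh = "sha1" if kw["hash"] == "sha" else kw["hash"]
    return {"enc": enc, "hash": hsh, "dh": DH_BITS[kw["group"]]}

def mismatches(sw, cisco):
    """Attributes on which phase 1 cannot agree; [] means the proposals match."""
    return [k for k in ("enc", "hash", "dh") if sw[k] != cisco[k]]

def weak_settings(p):
    """Attributes of a normalised proposal below current strength guidance."""
    out = [k for k in ("enc", "hash") if p[k] in WEAK[k]]
    if p["dh"] < WEAK["dh_min_bits"]:
        out.append("dh")
    return out

if __name__ == "__main__":
    sw = parse_strongswan_ike(IKE_LINE)
    print("as posted:", mismatches(sw, parse_cisco_policy(CISCO_AS_POSTED)))  # ['dh']
    print("with group 2:", mismatches(sw, parse_cisco_policy(CISCO_FIXED)))  # []
    print("weak:", weak_settings(sw))                                         # ['enc', 'hash', 'dh']
```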
On 09/28/2012 06:31 AM, Neeraj Sharma wrote:
btw I am using StrongSwan 5.0.0
-Neeraj
------------------------------------------------------------------------
From: [email protected]
To: [email protected]; [email protected]
Date: Fri, 28 Sep 2012 16:58:53 +0530
Subject: Re: [strongSwan] Cannot do IKEv1/PSK Main Mode in Cisco ASA 5510
# ipsec.conf
config setup
    charondebug="dmn 1"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    aggressive=no
    type=tunnel
    dpdaction=clear
    dpddelay=60s

conn home
    left=%defaultroute
    xauth_identity=user
    leftid=@CiscoPSKCxnProfile
    xauth=client
    leftsourceip=%config
    leftauth=psk
    leftauth2=xauth
    leftfirewall=no
    right=111.222.333.444
    rightsubnet=192.168.0.0/16
    rightauth=psk
    ike=aes-sha-modp1024
    esp=aes-sha1-modp1024
    auto=start

# the ipsec.secrets has the corresponding PSK and password for user
Do let me know if you see any issues.
-Neeraj
------------------------------------------------------------------------
Subject: Re: [strongSwan] Cannot do IKEv1/PSK Main Mode in Cisco ASA 5510
From: [email protected]
Date: Thu, 27 Sep 2012 08:53:40 -0500
To: [email protected]; [email protected]
I just went through this same problem -- still struggling with routing
but seem to have the connection.
What's the Cisco config and your ipsec.conf?
Neeraj Sharma <[email protected]> wrote:
I tried doing this a couple of times and did succeed with
configuring a StrongSwan client connecting to a Cisco ASA 5510 in
IKEv1/PSK Main Mode. What works at present is the IKEv1/PSK
Aggressive mode.
I am no Cisco expert, so it's possible (pointed out by endre on freenode
#strongswan that it works as well) that I am missing a Cisco ASA config.
Any pointers (doc, etc) will be of great help.
Thanks,
Neeraj
------------------------------------------------------------------------
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.