Hi,

Yes, I did have a similar problem; the solution was creating a crypto map on the Cisco config compliant with the Linux IPsec standard. There are lots of tutorials explaining it on the net. I would have sent some sample lines but do not have them available right now.
Best Regards,

2013/12/5 Sergio Samayoa <[email protected]>

> Hi.
>
> I have a problem connecting from Strongswan 5.1.1 to Cisco ASA 5520:
>
> On the Cisco (B) side there is an ACL controlling which hosts the Strong Swan (A) side can access.
>
> This is the Cisco configuration:
>
> tunnel-group X.X.X.X type ipsec-l2l
> tunnel-group X.X.X.X ipsec-attributes
>  pre-shared-key ******
>
> crypto map Tunel 170 match address PREDICTIBILIDAD
> crypto map Tunel 170 set peer X.X.X.X
> crypto map Tunel 170 set transform-set TEMM10
> crypto map Tunel 170 set pfs group2
>
> access-list PREDICTIBILIDAD extended permit ip host 10.225.230.212 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.207.77 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.240.20 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.2.81.168 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.216.15.145 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.216.15.201 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.216.15.210 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.216.15.135 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.2.81.187 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.173.177 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.136.9 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.225.173.178 host 172.255.255.78
> access-list PREDICTIBILIDAD extended permit ip host 10.15.122.237 host 172.255.255.78
>
> Strong Swan config:
>
> conn TELEFONICAMX
>     ikelifetime=28800s
>     keylife=20m
>     rekeymargin=3m
>     keyexchange=ikev1
>     authby=secret
>     ike=3des-md5-modp1024
>     esp=3des-md5-modp1024
>     left=X.X.X.X
>     leftid=X.X.X.X
>     leftfirewall=yes
>     right=Y.Y.Y.Y
>     rightid=Y.Y.Y.Y
>     auto=add
>     rightsubnet=10.225.230.212,10.225.207.77,10.225.240.20,10.2.81.168,10.216.15.145,10.216.15.201,10.216.15.210,10.216.15.135,10.2.81.187,10.225.173.177,10.225.136.9,10.225.173.178,10.15.122.237
>
> Strong Swan was compiled with unity enabled.
>
> When I try to bring up the connection I get this:
>
> root@vpn-tmmx:/usr/local/etc# ipsec up TELEFONICAMX
> initiating Main Mode IKE_SA TELEFONICAMX[2] to Y.Y.Y.Y
> generating ID_PROT request 0 [ SA V V V V ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (184 bytes)
> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (104 bytes)
> parsed ID_PROT response 0 [ SA V ]
> received FRAGMENTATION vendor ID
> generating ID_PROT request 0 [ KE No ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (196 bytes)
> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (256 bytes)
> parsed ID_PROT response 0 [ KE No V V V V ]
> received Cisco Unity vendor ID
> received XAuth vendor ID
> received unknown vendor ID: 5f:03:43:5c:a7:b9:51:2d:a5:40:d3:91:67:d0:7a:7c
> received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
> generating ID_PROT request 0 [ ID HASH ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (68 bytes)
> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (84 bytes)
> parsed ID_PROT response 0 [ ID HASH V ]
> received DPD vendor ID
> IKE_SA TELEFONICAMX[2] established between X.X.X.X[X.X.X.X]...Y.Y.Y.Y[Y.Y.Y.Y]
> scheduling reauthentication in 28564s
> maximum IKE_SA lifetime 28744s
> generating QUICK_MODE request 812470083 [ HASH SA No KE ID ID ]
> sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (300 bytes)
> received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (348 bytes)
> parsed INFORMATIONAL_V1 request 2160602061 [ HASH N(INVAL_ID) ]
> received INVALID_ID_INFORMATION error notify
> establishing connection 'TELEFONICAMX' failed
>
> Phase 1 completes but the Cisco side drops the connection.
>
> These are the Cisco log entries:
>
> Dec 4 21:09:28 [X] Dec 04 2013 22:16:54: %ASA-4-113019: Group = X.X.X.X, Username = X.X.X.X, IP = X.X.X.X, Session disconnected. Session Type: IKE, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: crypto map policy not found
> Dec 4 21:09:27 [] Dec 04 2013 22:16:54: %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = X.X.X.X
> Dec 4 21:09:27 [1] Dec 04 2013 22:16:54: %ASA-5-713119: Group = 200.35.187.146, IP = X.X.X.X, PHASE 1 COMPLETED
> Dec 4 21:09:28 [] Dec 04 2013 22:16:54: %ASA-3-713061: Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 172.255.255.78/255.255.255.255/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
>
> Shouldn't Strong Swan send the rightsubnet to Cisco to match the crypto policy?
>
> Has someone faced a similar problem?
>
> BTW we can't change the Cisco side.
>
> Regards.
>
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

--
Gomes do Vale Victor
Systems, Network and Security Engineer
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
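As an added diagnostic example (not code from either poster), the script below parses the ASA's crypto-map ACL lines and the `%ASA-3-713061` rejection quoted in the thread and reports which ACL entry, if any, covers the proxy IDs the ASA logged. On an ASA crypto-map ACL the source is the ASA-local side and the destination is the remote (strongSwan) side, so a Quick Mode proposal is accepted only when the local proxy falls inside an entry's source and the remote proxy inside its destination. The logged local proxy `0.0.0.0/0` is covered by none of the `host 10.x` sources, which is exactly what "crypto map policy not found" reports; a proposal of `10.225.230.212/32 <-> 172.255.255.78/32` would match. My reading, not confirmed in the thread: strongSwan's unity plugin, when loaded and the peer announces the Cisco Unity vendor ID as it does here, makes the IKEv1 initiator propose `0.0.0.0/0` and rely on split-include narrowing, which would explain the wildcard local proxy. The ACL subset and the log line are quoted from the thread; the function names are my own.

```python
"""Check IKEv1 Phase 2 proxy IDs (as logged by a Cisco ASA) against a crypto-map ACL.

Added diagnostic example for the strongSwan <-> ASA thread; not code from either poster.
"""
import ipaddress
import re

# Quoted from the thread (a subset of the PREDICTIBILIDAD entries). On an ASA crypto-map ACL
# the source is the ASA-local side and the destination is the remote (strongSwan) side.
ACL_LINES = [
    "access-list PREDICTIBILIDAD extended permit ip host 10.225.230.212 host 172.255.255.78",
    "access-list PREDICTIBILIDAD extended permit ip host 10.225.207.77 host 172.255.255.78",
    "access-list PREDICTIBILIDAD extended permit ip host 10.15.122.237 host 172.255.255.78",
]

# Quoted from the thread: the ASA's Phase 2 rejection message.
ASA_REJECT_LINE = (
    "%ASA-3-713061: Group = X.X.X.X, IP = X.X.X.X, Rejecting IPSec tunnel: "
    "no matching crypto map entry for remote proxy 172.255.255.78/255.255.255.255/0/0 "
    "local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside"
)

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+?)\s*$")
# The ASA logs proxies as address/netmask/protocol/port.
PROXY_RE = re.compile(
    r"remote proxy ([^/\s]+)/([^/\s]+)/\d+/\d+ local proxy ([^/\s]+)/([^/\s]+)/\d+/\d+"
)


def _take_address(tokens):
    """Consume one ACL address spec ('any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines):
    """Return (acl_name, source_net, destination_net) for each 'permit ip' entry; other lines are skipped."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        src, rest = _take_address(m.group(2).split())
        dst, _ = _take_address(rest)
        entries.append((m.group(1), src, dst))
    return entries


def parse_proxy_ids(log_line):
    """Extract (local_net, remote_net) from a %ASA-3-713061 message (dotted netmasks are accepted)."""
    m = PROXY_RE.search(log_line)
    if not m:
        raise ValueError("no proxy IDs found in log line")
    remote = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    local = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
    return local, remote


def matching_entries(entries, local, remote):
    """ACL entries whose source covers the ASA-local proxy and whose destination covers the remote proxy."""
    return [e for e in entries if local.subnet_of(e[1]) and remote.subnet_of(e[2])]


def diagnose(acl_lines, log_line):
    """ACL entries that would have accepted the proxy IDs in a rejection message (empty list = mismatch)."""
    local, remote = parse_proxy_ids(log_line)
    return [f"{name} {src} -> {dst}" for name, src, dst in matching_entries(parse_acl(acl_lines), local, remote)]


def proposal_is_allowed(acl_lines, local_cidr, remote_cidr):
    """Pre-check a planned Quick Mode proposal (ASA-local subnet, strongSwan-side subnet) against the ACL."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    remote = ipaddress.ip_network(remote_cidr, strict=False)
    return bool(matching_entries(parse_acl(acl_lines), local, remote))


if __name__ == "__main__":
    local, remote = parse_proxy_ids(ASA_REJECT_LINE)
    print(f"ASA logged local proxy {local}, remote proxy {remote}")
    print("matching ACL entries:", diagnose(ACL_LINES, ASA_REJECT_LINE) or "none (crypto map policy not found)")
    # The host pair the ACL actually expects from the strongSwan side:
    print("10.225.230.212/32 <-> 172.255.255.78/32 allowed:",
          proposal_is_allowed(ACL_LINES, "10.225.230.212/32", "172.255.255.78/32"))
```

Run it against the full ACL from a `show running-config access-list` dump and the 713061 line from the ASA syslog; an empty result from `diagnose` means the proxy IDs strongSwan proposed do not correspond to any crypto-map entry, and `proposal_is_allowed` lets you test candidate `leftsubnet`/`rightsubnet` pairs before touching the tunnel.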
