Hello Otto,

Did you try to talk to the ASA on port 500 instead of port 4500 already?

Regards
Noel Kuntze

On 04.03.2014 14:26, Otto Bretz wrote:
> Hello,
>
> I'm having problems getting a tunnel going to a client with a cisco router.
> This is my first time using strongSwan so I'm probably missing something
> obvious. I'm running debian wheezy on google compute engine. I've verified
> that I can talk to another machine on the net with UDP on port 500. The
> people running the cisco router say that they see no connection attempt from
> my external ip (192.158.A.B).
>
> Any help is much appreciated.
>
> cheers,
> Otto
>
> ipsec.conf:
> config setup
>     charonstart=no
>     plutostart=yes
>     plutodebug=control
>     plutostderrlog=/var/log/pluto.log
>
> conn myconn
>     authby=psk
>     auto=add
>     dpdaction=hold
>     esp=aes192-sha1!
>     forceencaps=yes
>     ike=aes256-sha1-modp1024!
>     keyexchange=ikev1
>     mobike=no
>     type=tunnel
>     pfs=yes
>     pfsgroup=modp1024
>     left=192.158.A.B
>     leftid=192.158.A.B
>     leftsubnet=10.240.0.0/16
>     leftauth=psk
>     leftikeport=4500
>     right=194.17.X.Y
>     rightsubnet=192.168.1.0/24
>     rightauth=psk
>     rightikeport=4500
>
> ipsec.secrets:
> 192.158.A.B 194.17.X.Y : PSK "mekmitasdigoat"
>
> ipsec statusall:
> 000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
> 000 interface lo/lo 127.0.0.1:500
> 000 interface eth0/eth0 10.240.12.197:500
> 000 interface eth0:0/eth0:0 192.158.A.B:500
> 000 %myid = '%any'
> 000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> 000 debug options: control
> 000
> 000 "myconn": 10.240.0.0/16===192.158.A.B[192.158.A.B]...194.17.X.Y[194.17.X.Y]===192.168.1.0/24; unrouted; eroute owner: #0
> 000 "myconn": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "myconn": dpd_action: hold; dpd_delay: 30s; dpd_timeout: 150s;
> 000 "myconn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 16,24; interface: eth0:0;
> 000 "myconn": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
> pluto.log:
> Starting IKEv1 pluto daemon (strongSwan 4.5.2) THREADS SMARTCARD VENDORID
> listening on interfaces:
>   eth0
>     10.240.12.197
>     192.158.A.B
> loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
> | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> including NAT-Traversal patch (Version 0.6c) [disabled]
> | pkcs11 module '/usr/lib/opensc-pkcs11.so' loading...
> failed to load pkcs11 module '/usr/lib/opensc-pkcs11.so'
> loading ca certificates from '/etc/ipsec.d/cacerts'
> loading aa certificates from '/etc/ipsec.d/aacerts'
> loading ocsp certificates from '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
> loading attribute certificates from '/etc/ipsec.d/acerts'
> spawning 4 worker threads
> | inserting event EVENT_LOG_DAILY, timeout in 48567 seconds
> | next event EVENT_REINIT_SECRET in 3600 seconds
> |
> | *received whack message
> listening for IKE messages
> | found lo with address 127.0.0.1
> | found eth0 with address 10.240.12.197
> | found eth0:0 with address 192.158.A.B
> adding interface eth0:0/eth0:0 192.158.A.B:500
> adding interface eth0/eth0 10.240.12.197:500
> adding interface lo/lo 127.0.0.1:500
> loading secrets from "/etc/ipsec.secrets"
> loaded PSK secret for 192.158.A.B 194.17.X.Y
> | next event EVENT_REINIT_SECRET in 3600 seconds
> |
> | *received whack message
> | from whack: got --esp=aes192-sha1!;modp1024
> | esp proposal: AES_CBC_192/HMAC_SHA1, ; pfsgroup=MODP_1024; strict
> | from whack: got --ike=aes256-sha1-modp1024!
> | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
> added connection description "myconn"
> | 10.240.0.0/16===192.158.A.B[192.158.A.B]...194.17.X.Y[194.17.X.Y]===192.168.1.0/24
> | ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3; policy: PSK+ENCRYPT+TUNNEL+PFS
> | next event EVENT_REINIT_SECRET in 3600 seconds
> |
> | *received whack message
> | creating state object #1 at 0x7f9db83236a0
> | ICOOKIE: 25 17 5f 2b 9c c3 ee da
> | RCOOKIE: 00 00 00 00 00 00 00 00
> | peer: c2 11 27 72
> | state hash entry 25
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> | Queuing pending Quick Mode with 194.17.X.Y "myconn"
> "myconn" #1: initiating Main Mode
> | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1
> | next event EVENT_RETRANSMIT in 10 seconds for #1
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3572 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #1
> | next event EVENT_RETRANSMIT in 20 seconds for #1
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3552 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #1
> | next event EVENT_RETRANSMIT in 40 seconds for #1
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3512 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> "myconn" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> "myconn" #1: starting keying attempt 2 of at most 3, but releasing whack
> | creating state object #2 at 0x7f9db8324760
> | ICOOKIE: a2 ea 87 15 7c 25 01 21
> | RCOOKIE: 00 00 00 00 00 00 00 00
> | peer: c2 11 27 72
> | state hash entry 7
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
> "myconn" #2: initiating Main Mode to replace #1
> | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
> | ICOOKIE: 25 17 5f 2b 9c c3 ee da
> | RCOOKIE: 00 00 00 00 00 00 00 00
> | peer: c2 11 27 72
> | state hash entry 25
> | next event EVENT_RETRANSMIT in 10 seconds for #2
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3502 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #2
> | next event EVENT_RETRANSMIT in 20 seconds for #2
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3482 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #2
> | next event EVENT_RETRANSMIT in 40 seconds for #2
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3442 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> "myconn" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> "myconn" #2: starting keying attempt 3 of at most 3
> | creating state object #3 at 0x7f9db83236a0
> | ICOOKIE: df 88 f6 30 a3 f5 72 1a
> | RCOOKIE: 00 00 00 00 00 00 00 00
> | peer: c2 11 27 72
> | state hash entry 5
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #3
> "myconn" #3: initiating Main Mode to replace #2
> | ike proposal: AES_CBC_256/HMAC_SHA1/MODP_1024, strict
> | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
> | ICOOKIE: a2 ea 87 15 7c 25 01 21
> | RCOOKIE: 00 00 00 00 00 00 00 00
> | peer: c2 11 27 72
> | state hash entry 7
> | next event EVENT_RETRANSMIT in 10 seconds for #3
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3432 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> | inserting event EVENT_RETRANSMIT, timeout in 20 seconds for #3
> | next event EVENT_RETRANSMIT in 20 seconds for #3
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3412 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> | inserting event EVENT_RETRANSMIT, timeout in 40 seconds for #3
> | next event EVENT_RETRANSMIT in 40 seconds for #3
> |
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3372 seconds
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> "myconn" #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> | ICOOKIE: df 88 f6 30 a3 f5 72 1a
> | RCOOKIE: 00 00 00 00 00 00 00 00
> | peer: c2 11 27 72
> | state hash entry 5
> | next event EVENT_REINIT_SECRET in 3372 seconds
> |
> | *time to handle event
> | event after this is EVENT_LOG_DAILY in 44967 seconds
> | event EVENT_REINIT_SECRET handled
> | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
> | next event EVENT_REINIT_SECRET in 3600 seconds
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users
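An added example, not part of the thread and not strongSwan code: a small Python triage script for the kind of pluto.log quoted above. The quoted log shows pluto bound to port 500 only, NAT-Traversal reported as disabled, and every Main Mode attempt retransmitted until it gives up in STATE_MAIN_I1, which is what Noel's port-500-versus-4500 question is about. The script parses the "initiating Main Mode", "handling event EVENT_RETRANSMIT" and "max number of retransmissions" lines per ISAKMP state object, strips any leading mail-quote markers so it can be run on the thread text directly, and classifies the failure. The sample log embedded below is a constructed abridgement of the one quoted in the thread; the line formats it matches are the ones visible there and are assumed to hold for other pluto logs.

```python
import re
from dataclasses import dataclass

# Constructed sample: abridged from the pluto.log quoted in the thread
# (three Main Mode attempts, each retransmitted until pluto gives up).
SAMPLE_PLUTO_LOG = """\
> "myconn" #1: initiating Main Mode
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #1
> "myconn" #1: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> "myconn" #1: starting keying attempt 2 of at most 3, but releasing whack
> "myconn" #2: initiating Main Mode to replace #1
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #2
> "myconn" #2: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> "myconn" #2: starting keying attempt 3 of at most 3
> "myconn" #3: initiating Main Mode to replace #2
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> | handling event EVENT_RETRANSMIT for 194.17.X.Y "myconn" #3
> "myconn" #3: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
"""

# Line shapes as they appear in the quoted pluto.log (assumed stable).
RE_QUOTE = re.compile(r'^(?:> ?)+')
RE_INITIATE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): initiating Main Mode')
RE_RETRANSMIT = re.compile(
    r'^\| handling event EVENT_RETRANSMIT for (?P<peer>\S+) "(?P<conn>[^"]+)" #(?P<sa>\d+)$')
RE_GAVE_UP = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): max number of retransmissions '
    r'\((?P<limit>\d+)\) reached (?P<state>[A-Z0-9_]+)\.')


@dataclass
class Attempt:
    conn: str
    sa: int
    peer: str = ""
    retransmits: int = 0   # EVENT_RETRANSMIT events handled (the last one is where pluto gives up)
    limit: int = -1        # retransmission limit pluto reported when it stopped
    gave_up_in: str = ""   # ISAKMP state pluto was in when it stopped; "" if it never reported giving up


def parse_pluto_log(text):
    """Collect one Attempt per ISAKMP state object, in state-number order."""
    attempts = {}
    for raw in text.splitlines():
        line = RE_QUOTE.sub("", raw)   # drop "> " mail-quote prefixes
        m = RE_INITIATE.match(line)
        if m:
            sa = int(m["sa"])
            attempts[sa] = Attempt(conn=m["conn"], sa=sa)
            continue
        m = RE_RETRANSMIT.match(line)
        if m and int(m["sa"]) in attempts:
            a = attempts[int(m["sa"])]
            a.retransmits += 1
            a.peer = m["peer"]
            continue
        m = RE_GAVE_UP.match(line)
        if m and int(m["sa"]) in attempts:
            a = attempts[int(m["sa"])]
            a.limit = int(m["limit"])
            a.gave_up_in = m["state"]
    return [attempts[sa] for sa in sorted(attempts)]


def triage(attempts):
    """Classify what the retransmit pattern says about the peer."""
    if not attempts:
        return "no-attempts"
    if any(a.gave_up_in == "" for a in attempts):
        return "in-progress-or-succeeded"
    # STATE_MAIN_I1 = our first Main Mode message was sent and nothing came back.
    if all(a.gave_up_in == "STATE_MAIN_I1" for a in attempts):
        return "no-reply-to-first-message"
    return "failed-after-first-exchange"


EXPLANATIONS = {
    "no-attempts": "no Main Mode initiation found in the log",
    "in-progress-or-succeeded": "at least one attempt has not reported giving up",
    "no-reply-to-first-message": (
        "every attempt timed out in STATE_MAIN_I1, so the peer never answered the first "
        "IKE message: check the IKE port pair in use (500, or 4500 only with NAT-T) and "
        "whether the peer sees traffic from this source address at all"),
    "failed-after-first-exchange": "the peer answered but a later exchange failed; inspect the peer's reply",
}


def explain(verdict):
    return EXPLANATIONS[verdict]


if __name__ == "__main__":
    found = parse_pluto_log(SAMPLE_PLUTO_LOG)
    for a in found:
        print(f'{a.conn} #{a.sa} -> {a.peer}: {a.retransmits} retransmit events, '
              f'limit {a.limit}, stopped in {a.gave_up_in or "n/a"}')
    verdict = triage(found)
    print(verdict, "-", explain(verdict))
```

Run it on the quoted log and it reports three attempts against 194.17.X.Y, each stopped in STATE_MAIN_I1 after the retransmission limit of 2, which is the "peer never answered" case the Cisco side's "no connection attempt seen" report also points to.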
