I got it working just after disabling “leftauth=pubkey” in the “conn cisco” section, although it works with 4.6.4.
Many thanks!

Regards!
Quine
2012-6-22

From: [email protected]
Sent: Sunday, June 22, 2014 00:07
To: [email protected]
Subject: cisco vpn client failed to connect to my strongswan vpn server

Dear All,

I've installed strongswan 4.6.4 (both pluto and charon enabled) on my server (debian 6.0.8) and it works well with cisco vpn client 5.0.07.0410 on WinXP (also with ios, android and win7). Recently I upgraded to 5.1.3 and it works too with ios, android and win7 except for cisco vpn client.

Follows the compiling configuration:

./configure --prefix=/usr --sysconfdir=/etc --disable-gmp --enable-unity --enable-openssl --enable-md4 --enable-xauth-eap --enable-xauth-pam --enable-eap-mschapv2 --enable-eap-aka --enable-eap-aka-3gpp2 --enable-eap-gtc --enable-eap-identity --enable-eap-md5 --enable-eap-peap --enable-eap-radius --enable-eap-sim --enable-eap-sim-file --enable-eap-sim-pcsc --enable-eap-simaka-pseudonym --enable-eap-simaka-reauth --enable-eap-simaka-sql --enable-eap-tls --enable-eap-tnc --enable-eap-ttls --enable-tools

/etc/ipsec.conf:

config setup
    #nat_traversal=yes
    uniqueids=yes
    charondebug="ike 2, mgr 2, net 2, enc 2"   # this line doesn't work?
    crlcheckinterval=10m
    strictcrlpolicy=no

ca vpnca
    cacert=caCert.pem
    crluri=crl.pem
    auto=add

conn %default
    auto=add
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    #leftfirewall=yes
    rightsubnet=10.11.0.0/24
    rightsourceip=10.11.0.0/24
    #dpddelay=30s
    #dpdtimeout=120s
    #dpdaction=clear

conn win7&android
    keyexchange=ikev2
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CH, O=strongSwan, CN=x.x.x.x"
    rightsourceip=10.11.1.0/24
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any

conn cisco
    keyexchange=ikev1
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid="C=CH, O=strongSwan, CN=x.x.x.x"
    rightsourceip=10.11.2.0/24
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    #type=tunnel
    authby=xauthrsasig
    xauth=server
    #pfs=no

When I try to connect to server with cisco vpn client it returns the error "412: The remote peer is no longer responding" and the following logs:

1  23:47:53.418 06/20/14 Sev=Info/4 CERT/0x63600015 Cert (cn=client,o=strongSwan,c=CH) verification succeeded.
2  23:47:53.433 06/20/14 Sev=Info/4 CM/0x63100002 Begin connection process
3  23:47:53.449 06/20/14 Sev=Info/4 CM/0x63100004 Establish secure connection
4  23:47:53.449 06/20/14 Sev=Info/4 CM/0x63100024 Attempt connection with server "x.x.x.x"
5  23:47:53.449 06/20/14 Sev=Info/4 IKE/0x63000001 Starting IKE Phase 1 Negotiation
6  23:47:53.465 06/20/14 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to x.x.x.x
7  23:47:53.543 06/20/14 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T)) from x.x.x.x
8  23:47:53.543 06/20/14 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to x.x.x.x
9  23:47:53.574 06/20/14 Sev=Info/4 IKE/0x63000014 RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, NAT-D, NAT-D) from x.x.x.x
10 23:47:53.605 06/20/14 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to x.x.x.x
11 23:47:53.621 06/20/14 Sev=Info/4 IKE/0x63000084 Out of Order Packet Processing - Queuing a packet (Informational) received out of order
12 23:47:58.887 06/20/14 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
13 23:47:58.887 06/20/14 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x
14 23:48:03.887 06/20/14 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
15 23:48:03.887 06/20/14 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x
16 23:48:08.887 06/20/14 Sev=Info/4 IKE/0x63000021 Retransmitting last packet!
17 23:48:08.887 06/20/14 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK MM *(Retransmission) to x.x.x.x
18 23:48:13.887 06/20/14 Sev=Info/4 IKE/0x63000017 Marking IKE SA for deletion (I_Cookie=8B242615179718BE R_Cookie=1BD7EDD3CABC3E02) reason = DEL_REASON_PEER_NOT_RESPONDING
19 23:48:13.887 06/20/14 Sev=Info/4 IKE/0x63000013 SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to x.x.x.x
20 23:48:14.402 06/20/14 Sev=Info/4 IKE/0x6300004B Discarding IKE SA negotiation (I_Cookie=8B242615179718BE R_Cookie=1BD7EDD3CABC3E02) reason = DEL_REASON_PEER_NOT_RESPONDING
21 23:48:14.402 06/20/14 Sev=Info/4 CM/0x63100014 Unable to establish Phase 1 SA with server "x.x.x.x" because of "DEL_REASON_PEER_NOT_RESPONDING"
22 23:48:14.418 06/20/14 Sev=Info/4 IKE/0x63000001 IKE received signal to terminate VPN connection

/var/log/auth.log:

...
Jun 21 11:50:45 debian6 charon: 14[ENC] parsed ID_PROT request 0 [ ID CERT CERTREQ SIG N(INITIAL_CONTACT) ]
Jun 21 11:50:45 debian6 charon: 14[IKE] received cert request for 'C=CH, O=strongSwan, CN=strongSwan CA'
Jun 21 11:50:45 debian6 charon: 14[IKE] received end entity cert "C=CH, O=strongSwan, CN=client"
Jun 21 11:50:45 debian6 charon: 14[IKE] no peer config found
Jun 21 11:50:45 debian6 charon: 14[IKE] queueing INFORMATIONAL task
Jun 21 11:50:45 debian6 charon: 14[IKE] activating new tasks
Jun 21 11:50:45 debian6 charon: 14[IKE] activating INFORMATIONAL task
Jun 21 11:50:45 debian6 charon: 14[ENC] added payload of type NOTIFY_V1 to message
Jun 21 11:50:45 debian6 charon: 14[ENC] added payload of type NOTIFY_V1 to message
Jun 21 11:50:45 debian6 charon: 14[ENC] generating INFORMATIONAL_V1 request 2841545593 [ HASH N(AUTH_FAILED) ]
Jun 21 11:50:45 debian6 charon: 14[ENC] insert payload HASH_V1 into encrypted payload
Jun 21 11:50:45 debian6 charon: 14[ENC] insert payload NOTIFY_V1 into encrypted payload
Jun 21 11:50:45 debian6 charon: 14[ENC] generating payload of type HEADER
Jun 21 11:50:45 debian6 charon: 14[ENC] generating rule 0 IKE_SPI
Jun 21 11:50:45 debian6 charon: 14[ENC] generating rule 1 IKE_SPI
...

Any recommendations would be really appreciated.

Thanks in adv.

B. Regards!
Quine
2014-6-21
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
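The reply at the top of the thread reports that removing leftauth=pubkey from the "conn cisco" section, while keeping authby=xauthrsasig, made the Cisco client connect again, and the server log shows the symptom as "no peer config found" followed by an AUTH_FAILED notify that the client sees only as retransmissions and "412: The remote peer is no longer responding". A cheap way to catch this before a client does is to lint ipsec.conf for conn sections that mix the legacy authby keyword with leftauth/rightauth. The following is an added example, not strongSwan's code and not from either poster; it assumes a constructed ipsec.conf that mirrors the one in the thread (x.x.x.x and the certificate file names are placeholders as on the page) and only encodes the observation the thread records, without claiming how strongSwan's starter resolves the two keyword styles when both are present.

```python
"""Lint a strongSwan ipsec.conf for conn sections that combine the legacy
``authby`` keyword with ``leftauth``/``rightauth``.

Added example (not strongSwan's code, not from the thread). The sample
configuration below is constructed to mirror the poster's file.
"""
from typing import Dict, List, Optional, Tuple

SectionKey = Tuple[str, str]  # (kind, name), e.g. ("conn", "cisco")
Section = Dict[str, str]

# Constructed sample: the poster's 'conn cisco' as it was before the fix,
# plus the %default and ios sections that sit beside it.
SAMPLE_CONF = """\
config setup
    uniqueids=yes

ca vpnca
    cacert=caCert.pem
    crluri=crl.pem
    auto=add

conn %default
    auto=add
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any

conn ios
    keyexchange=ikev1
    authby=xauthpsk
    xauth=server
    rightsourceip=10.11.0.0/24

conn cisco
    keyexchange=ikev1
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    leftauth=pubkey           # the line the reply removed
    leftcert=serverCert.pem
    leftid="C=CH, O=strongSwan, CN=x.x.x.x"
    rightsourceip=10.11.2.0/24
    authby=xauthrsasig
    xauth=server
"""

# The same file after the fix reported in the reply: leftauth= dropped.
FIXED_CONF = "\n".join(
    line for line in SAMPLE_CONF.splitlines()
    if not line.strip().startswith("leftauth=")
) + "\n"


def parse_ipsec_conf(text: str) -> Dict[SectionKey, Section]:
    """Parse ipsec.conf syntax: section headers ('config setup', 'ca NAME',
    'conn NAME') start in column 0, settings are indented key=value lines,
    '#' starts a comment. Surrounding double quotes on values are dropped."""
    sections: Dict[SectionKey, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():              # section header
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None and "=" in line:   # key=value setting
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections: Dict[SectionKey, Section], name: str) -> Section:
    """Settings of one conn with the 'conn %default' values applied underneath."""
    merged = dict(sections.get(("conn", "%default"), {}))
    merged.update(sections[("conn", name)])
    return merged


def find_auth_conflicts(sections: Dict[SectionKey, Section]) -> List[str]:
    """Return the names of conns that set authby together with leftauth or
    rightauth. The thread shows exactly this mix (authby=xauthrsasig plus
    leftauth=pubkey) ending in 'no peer config found' on charon 5.1.3 for an
    IKEv1 XAuth/RSA client; the reply reports that dropping leftauth fixed it,
    so the linter asks for one authentication style per conn."""
    flagged = []
    for (kind, name) in sections:
        if kind != "conn" or name == "%default":
            continue
        conn = effective_conn(sections, name)
        if "authby" in conn and ("leftauth" in conn or "rightauth" in conn):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for label, conf in (("before fix", SAMPLE_CONF), ("after fix", FIXED_CONF)):
        hits = find_auth_conflicts(parse_ipsec_conf(conf))
        print(label, "->", ", ".join(hits) if hits else "clean")
```

Run against a real /etc/ipsec.conf by reading the file into parse_ipsec_conf; a conn reported here is the one to check first when charon logs "no peer config found" for a client that sent ID, CERT and SIG in main mode, since the client side only reports retransmissions and a 412.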
