Hello,
I'm trying to connect a route-based IPsec VPN to a Cisco device (ISR) and I'm getting some errors. I configured everything as written on the ROUTE-BASED-VPN page, but I'm especially not sure about the ipsec.conf configuration, as it's not included in that page.

From the Cisco side I see these errors:

Feb 21 16:15:09.292: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 39.107.111.111

The strongSwan (CentOS) box says this:

Feb 22 00:59:17 localhost charon: 14[NET] received packet: from 37.157.222.222[500] to 10.67.0.24[500] (164 bytes)
Feb 22 00:59:17 localhost charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Feb 22 00:59:17 localhost charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] 37.157.222.222 is initiating a Main Mode IKE_SA
Feb 22 00:59:17 localhost charon: 14[ENC] generating ID_PROT response 0 [ SA V V V ]
Feb 22 00:59:17 localhost charon: 14[NET] sending packet: from 10.67.0.24[500] to 37.157.222.222[500] (136 bytes)
Feb 22 00:59:17 localhost charon: 09[NET] received packet: from 37.157.222.222[500] to 10.67.0.24[500] (284 bytes)
Feb 22 00:59:17 localhost charon: 09[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
Feb 22 00:59:17 localhost charon: 09[IKE] received DPD vendor ID
Feb 22 00:59:17 localhost charon: 09[ENC] received unknown vendor ID: 2a:76:9d:f8:39:bf:5d:8a:06:25:60:0f:25:2c:99:36
Feb 22 00:59:17 localhost charon: 09[IKE] received XAuth vendor ID
Feb 22 00:59:17 localhost charon: 09[IKE] local host is behind NAT, sending keep alives
Feb 22 00:59:17 localhost charon: 09[IKE] no shared key found for '39.107.111.111'[10.67.0.24] - '37.157.222.222'[37.157.222.222]
Feb 22 00:59:17 localhost charon: 09[IKE] no shared key found for 10.67.0.24 - 37.157.222.222
Feb 22 00:59:17 localhost charon: 09[ENC] generating INFORMATIONAL_V1 request 3620154422 [ N(INVAL_KE) ]
Feb 22 00:59:17 localhost charon: 09[NET] sending packet: from 10.67.0.24[500] to 37.157.222.222[500] (56 bytes)

The configuration is as follows.

Route-based part:

1) ip tunnel add vti266 local 10.130.11.218 remote 10.130.11.217 mode vti key 66
2) ip link set vti266 up
3) sysctl -w net.ipv4.conf.vti266.disable_policy=1
4) ip route add 10.0.0.0/8 dev vti266
5) /etc/strongswan/strongswan.d/charon.conf <> install_routes = no
6) /etc/strongswan/swanctl/swanctl.conf <> local_ts = 0.0.0.0/0 remote_ts = 0.0.0.0/0
7) /etc/strongswan/swanctl/swanctl.conf <> mark_in = 66 mark_out = 66

IPsec part, ipsec.conf:

conn %default
    ikelifetime=1800m
    rekeymargin=3m
    keyingtries=%forever
    keyexchange=ikev1
    authby=psk
    dpdaction=restart
    dpddelay=30

conn remote-site
    left=%defaultroute
    leftsubnet=10.0.0.0/8
    leftid=39.107.111.111
    leftfirewall=yes
    right=%any
    rightsubnet=0.0.0.0/0
    rightid=37.157.222.222
    auto=start
    ike=aes128-sha1-modp1536
    esp=aes128-sha1

[root@iZ2zegipf37wcfbz6wafz0Z ~]# cat /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
39.107.111.111 37.157.222.222 : PSK "key_to_alibaba66!@"

Cisco part is here:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 1800
crypto isakmp key key_to_alibaba66!@ address 39.107.111.111
crypto isakmp keepalive 10 10
crypto ipsec security-association replay window-size 128
crypto ipsec transform-set ALIBABA_AES_SHA_TRANSFORM_SET esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile ALIBABA_AES_SHA_IPSEC_PROFILE
 set transform-set ALIBABA_AES_SHA_TRANSFORM_SET
 set pfs group2
interface Tunnel266
 description ITXRTRO1-Alibaba_test
 ip address 10.130.11.217 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source ip 37.157.222.222
 tunnel destination 39.107.111.111
 tunnel path-mtu-discovery
 tunnel protection ipsec profile ALIBABA_AES_SHA_IPSEC_PROFILE

What could be wrong? Thank you for any input.
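For reference, here is how the same tunnel looks when the connection and its pre-shared key are both defined in swanctl.conf, so the key is held by the same backend that loads the connection (an added example written for this thread, not the poster's file or anything from the strongSwan project). It assumes the swanctl/vici backend is the one in use, keeps the addresses, IDs and mark from the post, and chooses proposals that line up with the Cisco policy shown (group 2 is 1024-bit MODP; the Cisco isakmp lifetime of 1800 is in seconds); the PSK value is a placeholder.

```conf
# /etc/strongswan/swanctl/swanctl.conf (example; charon.conf keeps install_routes = no)
connections {
    remote-site {
        version = 1                     # IKEv1 main mode, as on the Cisco side
        local_addrs  = 10.67.0.24       # private address of the NATed strongSwan host
        remote_addrs = 37.157.222.222
        local {
            auth = psk
            id = 39.107.111.111         # public address the host is NATed behind
        }
        remote {
            auth = psk
            id = 37.157.222.222
        }
        # crypto isakmp policy 10: encr aes, sha1 (default), group 2 = modp1024
        proposals = aes128-sha1-modp1024
        rekey_time = 30m                # Cisco "lifetime 1800" is 1800 seconds
        dpd_delay = 30s
        children {
            vti266 {
                local_ts  = 0.0.0.0/0   # traffic selection is done by routing, not by TS
                remote_ts = 0.0.0.0/0
                mark_in  = 66           # must equal "key 66" on the vti266 interface
                mark_out = 66
                # transform-set esp-aes esp-sha-hmac with "set pfs group2"
                esp_proposals = aes128-sha1-modp1024
                dpd_action = restart
                start_action = start
            }
        }
    }
}

secrets {
    # IKEv1 main-mode PSK lookup is keyed on the IKE identities configured above,
    # so the selectors must match local.id and remote.id of the connection.
    ike-cisco {
        id-1 = 39.107.111.111
        id-2 = 37.157.222.222
        secret = "REPLACE_WITH_THE_SAME_PSK_AS_ON_THE_CISCO"   # placeholder value
    }
}
```

After editing, `swanctl --load-all` reloads both the connection and the secret, and `swanctl --list-sas` shows whether the IKE_SA and the marked CHILD_SA came up.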
