[Swan] Issue connecting between Cisco 2811 and Ubuntu 14.04 - worked with strongswan
Charles Wyble
charles at turnsys.com
Mon May 30 15:23:14 UTC 2016
Hi all,
I've recently switched to libreswan (for VTI support). I can't get the IPSEC tunnel to connect.
Here are the log snippets and configuration, please let me know if anything else is needed.
May 30 15:14:24: "satx" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=68
May 30 15:14:24: | ISAKMP Notification Payload
May 30 15:14:24: | 00 00 00 44 00 00 00 01 01 00 00 0e
May 30 15:14:24: "satx" #1: received and ignored informational message

May 30 15:14:56: "satx" #2: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 30 15:14:56: "satx" #2: responding to Main Mode
May 30 15:14:56: "satx" #2: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP4096] refused
May 30 15:14:56: "satx" #2: no acceptable Oakley Transform
May 30 15:14:56: "satx" #2: sending notification NO_PROPOSAL_CHOSEN to <peerip>:500
May 30 15:14:56: "satx" #2: deleting state #2 (STATE_MAIN_R0)

Cisco config:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 16
crypto isakmp key <secret> address <peerip>
crypto isakmp keepalive 20 periodic

crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TS
!
!
crypto map cmap 10 ipsec-isakmp
 set peer <peerip>
 set transform-set TS
 match address cryptoacl

Libreswan config:

# Connection to rack at JUAF-SAT01
conn satx
    left=158.69.183.161 #ovh outside ip
    leftsubnet=10.253.0.0/16 #ovh network
    leftid=158.69.183.161 #ikeid of ovh side
    right=38.103.217.178 #IOS outside address
    rightsubnet=10.40.170.0/24 #network behind IOS
    rightid=10.40.170.22 #IKEID sent by IOS
    ike=aes128-md5-modp1536 #P1: modp1536 = DH group 5
    esp=aes128-sha1
    type=tunnel
    authby=secret
    auth=esp
    keyexchange=ike
    ikev2=no
    keyingtries=2
    disablearrivalcheck=no
    remote_peer_type=cisco
    pfs=no
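
An added example, not part of the original post and not libreswan code: a small Python check that compares the Phase 1 transform pluto logged as refused with the conn's ike= line and lists the fields that differ. The function names are hypothetical, and the sample input is constructed from the log line and ike= value quoted above.

```python
import re

# Constructed sample input: the refused-transform log line and the ike= line
# are copied from the post; nothing else is assumed about either peer.
LOG = ('May 30 15:14:56: "satx" #2: Oakley Transform '
       '[OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP4096] refused')
CONN = """conn satx
    ike=aes128-md5-modp1536 #P1: modp1536 = DH group 5
    esp=aes128-sha1
"""
FIELDS = ("encryption", "hash", "dh_group")

def offered_transform(log_line):
    """Translate the transform pluto refused into ike= style tokens."""
    m = re.search(r"Oakley Transform \[(.+?)\] refused", log_line)
    if not m:
        raise ValueError("no refused Oakley transform in this line")
    enc, integ, group = (p.strip() for p in m.group(1).split(","))
    aes = re.fullmatch(r"OAKLEY_AES_CBC \((\d+)\)", enc)
    if not aes:  # only AES-CBC is handled in this example
        raise ValueError("unsupported cipher: " + enc)
    return ("aes" + aes.group(1),
            integ.replace("OAKLEY_", "", 1).lower(),
            group.replace("OAKLEY_GROUP_", "", 1).lower())

def configured_ike(conn_text):
    """Return every enc-hash-group proposal on the conn's ike= line."""
    m = re.search(r"^\s*ike\s*=\s*([^#\n]+)", conn_text, re.MULTILINE)
    if not m:
        raise ValueError("conn has no ike= line")
    return [tuple(p.strip().lower().split("-")) for p in m.group(1).split(",")]

def diagnose(log_line, conn_text):
    """List (field, configured, offered) differences; [] if a proposal matches."""
    offer = offered_transform(log_line)
    best = None
    for prop in configured_ike(conn_text):
        if len(prop) != 3:
            continue  # shorthand proposals are skipped here, not expanded
        diff = [(f, c, o) for f, c, o in zip(FIELDS, prop, offer) if c != o]
        if not diff:
            return []
        if best is None or len(diff) < len(best):
            best = diff
    if best is None:
        raise ValueError("no full enc-hash-group proposal to compare")
    return best

if __name__ == "__main__":
    for field, configured, offered in diagnose(LOG, CONN):
        print(f"{field}: ike= has {configured}, peer offered {offered}")
```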