[Swan] Issue connecting between Cisco 2811 and Ubuntu 14.04 - worked with strongswan

Charles Wyble charles at turnsys.com
Mon May 30 15:23:14 UTC 2016


Hi all,

I've recently switched to libreswan (for VTI support). I can't get the IPsec tunnel to connect.

Here are the log snippets and configuration, please let me know if anything else is needed.

May 30 15:14:24: "satx" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=68
May 30 15:14:24: | ISAKMP Notification Payload
May 30 15:14:24: |   00 00 00 44  00 00 00 01  01 00 00 0e
May 30 15:14:24: "satx" #1: received and ignored informational message

May 30 15:14:56: "satx" #2: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 30 15:14:56: "satx" #2: responding to Main Mode
May 30 15:14:56: "satx" #2: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP4096] refused
May 30 15:14:56: "satx" #2: no acceptable Oakley Transform
May 30 15:14:56: "satx" #2: sending notification NO_PROPOSAL_CHOSEN to <peerip>:500
May 30 15:14:56: "satx" #2: deleting state #2 (STATE_MAIN_R0)


Cisco config:
! Phase 1 (ISAKMP) policy; no 'hash' line, so the IOS default (sha) applies
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 16
crypto isakmp key <secret> address <peerip>
crypto isakmp keepalive 20 periodic
!
! Phase 2 (IPsec) transform set, shared by the VTI profile and the crypto map
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TS
!
!
crypto map cmap 10 ipsec-isakmp
 set peer <peerip>
 set transform-set TS
 match address cryptoacl


Libreswan config:

# Connection to rack at JUAF-SAT01
conn    satx
        left=158.69.183.161               # ovh outside ip
        leftsubnet=10.253.0.0/16          # ovh network
        leftid=158.69.183.161             # ikeid of ovh side
        right=38.103.217.178              # IOS outside address
        rightsubnet=10.40.170.0/24        # network behind IOS
        rightid=10.40.170.22              # IKEID sent by IOS
        ike=aes128-md5-modp1536           # P1: modp1536 = DH group 5
        esp=aes128-sha1
        type=tunnel
        authby=secret
        auth=esp
        keyexchange=ike
        ikev2=no
        keyingtries=2
        disablearrivalcheck=no
        remote_peer_type=cisco
        pfs=no

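Editor's added example, not part of Charles's message and not libreswan or IOS code: a small Python cross-check that reads the IOS ISAKMP policy and the libreswan ike= line quoted above, pulls the refused Oakley transform out of the log line, and reports which Phase 1 attributes differ. The sample input is constructed from the fragments in the post; the IOS defaults it fills in (encr des, hash sha, group 1) and the group-number-to-MODP mapping follow IOS and the IANA IKE DH group registry, and IKE_FIXED is an illustrative alternative proposal written in libreswan's documented cipher-hash;dh form, not advice taken from the thread.

```python
"""Cross-check an IOS 'crypto isakmp policy' against a libreswan ike= line.

Editor's added example. It mirrors what libreswan's Main Mode responder does
in the log above: the peer's Oakley transform is accepted only if it matches
one configured ike= proposal. IOS defaults are filled in where the policy
omits a field: encr des, hash sha, group 1 (IOS 'crypto isakmp policy' defaults).
"""
import re

# IOS 'group N' -> libreswan MODP group names (IANA IKE DH group numbers)
IOS_DH_GROUPS = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048",
                 15: "modp3072", 16: "modp4096", 17: "modp6144", 18: "modp8192"}
# IOS 'hash' keywords -> libreswan hash names as they appear in ike= and logs
IOS_HASHES = {"md5": "md5", "sha": "sha1", "sha256": "sha2_256",
              "sha384": "sha2_384", "sha512": "sha2_512"}
IOS_DEFAULTS = ("des", "sha1", "modp768")

# Constructed sample input, modelled on the fragments quoted in the post.
IOS_POLICY = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 16
"""
IKE_AS_POSTED = "aes128-md5-modp1536"
IKE_FIXED = "aes128-sha1;modp4096"   # illustrative; libreswan's cipher-hash;dh form
LOG_LINE = ('May 30 15:14:56: "satx" #2: Oakley Transform [OAKLEY_AES_CBC (128), '
            'OAKLEY_SHA1, OAKLEY_GROUP_MODP4096] refused')


def parse_ios_policy(text):
    """Return (cipher, hash, dh) for an IOS ISAKMP policy block."""
    encr, hsh, dh = IOS_DEFAULTS
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"encr(?:yption)?\s+(\S+)(?:\s+(\d+))?", line)
        if m:
            alg, bits = m.groups()
            # 'encr aes' with no key size means AES-128 on IOS
            encr = f"aes{bits or '128'}" if alg == "aes" else alg
            continue
        m = re.fullmatch(r"hash\s+(\S+)", line)
        if m:
            hsh = IOS_HASHES.get(m.group(1), m.group(1))
            continue
        m = re.fullmatch(r"group\s+(\d+)", line)
        if m:
            dh = IOS_DH_GROUPS[int(m.group(1))]
    return (encr, hsh, dh)


def parse_libreswan_ike(ike_value):
    """Split ike=... into a set of (cipher, hash, dh) proposals.

    Accepts libreswan's 'cipher-hash;dh' form and the 'cipher-hash-dh' form
    used in the post. A proposal without an explicit DH group is rejected
    because this checker needs all three fields to compare.
    """
    proposals = set()
    for prop in ike_value.split(","):
        parts = prop.strip().replace(";", "-").split("-")
        if len(parts) != 3:
            raise ValueError(f"expected cipher-hash;dh, got {prop!r}")
        proposals.add(tuple(parts))
    return proposals


def parse_refused_transform(log_line):
    """Extract (cipher, hash, dh) from a libreswan 'Oakley Transform [...] refused' line."""
    m = re.search(r"OAKLEY_([A-Z0-9]+)_CBC \((\d+)\), OAKLEY_(\w+), OAKLEY_GROUP_(\w+)\]",
                  log_line)
    if not m:
        return None
    cipher, bits, hsh, dh = m.groups()
    return (f"{cipher.lower()}{bits}", hsh.lower(), dh.lower())


def explain_mismatch(peer_proposal, local_proposals):
    """Return [] if the peer's proposal is acceptable, else one line per differing field.

    Differences are reported against every local proposal, in sorted order.
    """
    if peer_proposal in local_proposals:
        return []
    labels = ("cipher", "hash", "dh")
    report = []
    for local in sorted(local_proposals):
        for label, peer, mine in zip(labels, peer_proposal, local):
            if peer != mine:
                report.append(f"{label}: peer offers {peer}, local ike= has {mine}")
    return report


if __name__ == "__main__":
    ios = parse_ios_policy(IOS_POLICY)
    print("IOS offers:       ", ios)
    print("log says refused: ", parse_refused_transform(LOG_LINE))
    for line in explain_mismatch(ios, parse_libreswan_ike(IKE_AS_POSTED)):
        print("  ", line)
    fixed = explain_mismatch(ios, parse_libreswan_ike(IKE_FIXED))
    print("with", IKE_FIXED, "->", fixed or "match")
```

Run as a script, the checker shows that the IOS side offers AES-128 with SHA-1 and DH group 16 (MODP-4096), the same transform libreswan logs as refused, while the posted ike= line only admits MD5 with MODP-1536; with the illustrative IKE_FIXED proposal the two sides agree. The same comparison applies to any other IOS policy block and ike= string you feed it.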
