[Swan] ASA 5550 Connection Help

Paul Connolly paulconnolly75 at gmail.com
Sun Apr 29 18:18:57 UTC 2018


I have to create an IPSec tunnel from Amazon to an ASA 5500. Below is the
info I was provided on the ASA config:

Support Key Exchanged for Subnets: ON
IKE Encryption Method: AES256 SHA
IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
IKE (Phase-1) Timeout: 1440 Min
IPSEC Encryption Method: AES256 SHA
IPSEC (Phase-2) Timeout: 3600 Sec
PFS (Perfect Forward Secrecy): Disabled
Keepalive: Disabled

I set up libreswan on a CentOS 7 EC2 instance. This is what I have for the
Libreswan connection config:

conn ipsec
  type=tunnel
  authby=secret
  remote_peer_type=cisco
  initial-contact=yes
  rekey=yes
  pfs=no
  ikelifetime=1440m
  salifetime=60m
  ike=aes256-sha1;dh2
  phase2alg=aes256-sha1;modp1024
  aggrmode=no

I've successfully created a tunnel to another libreswan instance in a
separate AWS VPN and can pass traffic, but when I point to the ASA I don't
seem to be even getting past the IKE phase, based on this ipsec status:

000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3);
EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
1: pending Phase 2 for "ipsec" replacing #0

I know the preshared key is correct but I'm at a loss. For starters, do I
at least have the correct libreswan config based on the ASA config?

I'm banging my head against the wall here and am willing to pay if someone
knowledgeable can give some direction.
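An added example, not part of the original post and not libreswan project code: it parses the `ipsec status` lines quoted above and reports which IKEv1 main-mode message the initiator is still waiting for, so the stuck phase can be read off the state name instead of guessed. The STALL_MEANING table, the function names and the regexes are the example's own assumptions; the sample status text is copied from the post (with the mail-wrapped line kept on two lines, which the parser tolerates).

```python
"""Interpret libreswan 'ipsec status' output for an IKEv1 main-mode initiator.

Added example (hypothetical helper, not from the post or from libreswan).
IKEv1 main mode is six messages: MI1/MR1 carry the SA proposal, MI2/MR2
the DH key exchange and nonces, MI3/MR3 the encrypted identity and the
PSK-based authentication hash. STATE_MAIN_In means "sent MIn, waiting
for MRn", so the state a connection retransmits in tells you which step
the peer did not answer.
"""
import re

# What a stall in each initiator state usually means (assumed mapping).
STALL_MEANING = {
    "STATE_MAIN_I1": "no reply to the SA proposal (MR1): peer unreachable, UDP/500 "
                     "filtered, or no phase-1 policy matching the ike= line",
    "STATE_MAIN_I2": "no reply to the key exchange (MR2): DH group mismatch or "
                     "packets dropped after the first exchange",
    "STATE_MAIN_I3": "no reply to our identity/authentication (MR3): the peer rejected "
                     "or silently dropped it; usual causes are a PSK mismatch or an "
                     "ID payload the peer does not match (check leftid= against what "
                     "the peer expects, especially when NAT traversal is in use)",
    "STATE_MAIN_I4": "phase 1 is established; a stall here is a phase-2 (IPsec SA) issue",
}

STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)"(?::(?P<port>\d+))? (?P<state>STATE_\w+)'
)
COUNTS_RE = re.compile(r"^000 (?P<kind>IKE SAs|IPsec SAs): (?P<rest>.*)$")
RETRANS_RE = re.compile(r"EVENT_v1_RETRANSMIT in (?P<secs>\d+)s")


def parse_status(text):
    """Return {'states': [...], 'counts': {...}} parsed from ipsec status text."""
    info = {"states": [], "counts": {}}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            port = int(m.group("port")) if m.group("port") else 500
            r = RETRANS_RE.search(line)  # present when the line was not wrapped
            info["states"].append({
                "num": int(m.group("num")),
                "conn": m.group("conn"),
                "state": m.group("state"),
                "port": port,
                "nat_t": port == 4500,   # UDP/4500 means NAT-T was negotiated
                "retransmit_in": int(r.group("secs")) if r else None,
            })
            continue
        m = COUNTS_RE.match(line)
        if m:
            pairs = re.findall(r"(\w[\w-]*)\((\d+)\)", m.group("rest"))
            info["counts"][m.group("kind")] = {k: int(v) for k, v in pairs}
            continue
        r = RETRANS_RE.search(line)  # wrapped continuation of the previous state line
        if r and info["states"] and info["states"][-1]["retransmit_in"] is None:
            info["states"][-1]["retransmit_in"] = int(r.group("secs"))
    return info


def diagnose(info):
    """Turn parsed status into plain-language findings, most general first."""
    findings = []
    ike = info["counts"].get("IKE SAs", {})
    ipsec = info["counts"].get("IPsec SAs", {})
    if ike.get("authenticated", 0) == 0 and ipsec.get("total", 0) == 0:
        findings.append("phase 1 never authenticated, so no IPsec SA exists yet")
    for st in info["states"]:
        if st["retransmit_in"] is not None:
            meaning = STALL_MEANING.get(st["state"], "unknown state")
            findings.append(f"#{st['num']} {st['conn']} is retransmitting in "
                            f"{st['state']}: {meaning}")
        if st["nat_t"]:
            findings.append(f"#{st['num']} {st['conn']} runs on UDP/4500, so the peer "
                            "sees a NAT'd source address; confirm the peer's tunnel "
                            "definition and our leftid= agree on that identity")
    return findings


# Status lines from the post above (copied, not constructed).
SAMPLE_STATUS = """\
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3);
EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
1: pending Phase 2 for "ipsec" replacing #0
"""

if __name__ == "__main__":
    for finding in diagnose(parse_status(SAMPLE_STATUS)):
        print("-", finding)
```

Run it as-is to see the three findings for the quoted status; feed it the output of `ipsec status` on the EC2 host to apply it to a live connection. For a state of STATE_MAIN_I3 the next place to look is the responder side (the ASA's IKE debug or syslog), since only it knows why MI3 was not accepted.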

