[Swan] Problem connecting to a Cisco ASA
Paul Wouters
paul at nohats.ca
Wed Mar 10 03:16:26 UTC 2021
On Mon, 8 Mar 2021, Miguel Ponce Antolin wrote:
> I think we are facing issues with the IKE algorithms.
>
> The Cisco peer has the following configuration:
> - pfs group14
> - ikev2 ipsec-proposal AES256-SHA256
> - security-association lifetime seconds 28800
>
> So the libreswan side is configured in ipsec.d/vpn.conf with similar parameters, using the latest version from the yum repository, 3.25:
>
> conn vpn
> type=tunnel
> authby=secret
> auto=start
> left=%defaultroute
> leftid=xxx.xxx.xxx.120
> leftsubnets=10.xxx.xxx.xxx/28
> right=xxx.xxx.xxx.45
> rightsubnets=xxx.xxx.xxx.17/32
> leftsourceip=xxx.xxx.xxx.92
> leftnexthop=%defaultroute
> ikev2=insist
> ike=aes256-sha2;dh14
> keyexchange=ike
> ikelifetime=28800s
> salifetime=28800s
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart
> remote_peer_type=cisco
> aggrmode=yes
> initial-contact=yes
> encapsulation=no
Delete the lines with remote_peer_type, aggrmode, and encapsulation
Try using ike=aes256-sha2_256;dh14
> Mar 8 12:33:25.540325: | selected state microcode Initiator: process AUTHENTICATION_FAILED AUTH notification
It could also be that they are expecting a different leftid= than you think?
Despite them claiming pfs, you can try pfs=no as well to see if that
makes a difference.
Paul
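The poster's conn block with Paul's suggestions applied, as an added example that is not part of the original thread (the masked xxx addresses are the poster's own placeholders, and pfs=no is included only as the diagnostic Paul proposes, left commented out):

```ini
# /etc/ipsec.d/vpn.conf -- the poster's conn with Paul's suggestions applied
# (added example, not from the thread; xxx placeholders are the poster's own)
conn vpn
    type=tunnel
    authby=secret
    auto=start
    left=%defaultroute
    # Must match the ID the ASA expects for this peer (Paul's leftid= remark)
    leftid=xxx.xxx.xxx.120
    leftsubnets=10.xxx.xxx.xxx/28
    right=xxx.xxx.xxx.45
    rightsubnets=xxx.xxx.xxx.17/32
    leftsourceip=xxx.xxx.xxx.92
    leftnexthop=%defaultroute
    ikev2=insist
    # Spell out the SHA-2 size so it matches the ASA's AES256-SHA256 proposal
    ike=aes256-sha2_256;dh14
    keyexchange=ike
    ikelifetime=28800s
    salifetime=28800s
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    # Removed per Paul's advice: remote_peer_type=cisco, aggrmode=yes and
    # encapsulation=no (aggressive mode is IKEv1-only; IKEv2 has no such mode)
    # Diagnostic only: uncomment if the ASA's claimed PFS still does not match
    #pfs=no
```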