Issue #1127

IPSEC Tunnel Issue IKEV2 on cisco router and Strongswan on centos

Added by hemant gupta almost 10 years ago. Updated almost 10 years ago.

Status:
Closed
Priority:
Normal
Category:
configuration
Affected version:
5.3.2
Resolution:
No feedback

Description

Cisco Router: WAN = public IP, LAN = 192.168.40.0/32 (SiteA)
Server: WAN = public IP, LAN = 192.168.246.0/32 (SiteB)

Cisco Router

crypto ikev2 proposal ikev2proposal 
 encryption aes-cbc-128
 integrity sha1
 group 2  
!         
crypto ikev2 policy ike2policy 
 match fvrf any
 proposal ikev2proposal
!         
crypto ikev2 keyring keys
 peer s5-gw-sing
  address SiteB
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !        
!         
!         
crypto ikev2 profile ikev2profile
 match address local interface GigabitEthernet0/0
 match identity remote address SiteB 
 authentication remote pre-share
 authentication local pre-share
 keyring local keys

crypto isakmp policy 1
 authentication pre-share
 group 2  

crypto isakmp key cisco address SiteB   no-xauth

crypto ipsec transform-set TS esp-aes esp-sha-hmac 
 mode tunnel

crypto map cmap 10 ipsec-isakmp 
 set peer SiteB
 set transform-set TS 
 set pfs group2
 set ikev2-profile ikev2profile
 match address AWS_S
!         

interface GigabitEthernet0/0
 ip address SiteA
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 crypto map cmap

ip access-list extended AWS_S
 permit ip 192.168.40.0 0.0.0.255 192.168.246.0 0.0.0.255
 permit ip 192.168.40.0 0.0.0.255 10.5.5.0 0.0.0.255

AWS

[root@s5-gw-sing ipsec.d]# cat .conf 
conn cisco

        authby=psk
        type=tunnel
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1     
        right=SiteA
        left=%defaultroute
        leftsubnet=192.168.246.0/24
        leftfirewall=yes
        rightsubnet=192.168.40.0/24
        keyexchange=ikev2
        rightallowany=yes
        ike=aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1-modp1536
        esp=aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1, 3des-md5
        auto=add

# /etc/ipsec.secrets - strongSwan IPsec secrets file

SiteA : PSK "cisco" 
robu.ddns.net : PSK  "N9918412" 
1.178.3.4 192.168.246.110 : PSK "N9918412" 
: RSA /etc/strongswan/ipsec.d/private/vpngw01Key.pem #vpngw01Key.pem

Output:-

initiating IKE_SA hemantg[234] to SiteA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.246.110[500] to 112.196.55.66[500] (1356 bytes)
received packet: from 112.196.55.66[500] to 192.168.246.110[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=pc1.symstream.com" 
sending cert request for "C=AU, OU=RnD, O=Symstream, CN=test-name.rnd.symstream.com" 
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=pc1.symstream.com" 
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=in-gw1.symstream.com" 
sending cert request for "C=AU, O=Symstream, OU=RnD, CN=vpngw01.symstream.com" 
no IDi configured, fall back on IP address
authentication of '192.168.246.110' (myself) with pre-shared key
establishing CHILD_SA hemantg
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (524 bytes)
received packet: from 112.196.55.66[4500] to 192.168.246.110[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'hemantg' failed
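An added example (not part of the issue, and not strongSwan's own code) that checks whether the Cisco IKEv2 proposal and transform set posted above can match the strongSwan ike= and esp= lists. The Cisco-keyword-to-strongSwan-name mapping is an assumption of this example and only covers the keywords that appear in the issue. Note that the log above already shows IKE_SA_INIT completing, so the IKE proposals did overlap; the ESP (CHILD_SA) side was never reached because IKE_AUTH failed first, and this check covers it ahead of time.

```python
# Added example, not the issue's own code: compare the Cisco proposals in the
# description with the strongSwan ike=/esp= lists. The keyword mapping below is
# an assumption of this example and covers only the keywords on the page.

CISCO_TO_SWAN = {
    "aes-cbc-128": "aes128",
    "aes-cbc-256": "aes256",
    "esp-aes": "aes128",          # esp-aes without a key size is 128-bit on IOS
    "esp-aes 256": "aes256",
    "sha1": "sha1",
    "esp-sha-hmac": "sha1",
    "esp-md5-hmac": "md5",
    "group 2": "modp1024",
    "group 5": "modp1536",
    "group 14": "modp2048",
}


def cisco_proposal(encryption, integrity, group=None):
    """Render Cisco keywords as a strongSwan proposal string, e.g. aes128-sha1-modp1024."""
    parts = [CISCO_TO_SWAN[encryption], CISCO_TO_SWAN[integrity]]
    if group is not None:
        parts.append(CISCO_TO_SWAN[group])
    return "-".join(parts)


def parse_swan_list(value):
    """Split an ike=/esp= value; strongSwan trims the spaces after commas, so do we."""
    return [p.strip() for p in value.split(",") if p.strip()]


def split_proposal(text):
    """'aes128-sha1-modp1024' -> ('aes128', 'sha1', 'modp1024'); the DH part is optional."""
    enc, integ, *dh = text.split("-")
    return enc, integ, (dh[0] if dh else None)


def compatible(cisco, swan_list):
    """Return the strongSwan entries that match the Cisco proposal exactly:
    encryption, integrity and DH group all equal. An entry without a DH group
    (no PFS) only matches a Cisco proposal that also carries no group."""
    want = split_proposal(cisco)
    return [p for p in swan_list if split_proposal(p) == want]


# Values taken from the issue description.
CISCO_IKE = cisco_proposal("aes-cbc-128", "sha1", "group 2")              # crypto ikev2 proposal
CISCO_ESP = cisco_proposal("esp-aes", "esp-sha-hmac", "group 2")          # transform-set TS + set pfs group2
SWAN_IKE = parse_swan_list("aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1-modp1536")
SWAN_ESP = parse_swan_list("aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1, 3des-md5")

if __name__ == "__main__":
    for label, cisco, swan in (("IKE", CISCO_IKE, SWAN_IKE), ("ESP", CISCO_ESP, SWAN_ESP)):
        hits = compatible(cisco, swan)
        print(f"{label}: Cisco offers {cisco}; matching strongSwan entries: {hits or 'NONE'}")
```

Both the IKE and the ESP lists contain aes128-sha1-modp1024, so neither negotiation fails on proposals; the script reports NONE when a side is changed to something the other does not list (for instance raising the Cisco DH group without touching the strongSwan lists).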

History

#1 Updated by hemant gupta almost 10 years ago

Getting an error in the tunnel.
Output:-

initiating IKE_SA hemantg[234] to SiteA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.246.110[500] to 112.196.55.66[500] (1356 bytes)
received packet: from 112.196.55.66[500] to 192.168.246.110[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=pc1.symstream.com" 
sending cert request for "C=AU, OU=RnD, O=Symstream, CN=test-name.rnd.symstream.com" 
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=pc1.symstream.com" 
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=in-gw1.symstream.com" 
sending cert request for "C=AU, O=Symstream, OU=RnD, CN=vpngw01.symstream.com" 
no IDi configured, fall back on IP address
authentication of '192.168.246.110' (myself) with pre-shared key
establishing CHILD_SA hemantg
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (524 bytes)
received packet: from 112.196.55.66[4500] to 192.168.246.110[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'hemantg' failed

#2 Updated by Tobias Brunner almost 10 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Assignee deleted (Martin Willi)
  • Priority changed from Urgent to Normal

hemant gupta wrote:

received AUTHENTICATION_FAILED notify error

Check the log on the other end to see why the authentication failed. Wrong PSK?

#3 Updated by hemant gupta almost 10 years ago

Tobias Brunner wrote:

[...]

Check the log on the other end to see why the authentication failed. Wrong PSK?

Now I am getting this error:

sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
retransmit 2 of request with message ID 1
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
retransmit 3 of request with message ID 1
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
sending keep alive to 112.196.55.66[4500]
retransmit 4 of request with message ID 1
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
sending keep alive to 112.196.55.66[4500]
sending keep alive to 112.196.55.66[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
sending keep alive to 112.196.55.66[4500]
sending keep alive to 112.196.55.66[4500]
sending keep alive to 112.196.55.66[4500]

#4 Updated by Tobias Brunner almost 10 years ago

Looks like the other peer is not reachable on UDP port 4500. Make sure it listens on that port and no firewall blocks traffic to it.
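An added example, not part of the ticket and not strongSwan's own tooling, that runs a small triage over charon log excerpts like the two posted above and tells the two failure modes apart: an explicit AUTHENTICATION_FAILED notify from the peer (comment #2: look at the peer's log, check the PSK) versus a request that is retransmitted and never answered on UDP 4500 (comment #4: make sure the peer listens there and nothing filters it). The sample lines are the ones from this issue; the classification rules and the advice strings are this example's own. It also flags a detail visible in the first log: with no leftid set and the host behind NAT, strongSwan identifies itself by its private address 192.168.246.110, which is worth comparing against whatever identity the responder expects when an IKE_AUTH is rejected.

```python
import re

# Added example, not from the issue or strongSwan: triage a charon log excerpt
# into the failure stages seen in this ticket. Sample lines are copied from the
# ticket; the rules and advice below are this example's own.

SAMPLE_AUTH_FAILED = """\
initiating IKE_SA hemantg[234] to SiteA
sending packet: from 192.168.246.110[500] to 112.196.55.66[500] (1356 bytes)
received packet: from 112.196.55.66[500] to 192.168.246.110[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
no IDi configured, fall back on IP address
authentication of '192.168.246.110' (myself) with pre-shared key
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (524 bytes)
received packet: from 112.196.55.66[4500] to 192.168.246.110[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'hemantg' failed
"""

SAMPLE_NO_ANSWER = """\
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
retransmit 1 of request with message ID 1
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
retransmit 2 of request with message ID 1
sending keep alive to 112.196.55.66[4500]
retransmit 5 of request with message ID 1
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (540 bytes)
"""

PKT_RE = re.compile(r"^(sending|received) packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
RETRANSMIT_RE = re.compile(r"^retransmit (\d+) of request with message ID (\d+)")
MYSELF_RE = re.compile(r"^authentication of '([^']+)' \(myself\)")


def triage(log_text):
    """Classify an excerpt. Returned keys:
    stage            last exchange a response was parsed for: 'init', 'auth' or 'unknown'
    auth_failed      peer answered IKE_AUTH with AUTHENTICATION_FAILED
    nat              charon detected NAT (traffic moves to UDP 4500)
    local_identity   identity charon authenticated with, if logged
    id_fallback      no IDi configured, so the identity is the local (here private) IP
    retransmits      highest retransmit count seen
    unanswered_port  port our requests went to when they were retransmitted and never answered
    advice           the next check, following the maintainer's replies in the ticket
    """
    r = {"stage": "unknown", "auth_failed": False, "nat": False, "local_identity": None,
         "id_fallback": False, "retransmits": 0, "unanswered_port": None, "advice": ""}
    last_sent_port = None
    answered = True
    for line in log_text.splitlines():
        line = line.strip()
        if "parsed IKE_SA_INIT response" in line:
            r["stage"] = "init"
        elif "parsed IKE_AUTH response" in line:
            r["stage"] = "auth"
        if "behind NAT" in line:
            r["nat"] = True
        if "no IDi configured" in line:
            r["id_fallback"] = True
        if "AUTHENTICATION_FAILED" in line:
            r["auth_failed"] = True
        m = MYSELF_RE.match(line)
        if m:
            r["local_identity"] = m.group(1)
        m = PKT_RE.match(line)
        if m:
            if m.group(1) == "sending":
                last_sent_port, answered = int(m.group(5)), False
            else:
                answered = True
        m = RETRANSMIT_RE.match(line)
        if m:
            r["retransmits"] = max(r["retransmits"], int(m.group(1)))
    if not answered and r["retransmits"] > 0:
        r["unanswered_port"] = last_sent_port
    if r["auth_failed"]:
        r["advice"] = ("peer rejected IKE_AUTH: read the peer's log, verify the PSK on both sides"
                       + (f", and check that the peer accepts identity {r['local_identity']}"
                          if r["id_fallback"] and r["nat"] else ""))
    elif r["unanswered_port"] is not None:
        r["advice"] = (f"request retransmitted {r['retransmits']}x with no reply on UDP "
                       f"{r['unanswered_port']}: confirm the peer listens there and no firewall drops it")
    else:
        r["advice"] = "no failure signature recognised"
    return r


if __name__ == "__main__":
    for name, sample in (("first log", SAMPLE_AUTH_FAILED), ("second log", SAMPLE_NO_ANSWER)):
        print(name, "->", triage(sample)["advice"])
```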

#5 Updated by Tobias Brunner almost 10 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback