Issue #3074
Updated by Tobias Brunner over 6 years ago
Hi,
Googled this to death and have been going through the Wiki but cannot find an answer. Have a working VPN between Cisco ASA and Swanctl. However once the tunnel has timed out the only way to get it back (or to start in the first place) is to restart (start) it manually.
Error when not working.
<pre>
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[IKE] no IKE config found for 192.168.210.4...194.70.246.245, sending NO_PROPOSAL_CHOSEN
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[NET] sending packet: from 192.168.210.4[500] to 194.70.246.245[500] (36 bytes)
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 14[NET] received packet: from 194.70.246.245[500] to 192.168.210.4[500] (870 bytes)
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) V
</pre>
To bring it up from the Swanctl end:
<pre>
swanctl -q
swanctl -i -c net-net
</pre>
I've tried dpd_actions and the commands which don't work for strongswan such as auto=start
Here is my code.
<pre>
include conf.d/*.conf
include /etc/strongswan/*.conf

connections {
    a2a {
        local_addrs = 192.168.210.4
        remote_addrs = 194.70.246.245
        local {
            auth = psk
            id = 192.168.210.4
        }
        remote {
            auth = psk
            id = 194.70.246.245
        }
        children {
            net-net {
                local_ts = 192.168.210.0/24
                remote_ts = 10.1.0.0/16
                start_action = trap
                updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                #start_action = trap
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
                dpd_action = restart
            }
        }
        version = 2
        mobike = no
        reauth_time = 10800
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
    }
}
secrets {
    #ike-secret {
    ike-a2a {
        id = 192.168.210.4
</pre>
I've also been playing with strongswan.conf as I've seen references to that
<pre>
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
swanctl {
    load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon-systemd {
    load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
}
start-scripts {
    creds = /usr/local/sbin/swanctl --load-creds
    conns = /usr/local/sbin/swanctl --load-conns
    pools = /usr/local/sbin/swanctl --load-pools
}
filelog {
    /var/log/charon.log {
        flush_line = yes
    }
</pre>
Any help greatly appreciated.....as I've run out of ideas.........
thanks
alex
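charon writes the quoted "no IKE config found for local...remote, sending NO_PROPOSAL_CHOSEN" line on the responder side when a peer's IKE_SA_INIT arrives and no loaded connection matches that address pair, so the peer's retries keep failing until connections are loaded into the daemon. The following log scanner is an added example, not part of the post or of strongSwan; its sample lines are constructed after the ones quoted above, and the expected-peer set and the extra peer 203.0.113.7 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the charon lines quoted in the post (not a real capture).
SAMPLE_LOG = """\
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[IKE] no IKE config found for 192.168.210.4...194.70.246.245, sending NO_PROPOSAL_CHOSEN
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 12[NET] sending packet: from 192.168.210.4[500] to 194.70.246.245[500] (36 bytes)
May 29 07:30:41 swanctl-vpn-aj ipsec[1086]: 14[NET] received packet: from 194.70.246.245[500] to 192.168.210.4[500] (870 bytes)
May 29 07:30:44 swanctl-vpn-aj ipsec[1086]: 14[IKE] no IKE config found for 192.168.210.4...194.70.246.245, sending NO_PROPOSAL_CHOSEN
May 29 07:31:02 swanctl-vpn-aj ipsec[1086]: 09[IKE] no IKE config found for 192.168.210.4...203.0.113.7, sending NO_PROPOSAL_CHOSEN
"""

# Responder-side rejection: no loaded connection matches local...remote for an incoming IKE_SA_INIT.
NO_CONFIG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?\[IKE\] "
    r"no IKE config found for (?P<local>\d+(?:\.\d+){3})\.\.\.(?P<remote>\d+(?:\.\d+){3}), "
    r"sending NO_PROPOSAL_CHOSEN$"
)


def find_unconfigured_peers(log_text):
    """Return {(local, remote): [timestamps]} for every rejected IKE_SA_INIT in the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = NO_CONFIG_RE.match(line)
        if m:
            hits[(m["local"], m["remote"])].append(m["ts"])
    return dict(hits)


def diagnose(log_text, expected_peers):
    """Classify each rejected address pair. A peer we expect to talk to means the
    connection section is not loaded in charon (swanctl connections live in daemon
    memory and must be reloaded after a restart); an unexpected peer is just an
    unsolicited initiator that charon correctly refused."""
    report = []
    for (local, remote), stamps in sorted(find_unconfigured_peers(log_text).items()):
        if (local, remote) in expected_peers:
            report.append(f"{remote}: {len(stamps)} IKE_SA_INIT rejected, connection not loaded on {local} (run swanctl --load-conns)")
        else:
            report.append(f"{remote}: {len(stamps)} IKE_SA_INIT from a peer with no configured connection (expected)")
    return report


if __name__ == "__main__":
    # Assumed expected peer set: the site-to-site pair from the post.
    for line in diagnose(SAMPLE_LOG, {("192.168.210.4", "194.70.246.245")}):
        print(line)
```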