Hi
I am trying to connect strongSwan U4.2.11 with Cisco ASA 8.0.(3). I have problems with the stability of that link. I sometimes lose the connection after 10-20 min, sometimes more often. The link dies and I must restart the whole ipsec on both sides. I have tried various options but I cannot set a proper configuration. When the link is dead, on my SWAN "ipsec status" shows me that ISAKMP and IPSEC are established, but Cisco shows me that only isakmp is established. I'm not sure that my cisco conf is correct to work with strongSwan. Thx for help or some clue
regards Ted
This is my architecture:

LAN: 10.10.10.0/24 + 30.30.30.0/24 --- SWAN = 192.168.1.1/30 === 192.168.1.2/30 = Cisco --- 50.50.50.0/24

My cisco conf:
access-list e01 extended permit ip 50.50.50.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list e02 extended permit ip 50.50.50.0 255.255.255.0 30.30.30.0 255.255.255.0

crypto ipsec transform-set e01 esp-3des esp-sha-hmac
crypto ipsec transform-set e02 esp-3des esp-sha-hmac

crypto map outside_map 40 match address e01
crypto map outside_map 40 set peer 192.168.1.1
crypto map outside_map 40 set transform-set erwin01_w_wawie
crypto map outside_map 40 set security-association lifetime seconds 86400
crypto map outside_map 50 match address e02
crypto map outside_map 50 set peer 192.168.1.1
crypto map outside_map 50 set transform-set erwin01
crypto map outside_map 50 set security-association lifetime seconds 86400

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

 vpn-idle-timeout none
 vpn-session-timeout none

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
 default-group-policy LAN2LAN
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 20 retry 2
Logs from cisco, a lot of:

Error: Unable to remove PeerTblEntry
Error processing payload: Payload ID: 1
Removing peer from peer table failed, no match!
This is my Swan conf:

config setup
        interfaces=%defaultroute
        plutodebug=control
        crlcheckinterval=180
        strictcrlpolicy=no
        nat_traversal=yes
        uniqueids=yes

conn %default
        type=tunnel
        authby=secret
        ikelifetime=28800
        keylife=86400
        keyingtries=5
        auto=start
        keyexchange=ike
        pfs=no
        auth=esp
        esp=3des-sha1
        #dpdaction=hold
        #dpddelay=60
        #dpdtimeout=500

conn e01-cisco_vpn_asa
        left=192.168.1.1
        leftsubnet=10.10.10.0/24
        leftnexthop=192.168.1.2
        leftsourceip=10.10.10.1
        right=192.168.1.2
        rightsubnet=50.50.50.0/24
        rightnexthop=192.168.1.1

conn e02-cisco_vpn_asa
        left=192.168.1.1
        leftsubnet=30.30.30.0/24
        leftnexthop=192.168.1.2
        right=192.168.1.2
        rightsubnet=50.50.50.0/24
        rightnexthop=192.168.1.1
ipsec statusall:

000 %myid = (none)
000 debug control
000
000 "e01-cisco_vpn_asa": erouted; eroute owner: #3
000 "e01-cisco_vpn_asa": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "e01-cisco_vpn_asa": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 24,26; interface: eth1;
000 "e01-cisco_vpn_asa": newest ISAKMP SA: #0; newest IPsec SA: #3;
000 "e01-cisco_vpn_asa": IKE algorithms wanted: 7_128-2-14,
000 "e01-cisco_vpn_asa": IKE algorithms found: 7_128-2_160-14,
000 "e01-cisco_vpn_asa": ESP algorithms wanted: 3_000-2,
000 "e01-cisco_vpn_asa": ESP algorithms loaded: 3_192-2_160,
000 "e01-cisco_vpn_asa": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=
000 "e02-cisco_vpn_asa": erouted; eroute owner: #4
000 "e02-cisco_vpn_asa": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "e02-cisco_vpn_asa": policy: PSK+ENCRYPT+TUNNEL+UP; prio: 26,26; interface: eth1;
000 "e02-cisco_vpn_asa": newest ISAKMP SA: #2; newest IPsec SA: #4;
000 "e02-cisco_vpn_asa": IKE algorithms wanted: 7_128-2-14,
000 "e02-cisco_vpn_asa": IKE algorithms found: 7_128-2_160-14,
000 "e02-cisco_vpn_asa": IKE algorithm newest: 3DES_CBC_192-SHA-MODP1024
000 "e02-cisco_vpn_asa": ESP algorithms wanted: 3_000-2,
000 "e02-cisco_vpn_asa": ESP algorithms loaded: 3_192-2_160,
000 "e02-cisco_vpn_asa": ESP algorithm newest: 3DES_0-HMAC_SHA1; pfsgroup=
000
000 #3: "e01-cisco_vpn_asa" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 84315s; newest IPSEC; eroute owner
000 #3: "e01-cisco_vpn_asa" esp.a96f310f@192.168.1.2 esp.2b6f7bc5@192.168.1.1; tunnel
000 #4: "e02-cisco_vpn_asa" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 84315s; newest IPSEC; eroute owner
000 #4: "e02-cisco_vpn_asa" esp.d0c44a83@217.74.64.182 esp.dc38acab@192.168.1.1; tunnel
000 #2: "e02-cisco_vpn_asa" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26714s; newest ISAKMP
000

Performance:
  uptime: 30 minutes, since Jan 24 22:07:07 2009
  worker threads: 10 idle of 16, job queue load: 1, scheduled events: 0
  loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
Listening IP addresses:
  192.168.1.1
Connections:
Security Associations:
  none
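The pluto status quoted above already shows the two tunnels in different shapes: e01 has an IPsec SA (#3) but its newest ISAKMP SA is #0, while e02 still references ISAKMP SA #2. An IPsec SA whose Phase 1 SA is gone can neither be rekeyed nor probed with DPD, which is the state in which the two ends stop agreeing about what exists. The script below is an added example, not code from the post or from the strongSwan project: it parses "ipsec statusall" records of the shape pluto (strongSwan 4.2) prints and flags connections in that state so a watchdog can act before the link is noticed dead. The record formats matched by the regular expressions and the sample input (a constructed, line-split copy of the status lines quoted above) are assumptions drawn only from this post.

```python
import re
import sys
from collections import defaultdict

# Constructed sample input: the SA-related records of the `ipsec statusall` output
# quoted in the post, one record per line (the list archive ran them together).
SAMPLE_STATUS = """\
000 "e01-cisco_vpn_asa": erouted; eroute owner: #3
000 "e01-cisco_vpn_asa": newest ISAKMP SA: #0; newest IPsec SA: #3;
000 "e02-cisco_vpn_asa": erouted; eroute owner: #4
000 "e02-cisco_vpn_asa": newest ISAKMP SA: #2; newest IPsec SA: #4;
000 #3: "e01-cisco_vpn_asa" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 84315s; newest IPSEC; eroute owner
000 #3: "e01-cisco_vpn_asa" esp.a96f310f@192.168.1.2 esp.2b6f7bc5@192.168.1.1; tunnel
000 #4: "e02-cisco_vpn_asa" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 84315s; newest IPSEC; eroute owner
000 #4: "e02-cisco_vpn_asa" esp.d0c44a83@217.74.64.182 esp.dc38acab@192.168.1.1; tunnel
000 #2: "e02-cisco_vpn_asa" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 26714s; newest ISAKMP
"""

# Record shapes as printed by pluto in strongSwan 4.2 (assumed from the quoted output).
NEWEST_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": newest ISAKMP SA: #(?P<ike>\d+); newest IPsec SA: #(?P<ipsec>\d+);')
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+) \([^)]*\); '
    r'EVENT_SA_REPLACE in (?P<secs>\d+)s')
ESP_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" esp\.(?P<out_spi>[0-9a-f]+)@(?P<peer>\S+) esp\.')


def _new_conn():
    return {"ike": 0, "ipsec": 0, "peer": None, "states": {}}


def parse_status(text):
    """Map each conn name to its newest ISAKMP/IPsec SA numbers, the remote peer
    (the address after the outbound ESP SPI) and each SA's state with seconds left."""
    conns = defaultdict(_new_conn)
    for line in text.splitlines():
        m = NEWEST_RE.match(line)
        if m:
            conns[m["conn"]]["ike"] = int(m["ike"])
            conns[m["conn"]]["ipsec"] = int(m["ipsec"])
            continue
        m = STATE_RE.match(line)
        if m:
            conns[m["conn"]]["states"][int(m["num"])] = (m["state"], int(m["secs"]))
            continue
        m = ESP_RE.match(line)
        if m:
            conns[m["conn"]]["peer"] = m["peer"]
    return dict(conns)


def classify(conns):
    """Verdict for every conn that has an IPsec SA:
    'ok'                   - it still references a live ISAKMP SA
    'ipsec-without-isakmp' - newest ISAKMP SA is #0: the Phase 1 SA that built this
                             tunnel is gone, so it can be neither rekeyed nor DPD-probed,
                             and the two ends may no longer agree on which SAs exist."""
    verdicts = {}
    for name, c in conns.items():
        if c["ipsec"] == 0:
            continue
        verdicts[name] = "ok" if c["ike"] else "ipsec-without-isakmp"
    return verdicts


def report(text):
    """One line per tunnel; returned rather than printed so a watchdog can act on it."""
    conns = parse_status(text)
    lines = []
    for name, verdict in sorted(classify(conns).items()):
        c = conns[name]
        lines.append(f"{name}: peer={c['peer']} isakmp=#{c['ike']} ipsec=#{c['ipsec']} -> {verdict}")
    return lines


if __name__ == "__main__":
    # Pipe live output in ("ipsec statusall | python3 sa_check.py"); with no input, use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not data.strip():
        data = SAMPLE_STATUS
    for line in report(data):
        print(line)
```

On the quoted output the script reports e01 as ipsec-without-isakmp and e02 as ok. Treat that verdict as a prompt to compare with the ASA's own SA listing rather than as proof by itself; the useful part is that the check runs from the strongSwan side on a schedule, which is where the post says the dead tunnel is currently only noticed by hand.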