I have done quite a bit of searching and playing around and I am still stuck with this issue. Trying to see if I can get some help here. Thanks in advance. I have posted this to Stack Overflow, so the link is here:
http://stackoverflow.com/questions/42212151/moving-from-openswan-to-strongswan-authentication-failed-notify-error

I am converting a site from OpenSWAN to StrongSWAN. My peer is a Cisco ASA device, not sure of the model etc. The tunnel was up and running fine between OpenSWAN and Cisco. We want to move to StrongSWAN (another story why we are moving). I removed OpenSWAN and installed StrongSWAN (on Ubuntu); it was super easy. I converted the ipsec.conf to StrongSWAN requirements. When I start the tunnel I get the "received AUTHENTICATION_FAILED notify error" error. The same parameters worked for OpenSWAN, so I thought this should be an easy move. I don't have access to the Cisco ASA as it is our partner's. I have opened a ticket with them to help me, but that ticket is in the queue. Was wondering if anybody can shed some light on this problem.

root@ip-10-0-0-33:/home/deploy# ipsec up Baptist
initiating IKE_SA Baptist[1652] to 50.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.0.33[500] to 50.xx.xx.xx[500] (1000 bytes)
received packet: from 50.xx.xx.xx[500] to 10.0.0.33[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_1024, it requested ECP_521
initiating IKE_SA Baptist[1652] to 50.xx.xx.xx
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.0.33[500] to 50.xx.xx.xx[500] (1004 bytes)
received packet: from 50.xx.xx.xx[500] to 10.0.0.33[500] (506 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ V ]
local host is behind NAT, sending keep alives
received 2 cert requests for an unknown ca
authentication of '52.34.130.137' (myself) with pre-shared key
establishing CHILD_SA Baptist
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.0.0.33[4500] to 50.xx.xx.xx[4500] (576 bytes)
received packet: from 50.xx.xx.xx[4500] to 10.0.0.33[4500] (96 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'Baptist' failed

Here is my config file:

config setup
    strictcrlpolicy=no
    charondebug=all

conn %default
    left=%any
    ikelifetime=86400s
    keylife=28800s
    authby=secret
    keyexchange=ike

conn Baptist
    left=10.0.0.33
    leftsourceip=10.0.0.33
    leftid=52.XX.XX.XX
    leftsubnet=10.0.0.33/32
    eap_identity=52.XX.XX.XX
    right=50.YY.YY.YY
    rightsubnet=10.17.10.66/32,10.13.210.2/32
    auto=start
    ike=aes256-sha1-mod1024
    esp=aes256-sha1-mod1024
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

*EDIT*: My original OpenSWAN config file is below. BTW: I tried ike1 and ike2 with StrongSWAN with the same effect.

conn Baptist
    type=tunnel
    authby=secret
    auto=start
    forceencaps=yes
    left=%defaultroute
    leftid=52.XX.XX.XX
    #leftsourceip=10.1.200.19
    #leftsourceip=52.XX.XX.XX
    leftsourceip=10.0.0.33
    leftsubnets={10.0.0.33/32}
    right=50.YY.YY.YY
    rightid=50.YY.YY.YY
    rightsubnets=10.17.10.66/32,10.13.210.2/32
    ikelifetime=86400s
    keylife=28800s
    keyexchange=ike
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1
    pfs=no
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

-maqbool
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
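For readers who land on this thread, the following is a strongSwan ipsec.conf and ipsec.secrets pair in the same shape as the posted connection. It is an added example, not the poster's file and not a reply from the list. It keeps the poster's placeholder endpoints and subnets; the PSK value, the ipsec.secrets line and the exact charondebug subsystems are assumptions chosen for illustration. Three documented strongSwan behaviours worth checking against the posted config when comparing the two: the Diffie-Hellman keyword is spelled modp1024 (not mod1024), and without a trailing ! on a proposal charon appends its default proposals to the ones listed, which is one way a peer can end up negotiating a group (here ECP_521) that the administrator never wrote down; a DH group on the esp= line requests PFS, so the equivalent of OpenSWAN's pfs=no is an esp= proposal with no group at all; and eap_identity is only consulted for EAP authentication, so it has no effect under authby=secret.

```conf
# /etc/ipsec.conf  (added example; the addresses are the post's placeholders)
config setup
    strictcrlpolicy=no
    # assumption: narrower debug than "all" is enough to see proposal and auth decisions
    charondebug="ike 2, cfg 2"

conn %default
    ikelifetime=86400s
    keylife=28800s
    # pre-shared key on both sides, looked up in ipsec.secrets by the IDs below
    authby=secret

conn Baptist
    keyexchange=ikev2
    left=10.0.0.33
    leftid=52.XX.XX.XX
    leftsubnet=10.0.0.33/32
    right=50.YY.YY.YY
    # rightid was present in the OpenSWAN config; it is what the PSK lookup keys on
    rightid=50.YY.YY.YY
    rightsubnet=10.17.10.66/32,10.13.210.2/32
    auto=start
    # modp1024 is the documented spelling; the trailing ! stops charon from appending
    # its default proposals, so only the listed groups can be negotiated
    ike=aes256-sha1-modp1024!
    # no DH group here == no PFS, matching OpenSWAN's pfs=no
    esp=aes256-sha1!
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    # forceencaps=yes from the OpenSWAN config; the log shows NAT was detected anyway
    forceencaps=yes

# /etc/ipsec.secrets  (assumption: the real shared secret replaces the placeholder string)
# local-id  peer-id : PSK "secret"
52.XX.XX.XX 50.YY.YY.YY : PSK "replace-with-the-shared-secret"
```

If the peer really does insist on ECP_521 for IKE, the ike= line is where that group is added (for example ike=aes256-sha1-modp1024,aes256-sha1-ecp521!); `ipsec statusall` then shows the proposal set charon actually loaded, which is the first thing to compare against whatever the partner reports from the ASA side.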
