IKEv2 - Strongswan to Cisco
Hi
I am attempting to set up an IKEv2 SA between Strongswan (Ubuntu 12.04 LTS VM) and a Cisco router (1900 vers 15.1).
I have managed to set up a tunnel between 2 Strongswan VMs back to back.
When I attempt an SA to Cisco, it appears to successfully complete the IKE_SA_INIT, but then Cisco reports:
"Failed to decrypt an encrypted packet"
If anyone has any ideas as to where it is going wrong, that would be great.
Strongswan:
conn strongswan-01-cisco
    left=30.10.1.130
    leftsubnet=10.2.0.0/16
    right=30.10.1.51
    rightsubnet=10.4.0.0/16
    auto=add
Cisco:
aaa new-model
aaa authorization network MYLOCAL local
aaa session-id common
!
crypto pki token default removal timeout 0
crypto pki certificate map CERTMAP 10
 subject-name co strongswan
!
crypto ikev2 name-mangler MANGLER
 dn organization-unit
!
crypto ikev2 authorization policy STRONGSWAN
 pool pool.strongswan
 netmask 255.255.0.0
 subnet-acl 199
!
crypto ikev2 proposal proposal1
 encryption aes-cbc-128
 integrity sha256
 group 24
!
crypto ikev2 policy STRONGSWAN
 proposal proposal1
!
crypto ikev2 profile STRONGSWAN
 match certificate CERTMAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 aaa authorization group MYLOCAL name-mangler MANGLER
 aaa accounting psk password
!
crypto ikev2 cookie-challenge 500
!
crypto logging ikev2
!
crypto dynamic-map STRONGSWAN 100
 set ikev2-profile STRONGSWAN
 reverse-route
!
crypto map STATIC 20000 ipsec-isakmp dynamic STRONGSWAN
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 30.10.1.51 255.255.255.0
 duplex auto
 speed auto
 crypto map STATIC