Ivan, 2019-01-27 09:39:34
linux

Why won't ipsec ubuntu-cisco connect?

IPsec between Ubuntu and Cisco. Communication goes through a PSK, which is in /etc/ipsec.secrets:

94.97.1.132 : PSK KEY

ipsec config on Ubuntu:

config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no

conn Jump-to-STC
        authby=psk
        right=159.203.38.79
        rightid=159.203.38.79

        left=94.97.1.132
        leftid=94.97.1.132

        leftsubnet=100.64.0.0/16
        rightsubnet=172.17.0.0/24

        ike=aes256,aes256-sha,aes256-sha1-modp2048-prfsha1,aes256-sha-modp1536-prfsha256,aes128-sha1-modp1536,aes265-sha2_256,aes256-sha2_256-modp1024,aes256-sha-modp1024
        esp=aes256-sha,aes256-sha2_256,aes256-sha-modp1536,aes256-sha-prfsha256,aes128-sha1
        keyexchange=ikev1
        keyexchange=ikev2
        rekeymargin=3m
        ikelifetime=24h
        lifetime=6h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start

I bring up the connection:
sudo ipsec up Jump-to-STC
initiating IKE_SA Jump-to-STC[5] to 94.97.1.132
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 159.203.38.79[500] to 94.97.1.132[500] (1316 bytes)
received packet: from 94.97.1.132[500] to 159.203.38.79[500] (38 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1536
initiating IKE_SA Jump-to-STC[5] to 94.97.1.132
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 159.203.38.79[500] to 94.97.1.132[500] (1252 bytes)
received packet: from 94.97.1.132[500] to 159.203.38.79[500] (521 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
authentication of '159.203.38.79' (myself) with pre-shared key
establishing CHILD_SA Jump-to-STC
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 159.203.38.79[4500] to 94.97.1.132[4500] (492 bytes)
retransmit 1 of request with message ID 1
sending packet: from 159.203.38.79[4500] to 94.97.1.132[4500] (492 bytes)

Initial data on Cisco: (posted as a screenshot, not reproduced here)
iptables:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        0.0.0.0/0
MASQUERADE  all  --  172.17.0.0/24        0.0.0.0/0

Why is there no connection?
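An added diagnostic (not part of the question, and not strongSwan's own tooling): a small Python checker that reads the `ipsec up` output quoted above and reports the stage at which the IKEv2 negotiation stalled. The embedded sample log is an abridged copy of that output.

```python
import re
# Constructed sample: an abridged copy of the 'ipsec up Jump-to-STC' output quoted above.
SAMPLE_LOG = """\
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 159.203.38.79[500] to 94.97.1.132[500] (1316 bytes)
parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
peer didn't accept DH group MODP_2048, it requested MODP_1536
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP) V ]
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr ]
sending packet: from 159.203.38.79[4500] to 94.97.1.132[4500] (492 bytes)
retransmit 1 of request with message ID 1
sending packet: from 159.203.38.79[4500] to 94.97.1.132[4500] (492 bytes)
"""
DH_RE = re.compile(r"peer didn't accept DH group (\S+), it requested (\S+)")
SEND_RE = re.compile(r"sending packet: from \S+\[(\d+)\] to \S+\[(\d+)\]")

def analyze_ipsec_up(log):
    """Classify where the IKEv2 negotiation stalled; returns stage, retransmits, ports, hints."""
    hints, dst_ports, retransmits = [], set(), 0
    init_ok = auth_sent = auth_answered = established = False
    for line in log.splitlines():
        m = DH_RE.search(line)
        if m:  # INVAL_KE is not fatal: strongSwan retries with the requested group
            hints.append("DH mismatch: offered %s, peer wants %s; put that group first "
                         "in ike= to save a round trip" % m.groups())
        m = SEND_RE.search(line)
        if m:
            dst_ports.add(int(m.group(2)))
        if line.startswith("parsed IKE_SA_INIT response") and "INVAL_KE" not in line:
            init_ok = True
        elif line.startswith("generating IKE_AUTH request"):
            auth_sent = True
        elif line.startswith("parsed IKE_AUTH response"):
            auth_answered = True
        elif line.startswith("retransmit"):
            retransmits += 1
        elif " established between " in line:
            established = True
    if established:
        stage = "established"
    elif auth_sent and not auth_answered:
        stage = "IKE_AUTH unanswered"
        hints.append("IKE_SA_INIT succeeded but IKE_AUTH got no reply after %d retransmit(s); "
                     "check UDP %s both ways on both peers (NAT-T moves to 4500) and that the "
                     "peer accepts the PSK, IDs and proposals" % (retransmits, sorted(dst_ports)))
    else:
        stage = "IKE_SA_INIT failed" if not init_ok else "unknown"
    return {"stage": stage, "retransmits": retransmits, "dst_ports": sorted(dst_ports), "hints": hints}
```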
