I'm trying to connect to a Cisco ASA 5520. I have been provided these credentials:
Phase1
VPN IP address (Public IP) | XXX.XXX.XXX.XXX
Authentication Method | Pre-Shared Secret
Encryption Schema | IKE
Perfect Forward Secrecy- IKE | DH Group-2
Encryption Algorithm | 3DES
Hashing Algorithm | SHA-1
Renegotiate IKE SA every | 86400 Sec
Phase2
IPSec | ESP
Perfect Forward Secrecy-IPSEC | NO PFS
Encryption Algorithm IPSec | 3DES
Hashing Algorithm IPSec | SHA-1
Renegotiate IPSec SA every | 3600 Sec
Private Network | 192.168.XXX.XXX/32
On my side, I compiled and installed Libreswan (3.27) on a DigitalOcean droplet, with the public IP YYY.YYY.YYY.YYY and the private IP 10.YYY.YYY.YYY/32. I tried to implement the IPsec VPN with this config:
conn the_vpn
ike=3des-sha1;modp1024,aes128-sha1;modp1024
auto=start
authby=secret
keyexchange=ike
phase2=esp
phase2alg=3des-sha1
left=XXX.XXX.XXX.XXX
leftsubnet=192.168.XXX.XXX/32
right=YYY.YYY.YYY.YYY
rightsubnet=10.YYY.YYY.YYY/32
ikelifetime=3600
type=tunnel
ikev2=never
And I did allow UDP on ports 500 and 4500 on my server (Ubuntu 16.04). I also wrote down the secret key in /etc/ipsec.secrets. But from the logs, it seems that the handshake is initialized by the Cisco, but my side has this error:
packet from XXX.XXX.XXX.XXX:500 : initial Main Mode message received on YYY.YYY.YYY.YYY:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
My questions are these:
1) Does Libreswan still allow IKEv1 with a shared PSK and DH group 2, or has it been deprecated and removed?
2) Does my configuration reflect the other side? Because, as usual, it's me who has to conform to their setup; they can't change anything.
Thank you.
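The following is an added example, not code from the question or from the Libreswan project: a small Python checker that parses the peer's "Name | Value" parameter sheet and a Libreswan conn block, and lists the parameters that do not line up (phase-1 proposal, IKE SA lifetime, phase-2 proposal, PFS, IPsec SA lifetime, IKE version). The sheet text and the conn block are constructed copies of the ones above with the addresses dropped; the Libreswan defaults it assumes for unset keys (ikelifetime 1h, salifetime 8h, pfs=yes) and the DH-group-to-MODP mapping are stated in the comments.

```python
"""Compare a Libreswan conn block against a peer's phase-1/phase-2 sheet.

Added example (not the question's code). Assumes the peer sheet is made
of 'Phase1'/'Phase2' headers followed by 'Name | Value' lines.
"""
import re

# Constructed copy of the peer's sheet from the question (addresses omitted).
PEER_SHEET = """
Phase1
Authentication Method | Pre-Shared Secret
Perfect Forward Secrecy- IKE | DH Group-2
Encryption Algorithm | 3DES
Hashing Algorithm | SHA-1
Renegotiate IKE SA every | 86400 Sec
Phase2
IPSec | ESP
Perfect Forward Secrecy-IPSEC | NO PFS
Encryption Algorithm IPSec | 3DES
Hashing Algorithm IPSec | SHA-1
Renegotiate IPSec SA every | 3600 Sec
"""

# Constructed copy of the conn block from the question (addresses omitted).
CONN_BLOCK = """
conn the_vpn
    ike=3des-sha1;modp1024,aes128-sha1;modp1024
    auto=start
    authby=secret
    keyexchange=ike
    phase2=esp
    phase2alg=3des-sha1
    ikelifetime=3600
    type=tunnel
    ikev2=never
"""

# IKE DH group numbers to Libreswan MODP names (RFC 2409 / RFC 3526).
DH_GROUP_TO_MODP = {1: "modp768", 2: "modp1024", 5: "modp1536", 14: "modp2048"}
CIPHER_NAMES = {"3DES": "3des", "AES": "aes", "AES128": "aes128", "AES256": "aes256"}
HASH_NAMES = {"SHA-1": "sha1", "SHA1": "sha1", "MD5": "md5", "SHA-256": "sha2_256"}
UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_peer_sheet(text):
    """Return {'phase1': {name: value}, 'phase2': {...}} from the sheet."""
    phases, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if "|" not in line:                       # a 'PhaseN' header line
            current = line.lower()
            phases[current] = {}
            continue
        name, value = (p.strip() for p in line.split("|", 1))
        phases[current][name] = value
    return phases


def parse_conn(text):
    """Return (conn_name, {key: value}) from a Libreswan conn block."""
    name, settings = None, {}
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            name = m.group(1)
        elif "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return name, settings


def duration_seconds(value):
    """'86400 Sec', '3600', '1h' -> seconds."""
    m = re.match(r"\s*(\d+)\s*([smhd]?)", value.lower())
    return int(m.group(1)) * UNIT[m.group(2)]


def dh_from_sheet(value):
    """'DH Group-2' -> 'modp1024'; 'NO PFS' -> None."""
    if value.lower().startswith("no"):
        return None
    return DH_GROUP_TO_MODP[int(re.search(r"\d+", value).group())]


def check_conn_against_peer(conn, peer):
    """Return a list of mismatch findings; an empty list means consistent."""
    p1, p2, findings = peer["phase1"], peer["phase2"], []
    # Phase 1: the peer's single proposal must be among our ike= proposals.
    want_p1 = "%s-%s;%s" % (CIPHER_NAMES[p1["Encryption Algorithm"]],
                            HASH_NAMES[p1["Hashing Algorithm"]],
                            dh_from_sheet(p1["Perfect Forward Secrecy- IKE"]))
    if want_p1 not in [p.strip() for p in conn.get("ike", "").split(",")]:
        findings.append("ike= lacks the peer's phase-1 proposal %s" % want_p1)
    # IKE SA lifetime (assumed Libreswan default when unset: 1h).
    ours, theirs = duration_seconds(conn.get("ikelifetime", "1h")), duration_seconds(p1["Renegotiate IKE SA every"])
    if ours != theirs:
        findings.append("ikelifetime=%d differs from peer IKE SA lifetime %d" % (ours, theirs))
    # Phase 2 proposal.
    want_p2 = "%s-%s" % (CIPHER_NAMES[p2["Encryption Algorithm IPSec"]], HASH_NAMES[p2["Hashing Algorithm IPSec"]])
    if conn.get("phase2alg", "") != want_p2:
        findings.append("phase2alg=%s differs from peer proposal %s" % (conn.get("phase2alg", ""), want_p2))
    # PFS (assumed Libreswan default when unset: pfs=yes).
    peer_pfs = dh_from_sheet(p2["Perfect Forward Secrecy-IPSEC"]) is not None
    our_pfs = conn.get("pfs", "yes") == "yes"
    if peer_pfs != our_pfs:
        findings.append("pfs=%s on our side, peer sheet says PFS %s" % ("yes" if our_pfs else "no", "on" if peer_pfs else "off"))
    # IPsec SA lifetime (assumed Libreswan default when unset: 8h).
    ours, theirs = duration_seconds(conn.get("salifetime", "8h")), duration_seconds(p2["Renegotiate IPSec SA every"])
    if ours != theirs:
        findings.append("salifetime=%d differs from peer IPsec SA lifetime %d" % (ours, theirs))
    # The peer negotiates IKEv1 Main Mode; ikev2=insist would refuse it.
    if conn.get("ikev2", "") == "insist":
        findings.append("ikev2=insist rejects an IKEv1-only peer")
    return findings


if __name__ == "__main__":
    name, conn = parse_conn(CONN_BLOCK)
    for f in check_conn_against_peer(conn, parse_peer_sheet(PEER_SHEET)):
        print("%s: %s" % (name, f))
```

The findings are items for the operator to review against the peer sheet, not a diagnosis of the log line quoted above; they only show where the two parameter sets differ as written.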