Site to Site VPN with ASA and Strongswan will not auto connect

(Doug R) #1

ASA 5506-X connecting to Ubuntu 14.04, IKEv1 (PSK). When I would connect to a web server on the strongSwan side from the ASA side, the ASA would establish the connection. That is not happening anymore and I am not sure why. I am going to move to certificate-based authentication once I fix this issue. I do not see anything on the ASA to tell it to initiate the connection.

Strongswan IPSec.conf
======================
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn haafasa
        left=142.93.xxx.yyy                     #strongswan outside address
        leftsubnet=10.xxx.yyy.zzz          #network behind strongswan
        leftid=142.93.xxx.yyy                  #IKEID sent by strongswan
        #leftfirewall=yes
        right=72.209.xxx.yyy             #ASA outside address
        rightsubnet=192.168.20.0/24        #network behind ASA
        rightid=72.209.xxx.yyy             #IKEID sent by ASA
        auto=add
        ike=aes-sha1-modp1024           #P1: modp1024 = DH group 2
        esp=aes-sha1
1 Like
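
An added example, not part of the original post or of strongSwan: a small Python check over a constructed subset of the ipsec.conf above. It resolves `conn %default` inheritance, then reports that `auto=add` leaves initiation to the peer and which DH group the `ike=` proposal selects. The function names are hypothetical.

```python
import re

# DH group numbers for strongSwan's modp keywords.
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

# Constructed sample: a subset of the posted ipsec.conf, addresses masked as posted.
SAMPLE = """
conn %default
        keyexchange=ikev1
        authby=secret

conn haafasa
        left=142.93.xxx.yyy     #strongswan outside address
        right=72.209.xxx.yyy
        auto=add
        ike=aes-sha1-modp1024
"""

def parse_conns(text):
    """Return {conn name: {key: value}}, ignoring '#' comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def effective(conns, name):
    """One conn's settings with 'conn %default' values inherited."""
    return {**conns.get("%default", {}), **conns[name]}

def review(settings):
    """Report which side must initiate and how strong the IKE DH group is."""
    findings = []
    if settings.get("auto") == "add":
        findings.append("auto=add: loaded but not started; waits for the peer to initiate")
    for token in re.findall(r"modp\d+", settings.get("ike", "")):
        if token in DH_GROUPS and int(token[4:]) < 2048:
            findings.append(f"ike: {token} is DH group {DH_GROUPS[token]} (under 2048 bits)")
    if (settings.get("keyexchange"), settings.get("authby")) == ("ikev1", "secret"):
        findings.append("auth: IKEv1 with a pre-shared key")
    return findings

if __name__ == "__main__":
    print("\n".join(review(effective(parse_conns(SAMPLE), "haafasa"))))
```
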
(Doug R) #2

I finally figured it out.

Crypto Map Entry (IPSec Site-to-Site connection profile)
Static Crypto Map Entry Parameters
Device Certificate (a certificate was selected from my certificate-based testing)
Deselected the Certificate and now it initiates the connection.

1 Like