Bug #4178 (closed)

Status: Resolved
Priority: Normal
Category: IPsec
Start date: 01/05/2015
% Done: 100%
Affected Version: 2.2.x

Description

Under some circumstances we haven't exactly narrowed down yet, having the Cisco unity plugin enabled in strongswan causes it to replace its leftsubnet traffic selector value with 0.0.0.0/0, breaking negotiation. It's not universal to all VPNs to ASAs, but is replicable in a number of circumstances.

strongswan ends up logging the following:

Dec 29 23:08:20 fw01 charon: 13[IKE] <con22000|230> received INVALID_ID_INFORMATION error notify

The ASA logs the following:

Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 1.2.3.4/255.255.255.255/0/0 on interface outside

Bug Ermal thinks is relevant, at least to some degree:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718289
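As an added example (not pfSense or strongswan code), a small log check that spots the symptom described above: an ASA "no matching crypto map entry" rejection whose remote proxy is the 0.0.0.0/0.0.0.0 wildcard, correlated with strongswan's INVALID_ID_INFORMATION notify. The sample lines are constructed from the ones quoted in this report; the ASA message layout is assumed to match that quote.

```python
import re

# Constructed sample lines, modelled on the two quoted in the bug report.
STRONGSWAN_LOGS = [
    "Dec 29 23:08:20 fw01 charon: 13[IKE] <con22000|230> received INVALID_ID_INFORMATION error notify",
]
ASA_LOGS = [
    "Rejecting IPSec tunnel: no matching crypto map entry for remote proxy "
    "0.0.0.0/0.0.0.0/0/0 local proxy 1.2.3.4/255.255.255.255/0/0 on interface outside",
]

# ASA proxy identities are printed as address/mask/protocol/port.
ASA_RE = re.compile(
    r"no matching crypto map entry for remote proxy (\S+)/(\S+)/(\d+)/(\d+) "
    r"local proxy (\S+)/(\S+)/(\d+)/(\d+)"
)
# strongswan tags each message with <connection-name|IKE_SA-id>.
SS_RE = re.compile(r"<([^|>]+)\|(\d+)> received INVALID_ID_INFORMATION")


def parse_asa_rejection(line):
    """Return the remote/local proxy tuples of an ASA rejection line, or None."""
    m = ASA_RE.search(line)
    if not m:
        return None
    return {"remote": (m.group(1), m.group(2)), "local": (m.group(5), m.group(6))}


def is_wildcard(addr, mask):
    """True for the 0.0.0.0/0.0.0.0 selector the unity plugin was seen to emit."""
    return addr == "0.0.0.0" and mask == "0.0.0.0"


def find_unity_symptom(strongswan_lines, asa_lines):
    """Names of strongswan connections that got INVALID_ID_INFORMATION while the
    peer ASA rejected a wildcard remote proxy (the selector mismatch from this bug)."""
    asa_wildcard = any(
        (p := parse_asa_rejection(l)) and is_wildcard(*p["remote"]) for l in asa_lines
    )
    if not asa_wildcard:
        return []
    return [m.group(1) for l in strongswan_lines if (m := SS_RE.search(l))]


if __name__ == "__main__":
    print(find_unity_symptom(STRONGSWAN_LOGS, ASA_LOGS))
```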
