I’m configuring a strongSwan server (x.x.168.87) for a third-party service to connect their Cisco ASA 5525 using PSK auth. Phase one appears to succeed from the gateway/peer (x.x.122.4) but phase two fails when they run a traceroute from the client (x.x.120.3) to our gateway server. The logs mention “expected a virtual IP request, sending FAILED_CP_REQUIRED” and say the “traffic selectors [are] unacceptable”. Is strongSwan misconfigured or is the cisco client failing to request an ip? Does strongSwan require that I manually create a virtual IP tunnel? The virtual IP pool appears to be available.

I’m configuring a strongSwan server (x.x.168.87) for a third-party service to connect their Cisco ASA 5525 using PSK auth. Phase one appears to succeed from the gateway/peer (x.x.122.4) but phase two fails when they run a traceroute from the client (x.x.120.3) to our gateway server. The logs mention “expected a virtual IP request, sending FAILED_CP_REQUIRED” and say the “traffic selectors [are] unacceptable”. Is strongSwan misconfigured or is the cisco client failing to request an ip? Does strongSwan require that I manually create a virtual IP tunnel? The virtual IP pool appears to be available.