<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 10.00.9200.16798"></HEAD>
<BODY style="FONT: 10pt Segoe UI; MARGIN: 4px 4px 1px">
<DIV>Hello,</DIV>
<DIV> </DIV>
<DIV>I'm trying to get to grips with Strongswan, specifically creating a site-to-site VPN between Strongswan and a Cisco router or firewall. Although my background is networking, I've not much experience with VPNs.</DIV>
<DIV> </DIV>
<DIV>I'm using GNS3 to play with these things in a virtual environment and have been able to create a connection between two Linux boxes running Strongswan - it works perfectly. However, when I try to create a connection from Strongswan to the router or the firewall I run into problems. For some reason Strongswan seems to be changing the traffic selector for both these connections, as below. I read something about the unity plugin and it seemed to describe something similar to my issue, but enabling it doesn't appear to have helped.</DIV>
<DIV> </DIV>
<DIV>Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for us:<BR>Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] 10.1.0.0/24<BR>Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:<BR>Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] 10.2.0.0/24<BR>Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:<BR>Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] 0.0.0.0/0<BR></DIV>
<DIV>I've pasted my config below and attached a screenshot of my topology. If anyone could offer any advice on where to start I'd be very grateful. Apologies if this is a bit of a newbie issue. I really hope it's not something silly.</DIV>
<DIV> </DIV>
<DIV>conn strongswan-router<BR> ikelifetime=60m<BR> keylife=20m<BR> rekeymargin=3m<BR> keyingtries=1<BR> keyexchange=ikev1<BR> ike=aes128-sha1-modp1536!<BR> authby=secret<BR> left=192.168.0.1<BR> leftsubnet=10.1.0.0/24<BR> leftid=192.168.0.1<BR> leftfirewall=yes<BR> right=192.168.1.1<BR> rightsubnet=10.2.0.0/24<BR> rightid=192.168.1.1<BR> auto=start<BR></DIV>
<DIV> </DIV>
<DIV>R2#sh run<BR>version 12.4<BR>!<BR>!<BR>&lt;omitted several lines&gt;<BR>!<BR>!<BR>crypto isakmp policy 10<BR> encr aes<BR> authentication pre-share<BR> group 5<BR>crypto isakmp key cisco12 address 192.168.0.1<BR>!<BR>!<BR>crypto ipsec transform-set myset esp-aes esp-sha-hmac<BR>!<BR>crypto map mymap 10 ipsec-isakmp<BR> set peer 192.168.0.1<BR> set transform-set myset<BR> match address 100<BR>!<BR>!<BR>!<BR>!<BR>interface FastEthernet0/0<BR> ip address 192.168.1.1 255.255.255.0<BR> speed 100<BR> full-duplex<BR> crypto map mymap<BR>!<BR>interface FastEthernet0/1<BR> ip address 10.2.0.1 255.255.255.0<BR> duplex auto<BR> speed auto<BR>!<BR>ip forward-protocol nd<BR>ip route 192.168.0.0 255.255.255.0 192.168.1.2<BR>!<BR>&lt;omitted several lines&gt;<BR>!<BR>access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255<BR>!<BR>&lt;omitted several lines&gt;<BR>!<BR>R2#<BR></DIV>
<DIV> </DIV>
<DIV>A0089-Mint1 etc # ipsec statusall<BR>Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):<BR> uptime: 2 minutes, since Aug 07 12:06:02 2014<BR> malloc: sbrk 1867776, mmap 532480, used 701088, free 1166688<BR> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2<BR> loaded plugins: charon test-vectors curl soup unbound ldap sqlite pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led duplicheck radattr addrblock unity<BR>Listening IP addresses:<BR> 192.168.0.1<BR> 10.1.0.1<BR>Connections:<BR>strongswan-router: 192.168.0.1...192.168.1.1 IKEv1<BR>strongswan-router: local: [192.168.0.1] uses pre-shared key authentication<BR>strongswan-router: remote: [192.168.1.1] uses pre-shared key authentication<BR>strongswan-router: child: 10.1.0.0/24 === 10.2.0.0/24 TUNNEL<BR>Security Associations (1 up, 0 connecting):<BR>strongswan-router[1]: ESTABLISHED 2 minutes ago, 192.168.0.1[192.168.0.1]...192.168.1.1[192.168.1.1]<BR>strongswan-router[1]: IKEv1 SPIs: d2072b8b790bcf8a_i* 0172409d7563a91c_r, pre-shared key reauthentication in 53 minutes<BR>strongswan-router[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536<BR></DIV>
<DIV> </DIV>
<DIV>R2#debug crypto ipsec<BR>Crypto IPSEC debugging is on<BR>R2#<BR>*Mar 1 15:46:58.504: IPSEC(validate_proposal_request): proposal part #1,<BR> (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,<BR> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),<BR> remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),<BR> protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),<BR> lifedur= 0s and 0kb,<BR> spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2<BR>*Mar 1 15:46:58.516: Crypto mapdb : proxy_match<BR> src addr : 0.0.0.0<BR> dst addr : 10.1.0.0<BR> protocol : 0<BR> src port : 0<BR> dst port : 0<BR>*Mar 1 15:46:58.520: Crypto mapdb : proxy_match<BR> src addr : 0.0.0.0<BR> dst addr : 10.1.0.0<BR> protocol : 0<BR> src port : 0<BR> dst port : 0<BR>*Mar 1 15:46:58.528: map_db_find_best did not find matching map<BR>*Mar 1 15:46:58.528: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1<BR>*Mar 1 15:46:58.528: IPSEC(validate_proposal_request): proposal part #1,<BR> (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,<BR> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),<BR> remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),<BR> protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),<BR> lifedur= 0s and 0kb,<BR> spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2<BR>*Mar 1 15:46:58.532: Crypto mapdb : proxy_match<BR> src addr : 0.0.0.0<BR> dst addr : 10.1.0.0<BR> protocol : 0<BR> src port : 0<BR> dst port : 0<BR>*Mar 1 15:46:58.532: Crypto mapdb : proxy_match<BR> src addr : 0.0.0.0<BR> dst addr : 10.1.0.0<BR> protocol : 0<BR> src port : 0<BR> dst port : 0<BR>*Mar 1 15:46:58.532: map_db_find_best did not find matching map<BR>*Mar 1 15:46:58.532: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1<BR>*Mar 1 15:46:58.532: IPSEC(validate_proposal_request): proposal part #1,<BR> (key eng. msg.) 
INBOUND local= 192.168.1.1, remote= 192.168.0.1,<BR> local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),<BR> remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),<BR> protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),<BR> lifedur= 0s and 0kb,<BR> spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2<BR>*Mar 1 15:46:58.532: Crypto mapdb : proxy_match<BR> src addr : 0.0.0.0<BR> dst addr : 10.1.0.0<BR> protocol : 0<BR> src port : 0<BR> dst port : 0<BR>*Mar 1 15:46:58.532: Crypto mapdb : proxy_match<BR> src addr : 0.0.0.0<BR> dst addr : 10.1.0.0<BR> protocol : 0<BR> src port : 0<BR> dst port : 0<BR>*Mar 1 15:46:58.532: map_db_find_best did not find matching map<BR>*Mar 1 15:46:58.532: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1<BR>*Mar 1 15:46:58.540: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.0.1<BR>R2#<BR></DIV>
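<DIV>An added example, not part of the original message or of the strongSwan project: a small Python script that cross-checks the two peers' traffic selectors from the material posted above. It reads the leftsubnet/rightsubnet values of the ipsec.conf conn block, converts the router's crypto ACL wildcard masks to CIDR prefixes (a Cisco wildcard mask is the complement of a netmask, so 0.0.255.255 covers a /16), and scans the charon log for "changing proposed traffic selectors" lines. The embedded conn block, access-list and log text are copied from the post; the function names and the wording of the findings are this example's own, and the script only reports what differs, not why.</DIV>

```python
"""Cross-check IPsec traffic selectors between a strongSwan ipsec.conf conn
block and a Cisco IOS crypto-map access-list, and flag selectors charon rewrote.

Added example for the thread above; not part of the original post or of
strongSwan. The conn block, ACL and log lines are copied from the post."""
import ipaddress
import re

# Copied from the posted ipsec.conf (only the lines this check needs).
IPSEC_CONF = """\
conn strongswan-router
    keyexchange=ikev1
    left=192.168.0.1
    leftsubnet=10.1.0.0/24
    right=192.168.1.1
    rightsubnet=10.2.0.0/24
"""

# The router's crypto ACL as posted: source = router's own LAN, destination = strongSwan's LAN.
CISCO_ACL = "access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255"

# charon log excerpt copied from the post.
CHARON_LOG = """\
Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for us:
Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.1.0.0/24
Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
Aug 7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0
"""


def parse_ipsec_conf(text):
    """Return {'leftsubnet': network, 'rightsubnet': network} from a conn block."""
    nets = {}
    for m in re.finditer(r"^\s*(leftsubnet|rightsubnet)\s*=\s*(\S+)", text, re.M):
        nets[m.group(1)] = ipaddress.ip_network(m.group(2), strict=False)
    return nets


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask: set bits are 'don't care', so the netmask is its complement."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_cisco_acl(line):
    """Return (source_net, dest_net) from an 'access-list N permit ip A WA B WB' line."""
    m = re.match(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)", line)
    if not m:
        raise ValueError("unsupported ACL syntax: " + line)
    return (wildcard_to_network(m.group(1), m.group(2)),
            wildcard_to_network(m.group(3), m.group(4)))


def charon_selector_changes(log):
    """Return [(side, proposed_ts, rewritten_ts)] for every TS charon changed after proposing it."""
    proposed, changes, side, state = {}, [], None, None
    for line in log.splitlines():
        msg = line.split("[CFG]", 1)[1].strip() if "[CFG]" in line else ""
        m = re.match(r"(proposing|changing proposed) traffic selectors for (us|other):", msg)
        if m:
            state, side = m.group(1), m.group(2)
            continue
        if state and re.fullmatch(r"[\d./]+", msg):
            ts = ipaddress.ip_network(msg, strict=False)
            if state == "proposing":
                proposed[side] = ts
            else:
                changes.append((side, proposed.get(side), ts))
    return changes


def check(ipsec_conf, acl_line, log):
    """Compare both peers' selectors and the charon log; return a list of findings (empty = consistent)."""
    findings = []
    ss = parse_ipsec_conf(ipsec_conf)
    router_src, router_dst = parse_cisco_acl(acl_line)
    # The router's ACL source is its own protected side, i.e. strongSwan's rightsubnet.
    for key, router_net in (("rightsubnet", router_src), ("leftsubnet", router_dst)):
        if ss[key] != router_net:
            findings.append(f"{key}={ss[key]} on strongSwan but the router ACL uses {router_net}")
    for side, before, after in charon_selector_changes(log):
        findings.append(f"charon rewrote the proposed selector for '{side}' from {before} to {after}")
    return findings


if __name__ == "__main__":
    for finding in check(IPSEC_CONF, CISCO_ACL, CHARON_LOG):
        print(finding)
```

<DIV>Run against the posted material it reports three findings: both subnets are /24 in ipsec.conf but /16 in access-list 100, and charon replaced the proposed selector for the peer with 0.0.0.0/0. The router's own debug output shows the second of these being rejected, since the proxy_match attempts with src addr 0.0.0.0 find no matching crypto map and Quick Mode fails. Comparing the two sides' selectors side by side like this is the first check worth making on any strongSwan-to-IOS tunnel before looking at proposals or keys.</DIV>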
</BODY></HTML>