<div dir="ltr"><div><div>With the assistance of Noel Kuntz (Thermi on #strongswan) and Cisco TAC I've managed to resolve the problem.<br><br></div>The issue was that the Cisco device absolutely required the IPSec tunnel to have the protocol limited to GRE (port 47).<br><br></div><div>The Cisco side of a functional tunnel is seen as follows in sh cry ips:<br><br> local ident (addr/mask/prot/port): (x.x.x.x/<a href="http://255.255.255.255/47/0">255.255.255.255/47/0</a>)<br> remote ident (addr/mask/prot/port): (<a href="http://10.2.0.96/255.255.255.255/47/0">10.2.0.96/255.255.255.255/47/0</a>)<br><br></div><div>I had to configure my subnets as follows:<br><br> leftsubnet=%dynamic[47/%any]<br> rightsubnet=%dynamic[47/%any]<br><br></div><div>With this configuration in place I was able to successfully negotiate the tunnel.<br></div><div><br></div>-JohnF<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 19, 2015 at 8:34 PM, Miroslav Svoboda <span dir="ltr"><<a href="mailto:goodmirek@goodmirek.cz" target="_blank">goodmirek@goodmirek.cz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi John,<div><br></div><div>I think it is not possible to use transport mode with a local (left) address from a private range, not routable over the internet, unless the peer is in the same private network.</div><div>I suggest trying a change to <span style="font-family:arial,sans-serif;font-size:12.8000001907349px">"left=%any", "rightsubnet=</span><a href="http://0.0.0.0/0" style="color:rgb(17,85,204);font-family:arial,sans-serif;font-size:12.8000001907349px" target="_blank">0.0.0.0/0</a><span style="font-family:arial,sans-serif;font-size:12.8000001907349px">", "leftsourceip=%config". You should not specify "leftsubnet"; it has the same effect as "leftsubnet=%dynamic". 
Also</span> delete "type=transport" or change it to "tunnel".</div><div>If that does not help, could you please increase the log level as described <a href="https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration" target="_blank">here</a> and provide the log?</div><div>The lines emphasized in bold below are especially important; they are obtained with the following settings in strongswan.d/charon-logging.conf:</div><div><div> enc = 1</div><div> job = 1</div><div> cfg = 2</div><div> ike = 4</div><div> mgr = 4</div><div> knl = 2</div></div><div><br></div><div>Also attach the output of the "ipsec statusall" command.</div><div><br></div><div>The log should look like this, even though this one is from a VPN server to which roadwarriors are connecting:</div><div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> IKE_SA roadwarrior[1] state change: CONNECTING => ESTABLISHED</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> scheduling reauthentication in 9746s</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> maximum IKE_SA lifetime 10286s</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> sending end entity cert "C=CZ, O=Aloha, CN=<a href="http://swan.aloha.com" target="_blank">swan.aloha.com</a>"</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> peer requested virtual IP %any</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> assigning new lease to 'C=CZ, O=Aloha, CN=GoodBoy'</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> assigning virtual IP 192.168.55.1 to peer 'C=CZ, O=Aloha, CN=GoodBoy'</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> peer requested virtual IP %any6</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> no virtual IP found for %any6 requested by 'C=CZ, O=Aloha, CN=GoodBoy'</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> building INTERNAL_IP4_DNS attribute</div><div>2015-04-18 21:40:28 10[IKE] <roadwarrior|1> building INTERNAL_IP4_DNS attribute</div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> looking for a child config for <a 
href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> ::/0 === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> ::/0</b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> proposing traffic selectors for us:</b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> proposing traffic selectors for other:</b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a></b></div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> candidate "roadwarrior" with prio 10+2</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> found matching child config "roadwarrior" with prio 12</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> no acceptable ENCRYPTION_ALGORITHM found</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> no acceptable INTEGRITY_ALGORITHM found</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> no acceptable ENCRYPTION_ALGORITHM found</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> proposal matches</div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> received proposals: ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ</div><div>@ </div><div>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ</div><div>2015-04-18 21:40:28 10[KNL] <roadwarrior|1> got SPI cff90361</div><div><b>2015-04-18 21:40:28 10[CFG] 
<roadwarrior|1> selecting traffic selectors for us:</b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> config: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>, received: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> => match: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> config: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a>, received: ::/0 => no match</b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting traffic selectors for other:</b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> config: <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a>, received: <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> => match: <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a></b></div><div><b>2015-04-18 21:40:28 10[CFG] <roadwarrior|1> config: <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a>, received: ::/0 => no match</b></div><div>2015-04-18 21:40:28 10[KNL] <roadwarrior|1> adding SAD entry with SPI cff90361 and reqid {1} (mark 0/0x00000000)</div><div>2015-04-18 21:40:28 10[KNL] <roadwarrior|1> using encryption algorithm AES_CBC with key size 128</div><div>2015-04-18 21:40:28 10[KNL] <roadwarrior|1> using integrity algorithm HMAC_SHA1_96 with key size 160</div><div>2015-04-18 21:40:28 10[KNL] <roadwarrior|1> using replay window of 32 packets</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding SAD entry with SPI a2210fbc and reqid {1} (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using encryption algorithm AES_CBC with key size 128</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using integrity algorithm HMAC_SHA1_96 with key size 160</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using replay window of 32 packets</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy <a href="http://0.0.0.0/0" 
target="_blank">0.0.0.0/0</a> === <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> out (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> in (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> fwd (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in traffic selector <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to reach <a href="http://176.74.128.37/32" target="_blank">176.74.128.37/32</a></div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface eth0</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> installing route: <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> via 10.20.30.1 src %any dev eth0</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting iface index for eth0</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> === <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> out (mark 0/0x00000000) already exists, increasing refcount</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> === <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> out (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> in (mark 0/0x00000000) already 
exists, increasing refcount</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> in (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> fwd (mark 0/0x00000000) already exists, increasing refcount</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> fwd (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in traffic selector <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to reach <a href="http://176.74.128.37/32" target="_blank">176.74.128.37/32</a></div><div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface eth0</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> installing route: <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> via 10.20.30.1 src %any dev eth0</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting iface index for eth0</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> === <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> out (mark 0/0x00000000) already exists, increasing refcount</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> === <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> out (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 
<a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> in (mark 0/0x00000000) already exists, increasing refcount</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> in (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> fwd (mark 0/0x00000000) already exists, increasing refcount</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a> === <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> fwd (mark 0/0x00000000)</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in traffic selector <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a></div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any</div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to reach <a href="http://176.74.128.37/32" target="_blank">176.74.128.37/32</a></div><div>2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface eth0</div><div>2015-04-18 21:40:29 10[IKE] <roadwarrior|1> CHILD_SA roadwarrior{1} established with SPIs cff90361_i a2210fbc_o and TS <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> === <a href="http://192.168.55.1/32" target="_blank">192.168.55.1/32</a></div><div>2015-04-18 21:40:29 10[ENC] <roadwarrior|1> generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]</div><div>2015-04-18 21:40:29 10[NET] <roadwarrior|1> sending packet: from 10.20.30.40[4500] to 176.74.128.37[37370] (1612 bytes)</div><div>2015-04-18 21:40:29 10[MGR] <roadwarrior|1> checkin IKE_SA 
roadwarrior[1]</div><div>2015-04-18 21:40:29 10[MGR] <roadwarrior|1> check-in of IKE_SA successful.</div></div><div><br></div><div>Regards,</div><div>Miroslav</div><div><div class="h5"><div><br></div>On Saturday, April 18, 2015 at 2:57:02 PM UTC+2, John Marrett wrote:<blockquote class="gmail_quote" style="margin:0;margin-left:0.8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>I'm trying to build a GRE tunnel / transport-based IPSec VPN between a Cisco IOS router and a device running strongswan on OpenWrt. I successfully negotiate phase 1 but then fail to negotiate phase 2.<br><br>The Cisco device indicates proxy identities are not supported, which would suggest that the IPSec session is being negotiated with the wrong IP addresses. Here are the log messages from the Cisco device:<br><br>.Apr 18 08:26:03.870: ISAKMP:(13414):Checking IPSec proposal 0<br>.Apr 18 08:26:03.870: ISAKMP: transform 1, ESP_AES <br>.Apr 18 08:26:03.870: ISAKMP: attributes in transform:<br>.Apr 18 08:26:03.870: ISAKMP: key length is 128<br>.Apr 18 08:26:03.870: ISAKMP: authenticator is HMAC-SHA512<br>.Apr 18 08:26:03.870: ISAKMP: encaps is 2 (Transport)<br>.Apr 18 08:26:03.870: ISAKMP: SA life type in seconds<br>.Apr 18 08:26:03.870: ISAKMP: SA life duration (basic) of 3600<br>.Apr 18 08:26:03.870: ISAKMP:(13414):atts are acceptable.<br>.Apr 18 08:26:03.870: IPSEC(ipsec_process_proposal): proxy identities not supported<br>.Apr 18 08:26:03.870: ISAKMP:(13414): IPSec policy invalidated proposal with error 32<br>.Apr 18 08:26:03.870: ISAKMP:(13414): phase 2 SA policy not acceptable! (local x.x.x.x remote 10.2.0.29)<br><br></div>And here is the configuration for strongswan. 
I had originally omitted the subnet definitions, but I added them to ensure that the correct subnets were specified.<br><br>conn host-host<br> left=10.2.0.29<br> leftid=10.2.0.29<br> leftsubnet=<a href="http://10.2.0.29/32" rel="nofollow" target="_blank">10.2.0.29/32</a><br> right=x.x.x.x<br> rightid=x.x.x.x<br> rightsubnet=x.x.x.x/32<br> type=transport<br> auto=start<br> keyexchange=ikev1<br> ike=aes128-sha256-modp4096!<br> esp=aes128-sha512!<br> authby=secret<br><div><br></div><div>I am running strongswan 5.2.2 on OpenWrt. The Cisco router is running a dev special release of 15.3(3)M3.2.<br><br></div><div>Thank you in advance for your help,<br><br></div><div>-JohnF<br></div></div>
</blockquote></div></div></div></div><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br></div>
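The proxy-identity mismatch this thread turns on, as an added example that is not code from the strongSwan project or from the posters: the original leftsubnet=10.2.0.29/32 carries no protocol, while the Cisco peer's idents end in /47/0 (IP protocol 47, GRE, any port), and the %dynamic[47/%any] form makes both sides agree. It assumes 203.0.113.1 as a documentation-range stand-in for the router address the thread masks as x.x.x.x, and uses 10.2.0.29 as the OpenWrt host on both sides of the comparison (the working tunnel in the thread showed 10.2.0.96).

```python
"""Added example, not code from strongSwan or Cisco: check whether strongSwan
ipsec.conf leftsubnet/rightsubnet selectors describe the same proxy identities
that a Cisco IOS peer prints as "local/remote ident (addr/mask/prot/port)".
Modelled syntax: "A.B.C.D/NN" or "%dynamic", optionally with "[proto/port]"."""
import ipaddress
import re

# Protocol names accepted in the "[proto/port]" suffix; GRE is IP protocol 47.
PROTO_NAMES = {"%any": 0, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}

def parse_swan_subnet(spec, host_ip):
    """'%dynamic[47/%any]' with host 10.2.0.29 -> (10.2.0.29/32, 47, 0)."""
    m = re.fullmatch(r"(%dynamic|[\d.]+(?:/\d+)?)(?:\[([^/\]]+)(?:/([^\]]+))?\])?", spec.strip())
    if not m:
        raise ValueError("unsupported subnet spec: %r" % spec)
    addr, proto, port = m.groups()
    net = ipaddress.ip_network(host_ip + "/32" if addr == "%dynamic" else addr, strict=False)
    if proto is None:
        proto_num = 0                      # no suffix: any protocol
    elif proto.lower() in PROTO_NAMES:
        proto_num = PROTO_NAMES[proto.lower()]
    else:
        proto_num = int(proto)             # numeric protocol, e.g. 47
    port_num = 0 if port in (None, "%any") else int(port)
    return net, proto_num, port_num

def parse_cisco_ident(ident):
    """'(10.2.0.96/255.255.255.255/47/0)' -> (10.2.0.96/32, 47, 0)."""
    addr, mask, proto, port = ident.strip("() ").split("/")
    return ipaddress.ip_network("%s/%s" % (addr, mask), strict=False), int(proto), int(port)

def ident_mismatches(leftsubnet, rightsubnet, cisco_local, cisco_remote, our_ip, peer_ip):
    """Return human-readable mismatches; an empty list means quick mode would agree.
    strongSwan's left side must equal the Cisco "remote ident", right its "local ident"."""
    pairs = (("left/remote", parse_swan_subnet(leftsubnet, our_ip), parse_cisco_ident(cisco_remote)),
             ("right/local", parse_swan_subnet(rightsubnet, peer_ip), parse_cisco_ident(cisco_local)))
    problems = []
    for side, swan, cisco in pairs:
        for field, a, b in zip(("network", "protocol", "port"), swan, cisco):
            if a != b:
                problems.append("%s %s: strongSwan %s vs Cisco %s" % (side, field, a, b))
    return problems

if __name__ == "__main__":   # constructed sample: 203.0.113.1 stands in for the masked x.x.x.x
    cisco = ("(203.0.113.1/255.255.255.255/47/0)", "(10.2.0.29/255.255.255.255/47/0)")
    print(ident_mismatches("10.2.0.29/32", "203.0.113.1/32", *cisco, "10.2.0.29", "203.0.113.1"))
    print(ident_mismatches("%dynamic[47/%any]", "%dynamic[47/%any]", *cisco, "10.2.0.29", "203.0.113.1"))
```

Running it prints the two protocol mismatches for the original configuration and an empty list for the %dynamic[47/%any] configuration.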