<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-IN" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">[Correction]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Hi George,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Sorry, I made a blunder in the earlier response… I mixed up IPsec TS_UNACCEPTABLE with IKE proposals.</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">I just checked, and the debug output you posted is in fact originating from the IKE proposal mismatch.</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Basically, Cisco uses default ISAKMP profiles under the hood unless the user explicitly configures an ISAKMP policy (in which case the system default is overridden by the user-configured policy).</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">So, in your case, there does not seem to be a user-configured ISAKMP policy, due to which the system default is being used, and it is not matching the IKE config on StrongSwan.</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Which default policies the system configures on the ASR depends on the software version, so you can check this with ‘show crypto isakmp default policy’.</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Either way, DH group 2 and AES have long been considered unsafe and are probably not configured as a system default, so you will have to configure an ISAKMP policy with these settings explicitly.</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">In a nutshell:<o:p></o:p></span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo4"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Change the config parameters on the StrongSwan side to match the system defaults of the ASR</span></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l1 level1 lfo4"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Or, explicitly configure a policy on the ASR to match the StrongSwan setting, like this example:</span></li></ol>
<pre>crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2</pre>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">With this change your IKE SA should come up. I am guessing the CHILD_SA will also come up with your existing config; if not, you can try the suggestion I gave in the earlier mail for that.</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif">Mohit<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
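<p class="MsoNormal">To make the IKE proposal comparison in Mohit's correction above (and the ike= to isakmp-policy mapping Volodymyr describes further down) checkable, here is an added Python example; it is not code from the thread, from strongSwan or from Cisco. It parses a strongSwan ike= value and the crypto isakmp policy stanzas of an IOS config, reports per-slot mismatches that would end in NO_PROPOSAL_CHOSEN, falls back to the classic IOS defaults for sub-commands a stanza leaves out (an assumption; the built-in default policy set differs per release, which is what show crypto isakmp default policy reports), and flags deprecated algorithms such as DH group 2. The keyword tables and the sample configs are constructed for illustration. It also catches key-size differences: in IOS, encryption aes means 128-bit AES, so it does not agree with aes256 on the strongSwan side.</p>

```python
"""Check a strongSwan IKEv1 ike= proposal against Cisco IOS ISAKMP policies.

Added example for this thread; not code from strongSwan, Cisco, or the posters.
The keyword tables below are an assumption for illustration (common keywords only).
"""
import re

# strongSwan keyword -> (slot, value normalised to IOS wording). Assumed mapping.
SWAN_ALG = {
    "des": ("enc", "des"), "3des": ("enc", "3des"),
    "aes": ("enc", "aes 128"), "aes128": ("enc", "aes 128"),
    "aes192": ("enc", "aes 192"), "aes256": ("enc", "aes 256"),
    "md5": ("hash", "md5"), "sha": ("hash", "sha"), "sha1": ("hash", "sha"),
    "sha256": ("hash", "sha256"), "sha384": ("hash", "sha384"),
    "sha512": ("hash", "sha512"),
    "modp768": ("dh", 1), "modp1024": ("dh", 2), "modp1536": ("dh", 5),
    "modp2048": ("dh", 14), "ecp256": ("dh", 19), "ecp384": ("dh", 20),
}
SLOTS = ("enc", "hash", "dh", "auth")
# Classic IOS defaults for sub-commands a policy stanza leaves out (assumption;
# the built-in default policy set differs per release, as the thread notes).
IOS_DEFAULTS = {"enc": "des", "hash": "sha", "dh": 1, "auth": "rsa-sig"}
# Algorithms a defender flags even when both sides agree on them.
WEAK = {("enc", "des"), ("enc", "3des"), ("hash", "md5"), ("dh", 1), ("dh", 2), ("dh", 5)}


def parse_swan_proposals(ike_value, authby="secret"):
    """Turn 'aes256-sha-modp1024,aes128-sha256-modp2048!' into proposal dicts."""
    auth = "pre-share" if authby == "secret" else "rsa-sig"
    proposals = []
    for prop in ike_value.strip().rstrip("!").split(","):
        slots = {"auth": auth}
        for token in prop.strip().split("-"):
            if token not in SWAN_ALG:
                raise ValueError("unknown strongSwan keyword: " + token)
            slot, value = SWAN_ALG[token]
            slots[slot] = value
        proposals.append(slots)
    return proposals


def parse_ios_policies(config_text):
    """Collect 'crypto isakmp policy N' stanzas as {priority: slots}."""
    policies = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.match(r"crypto isakmp policy (\d+)$", line)
        if header:
            current = int(header.group(1))
            policies[current] = dict(IOS_DEFAULTS)
            continue
        if current is None or not line:
            continue
        parts = line.split()
        if parts[0] == "encryption":
            enc = " ".join(parts[1:])
            policies[current]["enc"] = "aes 128" if enc == "aes" else enc
        elif parts[0] == "hash":
            policies[current]["hash"] = parts[1]
        elif parts[0] == "group":
            policies[current]["dh"] = int(parts[1])
        elif parts[0] == "authentication":
            policies[current]["auth"] = parts[1]
        elif parts[0] != "lifetime":
            current = None  # '!' or any other command ends the stanza
    return policies


def weak_algorithms(proposal):
    """List the slots of one proposal that use a deprecated algorithm."""
    return sorted("%s=%s" % (s, proposal.get(s)) for s in ("enc", "hash", "dh")
                  if (s, proposal.get(s)) in WEAK)


def compare(ike_value, ios_config, authby="secret"):
    """Explain whether IKEv1 phase 1 would agree; returns matches, mismatches, weak."""
    proposals = parse_swan_proposals(ike_value, authby)
    policies = parse_ios_policies(ios_config)
    result = {"matches": [], "mismatches": [], "weak": []}
    if not policies:
        result["mismatches"].append("no explicit ISAKMP policy on the ASR; its "
                                    "release-specific system defaults apply")
    for prio in sorted(policies):  # IOS tries policies in priority order
        for i, prop in enumerate(proposals):
            diffs = ["%s strongSwan=%s ASR=%s" % (s, prop.get(s), policies[prio].get(s))
                     for s in SLOTS if prop.get(s) != policies[prio].get(s)]
            if diffs:
                result["mismatches"].append("policy %d vs proposal %d: %s" % (prio, i, "; ".join(diffs)))
            else:
                result["matches"].append((prio, i))
    for i, prop in enumerate(proposals):
        result["weak"].extend("proposal %d: %s" % (i, w) for w in weak_algorithms(prop))
    return result


# Constructed inputs modelled on the thread: the strongSwan ike= line, an ASR
# config with no explicit policy, and two candidate policies for the ASR.
SWAN_IKE = "aes256-sha-modp1024"
ASR_NO_POLICY = "crypto isakmp profile abcd\n keyring cust_key\n!\n"
ASR_AES128 = "crypto isakmp policy 1\n encryption aes\n authentication pre-share\n group 2\n!\n"
ASR_AES256 = "crypto isakmp policy 1\n encryption aes 256\n authentication pre-share\n group 2\n!\n"

if __name__ == "__main__":
    for label, cfg in (("no policy", ASR_NO_POLICY), ("aes", ASR_AES128), ("aes 256", ASR_AES256)):
        print(label, compare(SWAN_IKE, cfg))
```

<p class="MsoNormal">Running the block prints one line per candidate config: the first reports that no explicit policy exists, the second reports the enc slot differing (aes 256 versus aes 128), and the third reports a match while still flagging dh=2 as weak.</p>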
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Users <users-bounces@lists.strongswan.org> on behalf of "MOHIT CHALLA (mochalla)" <mochalla@cisco.com><br>
<b>Date: </b>Monday, 18 January 2021 at 9:05 PM<br>
<b>To: </b>Volodymyr Litovka <doka.ua@gmx.com>, george live <georgelive2020@gmail.com>, "users@lists.strongswan.org" <users@lists.strongswan.org><br>
<b>Subject: </b>Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Hi George,
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">I am not 100% sure what is causing the issue, but there are a couple of things which I notice.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">The Cisco static-VTI solution (like the one configured on the ASR in your config) automatically uses any-any traffic selectors. I see you are using GRE as encaps on the ASR (which is the default if you do not configure ‘tunnel mode ipsec ipv4’) for what seems to be a point-to-point connection. I am not sure what ‘%dynamic[gre]’ translates to.</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">So you can try either of these:</span></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Set ‘tunnel mode ipsec ipv4’ on the tunnel interface on ASR and make the leftsubnet=0.0.0.0/0 && rightsubnet=0.0.0.0/0
on StrongSwan</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level1 lfo3"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Leave the ASR config as it is and configure on StrongSwan:</span><o:p></o:p></li><ol style="margin-top:0cm" start="1" type="a">
<li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level2 lfo3"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">leftprotoport=gre</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level2 lfo3"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">leftsubnet=0.0.0.0/0</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level2 lfo3"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">rightprotoport=gre</span><o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0cm;mso-list:l0 level2 lfo3"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">rightsubnet=0.0.0.0/0</span><o:p></o:p></li></ol>
</ol>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US">Let me know if this helps. The encryption settings seem fine, else IKE would have complained during SA_INIT itself.</span></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif">Thanks,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif">Mohit</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-family:"Baskerville",serif;mso-fareast-language:EN-US"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Users <users-bounces@lists.strongswan.org> on behalf of Volodymyr Litovka <doka.ua@gmx.com><br>
<b>Date: </b>Monday, 18 January 2021 at 5:15 PM<br>
<b>To: </b>george live <georgelive2020@gmail.com>, "users@lists.strongswan.org" <users@lists.strongswan.org><br>
<b>Subject: </b>Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p>Hi George,<o:p></o:p></p>
<p>I don't remember exactly Cisco's commands to configure encryption, but it seems your config misses encryption settings for IKE negotiation. Your config on the Cisco side should look like the following:</p>
<p>! This is IKE encryption<br>
crypto isakmp policy 10<br>
encryption ...<br>
hash ...<br>
group ...<br>
...<br>
! This is ESP encryption<br>
crypto ipsec transform-set myset ...<br>
!<br>
crypto ipsec profile myprofile<br>
...<br>
set transform-set myset<br>
!<br>
int tun151<br>
...<br>
tunnel protection ipsec profile myprofile<o:p></o:p></p>
<p>and IKE encryption (isakmp policy) must match "ike" parameter in connection definition, while ESP encryption (ipsec transform-set) must match "esp" parameter.<o:p></o:p></p>
<p>Hope this'll help.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 14.01.2021 22:38, george live wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Hi all,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I am using strongswan version 5.3 on aws cloud and trying to set up ipsec with a Cisco ASR in a customer site. It is not a complex scenario but the logs are telling me that strongswan is saying 'no proposals chosen'.</p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">It is IKEv1, aes256, sha1 and DH group 2.</p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Below are the configs:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Strongswan<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">=========<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">config setup<br>
charondebug="ike 1, knl 0, cfg 0"<br>
conn BRKTUNEL <br>
authby=secret<br>
auto=route<br>
dpddelay=10<br>
dpdtimeout=30<br>
dpdaction=restart<br>
esp=aes256-sha-modp1024<br>
ike=aes256-sha-modp1024<br>
ikelifetime=86400s<br>
lifetime=1h<br>
keyexchange=ikev1<br>
keyingtries=%forever<br>
rekey=yes<br>
forceencaps=yes<br>
# Specifics<br>
left=2.2.2.2 # Local private ip<br>
leftsubnet=%dynamic[gre] # Local VPC Subnet<br>
leftid=2.2.2.2<br>
leftfirewall=yes<br>
rightfirewall=no<br>
right=1.1.1.1 # Remote Tunnel IP<br>
rightid=%any<br>
rightsubnet=%dynamic[gre] # Remote VPC Subnet<br>
type=tunnel<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Customer ASR config<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">================<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">crypto isakmp profile abcd<br>
description Default profile<br>
vrf 10<br>
keyring cust_key<br>
match identity address 2.2.2.2<br>
keepalive 10 retry 2<br>
local-address 1.1.1.1 <br>
!<br>
crypto keyring cust_key vrf 10<br>
description Key ring for vrf 10 peers<br>
local-address customer_ip vrf<br>
pre-shared-key address 2.2.2.2 key xxxxxxxxx<br>
!<br>
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac<br>
mode tunnel<br>
!<br>
crypto ipsec profile ipsec<br>
set transform-set cust1-xform<br>
set pfs group2<br>
set isakmp-profile abcd<br>
!<br>
interface Tunnel151<br>
description AWS <br>
vrf forwarding 10<br>
ip address 169.254.128.1 255.255.255.252<br>
ip tcp adjust-mss 1379<br>
tunnel source 1.1.1.1<br>
tunnel destination 2.2.2.2<br>
tunnel vrf 10<br>
tunnel protection ipsec profile ipsec<br>
ip virtual-reassembly<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The debug log says 'no IKE config found for 1.1.1.1...2.2.2.2, sending NO_PROPOSAL_CHOSEN'</p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Any help is appreciated.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">George<o:p></o:p></p>
</div>
</div>
</blockquote>
<pre>--<o:p></o:p></pre>
<pre>Volodymyr Litovka<o:p></o:p></pre>
<pre> "Vision without Execution is Hallucination." -- Thomas Edison<o:p></o:p></pre>
</div>
</body>
</html>