<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hi George,</p>
<p>I don't remember exactly Cisco's commands to configure
encryption, but it seems your config misses encryption settings for
IKE negotiation. Your config on the Cisco side should look like the
following:</p>
<p>! This is IKE encryption<br>
crypto isakmp policy 10<br>
encryption ...<br>
hash ...<br>
group ...<br>
...<br>
! This is ESP encryption<br>
crypto ipsec transform-set myset ...<br>
!<br>
crypto ipsec profile myprofile<br>
...<br>
set transform-set myset<br>
!<br>
int tun151<br>
...<br>
tunnel protection ipsec profile myprofile</p>
<p>and IKE encryption (isakmp policy) must match the "ike" parameter in
the connection definition, while ESP encryption (ipsec transform-set)
must match the "esp" parameter.</p>
<p>Hope this'll help.<br>
</p>
<div class="moz-cite-prefix">On 14.01.2021 22:38, george live wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CANKhjqO2-5b6-DWORqv3-uH=jhg6iBL6V06_FPKw=TStcagfog@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div>Hi all,</div>
<div>I am using strongSwan version 5.3 on AWS cloud and trying
to set up IPsec with a Cisco ASR at the customer site. It is not a
complex scenario but the logs are telling me that strongSwan
is saying 'no proposals chosen'. <br>
</div>
<div><br>
</div>
<div>It is IKEv1, AES256, SHA1 and DH group 2.</div>
<div><br>
</div>
<div>Below are the configs:</div>
<div><br>
</div>
<div>Strongswan</div>
<div>=========</div>
<div>config setup<br>
charondebug="ike 1, knl 0, cfg 0"<br>
conn BRKTUNEL <br>
authby=secret<br>
auto=route<br>
dpddelay=10<br>
dpdtimeout=30<br>
dpdaction=restart<br>
esp=aes256-sha-modp1024<br>
ike=aes256-sha-modp1024<br>
ikelifetime=86400s<br>
lifetime=1h<br>
keyexchange=ikev1<br>
keyingtries=%forever<br>
rekey=yes<br>
forceencaps=yes<br>
# Specifics<br>
left=2.2.2.2 # Local private ip<br>
leftsubnet=%dynamic[gre] # Local VPC Subnet<br>
leftid=2.2.2.2<br>
leftfirewall=yes<br>
rightfirewall=no<br>
right=1.1.1.1 # Remote Tunnel IP<br>
rightid=%any<br>
rightsubnet=%dynamic[gre] # Remote VPC Subnet<br>
type=tunnel</div>
<div><br>
</div>
<div>Customer ASR config</div>
<div>================</div>
<div>crypto isakmp profile abcd<br>
description Default profile<br>
vrf 10<br>
keyring cust_key<br>
match identity address 2.2.2.2<br>
keepalive 10 retry 2<br>
local-address 1.1.1.1 <br>
!<br>
crypto keyring cust_key vrf 10<br>
description Key ring for vrf 10 peers<br>
local-address customer_ip vrf<br>
pre-shared-key address 2.2.2.2 key xxxxxxxxx<br>
!<br>
crypto ipsec transform-set cust1-xform esp-aes 256
esp-sha-hmac<br>
mode tunnel<br>
!<br>
crypto ipsec profile ipsec<br>
set transform-set cust1-xform<br>
set pfs group2<br>
set isakmp-profile abcd<br>
!<br>
interface Tunnel151<br>
description AWS <br>
vrf forwarding 10<br>
ip address 169.254.128.1 255.255.255.252<br>
ip tcp adjust-mss 1379<br>
tunnel source 1.1.1.1<br>
tunnel destination 2.2.2.2<br>
tunnel vrf 10<br>
tunnel protection ipsec profile ipsec<br>
ip virtual-reassembly</div>
<div><br>
</div>
<div>The debug logs say 'no IKE config found for
1.1.1.1...2.2.2.2, sending NO_PROPOSAL_CHOSEN'</div>
<div><br>
</div>
<div>Any help is appreciated.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>George<br>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison</pre>
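<p>The matching rule given in the reply (isakmp policy must agree with ike=, transform-set with esp=), as an added example that is not part of the thread: a small Python helper that expands strongSwan IKEv1 proposal strings into the equivalent IOS lines and lists which of them are absent from a Cisco config, so the two sides can be compared before debugging NO_PROPOSAL_CHOSEN. The token tables are assumptions covering only the algorithms discussed here, and the sample config is constructed from the ESP lines quoted above (it deliberately has no isakmp policy, as in the question).</p>

```python
import re

# Assumed token tables: strongSwan cipher -> (IOS keyword, bits), integrity -> IOS hash, DH -> IOS group
_ENC = {"aes128": ("aes", 128), "aes192": ("aes", 192), "aes256": ("aes", 256), "3des": ("3des", None)}
_HASH = {"sha": "sha", "sha1": "sha", "sha256": "sha256", "md5": "md5"}
_DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14}

def parse_proposal(proposal):
    """Split 'aes256-sha-modp1024' into (enc, hash, dh); dh is None for an esp= without PFS."""
    parts = proposal.strip().split("-")
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected proposal format: {proposal!r}")
    enc, hsh, dh = parts[0], parts[1], (parts[2] if len(parts) == 3 else None)
    if enc not in _ENC or hsh not in _HASH or (dh is not None and dh not in _DH):
        raise ValueError(f"unsupported token in proposal: {proposal!r}")
    return enc, hsh, dh

def ike_to_isakmp_policy(ike, priority=10):
    """IOS 'crypto isakmp policy' lines equivalent to a strongSwan ike= proposal."""
    enc, hsh, dh = parse_proposal(ike)
    if dh is None:
        raise ValueError("an IKEv1 ike= proposal must name a DH group")
    cipher, bits = _ENC[enc]
    return [f"crypto isakmp policy {priority}", f" encryption {cipher}" + (f" {bits}" if bits else ""),
            f" hash {_HASH[hsh]}", f" group {_DH[dh]}"]

def esp_to_transform_set(esp, name="myset"):
    """IOS transform-set line, plus the 'set pfs' line when esp= carries a DH group."""
    enc, hsh, dh = parse_proposal(esp)
    cipher, bits = _ENC[enc]
    ts = f"crypto ipsec transform-set {name} esp-{cipher}" + (f" {bits}" if bits else "") + f" esp-{_HASH[hsh]}-hmac"
    return ts, (f" set pfs group{_DH[dh]}" if dh else None)

def missing_lines(ike, esp, cisco_config):
    """Expected IOS settings (derived from ike=/esp=) that do not appear in cisco_config."""
    have = {re.sub(r"\s+", " ", line).strip() for line in cisco_config.splitlines()}
    missing = [w.strip() for w in ike_to_isakmp_policy(ike)[1:] if w.strip() not in have]
    ts, pfs = esp_to_transform_set(esp)
    algs = ts.split(" ", 4)[4]  # the transform-set name is arbitrary; compare algorithms only
    if not any(l.startswith("crypto ipsec transform-set ") and l.endswith(" " + algs) for l in have):
        missing.append("crypto ipsec transform-set <name> " + algs)
    if pfs and pfs.strip() not in have:
        missing.append(pfs.strip())
    return missing

# Constructed sample: the ESP-related lines of the ASR config quoted in the thread (no isakmp policy)
ASR_CONFIG = """crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
 set transform-set cust1-xform
 set pfs group2
"""
```

Calling missing_lines("aes256-sha-modp1024", "aes256-sha-modp1024", ASR_CONFIG) reports the three isakmp-policy settings (encryption, hash, group) as absent, which is exactly the gap the reply points out.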
</body>
</html>