[strongSwan] Site-Site VPN issues with Cisco Devices

Tormod Macleod TMacleod at paywizard.com
Thu Aug 7 13:14:11 CEST 2014


Hello,
 
I'm trying to get to grips with strongSwan, specifically creating a site-to-site VPN between strongSwan and a Cisco router or firewall. Although my background is networking, I've not much experience with VPNs.
 
I'm using GNS3 to play with these things in a virtual environment and have been able to create a connection between two Linux boxes running strongSwan - it works perfectly. However, when I try to create a connection from strongSwan to the router or the firewall I run into problems. For some reason strongSwan seems to be changing the traffic selector for both these connections, as below. I read something about the unity plugin and it seemed to describe something similar to my issue, but enabling it doesn't appear to have helped.
 
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for us:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.1.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0
I've pasted my config below and attached a screenshot of my topology. If anyone could offer any advice on where to start, I'd be very grateful. Apologies if this is a bit of a newbie issue. I really hope it's not something silly.
 
conn strongswan-router
	    ikelifetime=60m
	    keylife=20m
	    rekeymargin=3m
	    keyingtries=1
	    keyexchange=ikev1
	    ike=aes128-sha1-modp1536!
	    authby=secret
	    left=192.168.0.1
	    leftsubnet=10.1.0.0/24
	    leftid=192.168.0.1
	    leftfirewall=yes
	    right=192.168.1.1
	    rightsubnet=10.2.0.0/24
	    rightid=192.168.1.1
	    auto=start
 
R2#sh run
version 12.4
!
!
<omitted several lines>
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key cisco12 address 192.168.0.1
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 10 ipsec-isakmp
 set peer 192.168.0.1
 set transform-set myset
 match address 100
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 speed 100
 full-duplex
 crypto map mymap
!
interface FastEthernet0/1
 ip address 10.2.0.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 192.168.0.0 255.255.255.0 192.168.1.2
!
<omitted several lines>
!
access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
<omitted several lines>
!
R2#
 
A0089-Mint1 etc # ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64):
  uptime: 2 minutes, since Aug 07 12:06:02 2014
  malloc: sbrk 1867776, mmap 532480, used 701088, free 1166688
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors curl soup unbound ldap sqlite pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm ntru attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led duplicheck radattr addrblock unity
Listening IP addresses:
  192.168.0.1
  10.1.0.1
Connections:
strongswan-router:  192.168.0.1...192.168.1.1  IKEv1
strongswan-router:   local:  [192.168.0.1] uses pre-shared key authentication
strongswan-router:   remote: [192.168.1.1] uses pre-shared key authentication
strongswan-router:   child:  10.1.0.0/24 === 10.2.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
strongswan-router[1]: ESTABLISHED 2 minutes ago, 192.168.0.1[192.168.0.1]...192.168.1.1[192.168.1.1]
strongswan-router[1]: IKEv1 SPIs: d2072b8b790bcf8a_i* 0172409d7563a91c_r, pre-shared key reauthentication in 53 minutes
strongswan-router[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
 
R2#debug crypto ipsec
Crypto IPSEC debugging is on
R2#
*Mar  1 15:46:58.504: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar  1 15:46:58.516: Crypto mapdb : proxy_match
	    src addr     : 0.0.0.0
	    dst addr     : 10.1.0.0
	    protocol     : 0
	    src port     : 0
	    dst port     : 0
*Mar  1 15:46:58.520: Crypto mapdb : proxy_match
	    src addr     : 0.0.0.0
	    dst addr     : 10.1.0.0
	    protocol     : 0
	    src port     : 0
	    dst port     : 0
*Mar  1 15:46:58.528: map_db_find_best did not find matching map
*Mar  1 15:46:58.528: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1
*Mar  1 15:46:58.528: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
*Mar  1 15:46:58.532: Crypto mapdb : proxy_match
	    src addr     : 0.0.0.0
	    dst addr     : 10.1.0.0
	    protocol     : 0
	    src port     : 0
	    dst port     : 0
*Mar  1 15:46:58.532: Crypto mapdb : proxy_match
	    src addr     : 0.0.0.0
	    dst addr     : 10.1.0.0
	    protocol     : 0
	    src port     : 0
	    dst port     : 0
*Mar  1 15:46:58.532: map_db_find_best did not find matching map
*Mar  1 15:46:58.532: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1
*Mar  1 15:46:58.532: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar  1 15:46:58.532: Crypto mapdb : proxy_match
	    src addr     : 0.0.0.0
	    dst addr     : 10.1.0.0
	    protocol     : 0
	    src port     : 0
	    dst port     : 0
*Mar  1 15:46:58.532: Crypto mapdb : proxy_match
	    src addr     : 0.0.0.0
	    dst addr     : 10.1.0.0
	    protocol     : 0
	    src port     : 0
	    dst port     : 0
*Mar  1 15:46:58.532: map_db_find_best did not find matching map
*Mar  1 15:46:58.532: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 192.168.1.1
*Mar  1 15:46:58.540: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at 192.168.0.1
R2#
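An added diagnostic example (not from the poster or from strongSwan/Cisco) that reads the charon "proposing/changing traffic selectors" lines and the Cisco crypto ACL quoted above, converts the Cisco wildcard masks to CIDR networks, and reports whether the final selectors charon sends are the mirror image of the ACL entry. The sample log and ACL are copied from the post; a Quick Mode proposal is only accepted by the router when the two agree, so this is the first thing to check before reading the IOS debug.

```python
import ipaddress
import re

# Sample input constructed from the lines in the post above.
CHARON_LOG = """\
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for us:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.1.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0
"""
CISCO_ACL = "access-list 100 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255"


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask -> network. A wildcard bit of 1 means 'don't care',
    so 0.0.255.255 is a /16 and 0.0.0.255 is a /24."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def parse_crypto_acl(ace):
    """Return (source, destination) networks of a 'permit ip' crypto ACL entry."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", ace)
    return (wildcard_to_network(m.group(1), m.group(2)),
            wildcard_to_network(m.group(3), m.group(4)))


def parse_charon_selectors(log):
    """Return the selectors charon finally proposes for 'us' and 'other'.
    A 'changing proposed traffic selectors' block replaces the earlier list."""
    selectors, side = {}, None
    for line in log.splitlines():
        m = re.search(r"traffic selectors for (us|other):", line)
        if m:
            side = m.group(1)
            selectors[side] = []
            continue
        m = re.search(r"\]\s+(\d+\.\d+\.\d+\.\d+/\d+)\s*$", line)
        if m and side:
            selectors[side].append(ipaddress.IPv4Network(m.group(1)))
    return selectors


def check_mirrored(log, ace):
    """True only if charon's 'us' equals the ACL destination and 'other' its source,
    i.e. the two ends describe exactly the same pair of networks."""
    ts = parse_charon_selectors(log)
    cisco_src, cisco_dst = parse_crypto_acl(ace)
    return ts.get("us") == [cisco_dst] and ts.get("other") == [cisco_src]
```

For the values in the post the check returns False: the ACL describes 10.2.0.0/16 to 10.1.0.0/16, while charon ends up proposing 10.1.0.0/24 for itself and 0.0.0.0/0 for the peer.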
 

