[strongSwan] Incorrect Phase II for Cisco IOS Transport VPN

John Marrett johnf at zioncluster.ca
Sat Apr 18 14:56:57 CEST 2015 

I'm trying to build a gre tunnel / transport based IPSec VPN between a
Cisco IOS router and a device running strongswan on openwrt. I successfully
negotiate phase 1 but then fail to negotiate phase 2.

The Cisco device indicates proxy identities are not supported, which would
suggest that the IPSec session is being negotiated with the wrong IP
addresses. Here are the log messages from the Cisco device:

.Apr 18 08:26:03.870: ISAKMP:(13414):Checking IPSec proposal 0
.Apr 18 08:26:03.870: ISAKMP: transform 1, ESP_AES
.Apr 18 08:26:03.870: ISAKMP:   attributes in transform:
.Apr 18 08:26:03.870: ISAKMP:      key length is 128
.Apr 18 08:26:03.870: ISAKMP:      authenticator is HMAC-SHA512
.Apr 18 08:26:03.870: ISAKMP:      encaps is 2 (Transport)
.Apr 18 08:26:03.870: ISAKMP:      SA life type in seconds
.Apr 18 08:26:03.870: ISAKMP:      SA life duration (basic) of 3600
.Apr 18 08:26:03.870: ISAKMP:(13414):atts are acceptable.
.Apr 18 08:26:03.870: IPSEC(ipsec_process_proposal): proxy identities not
supported
.Apr 18 08:26:03.870: ISAKMP:(13414): IPSec policy invalidated proposal
with error 32
.Apr 18 08:26:03.870: ISAKMP:(13414): phase 2 SA policy not acceptable!
(local x.x.x.x remote 10.2.0.29)

And here is the configuration for strongswan. I had originally omitted the
subnet definitions but I added them to ensure that the correct subnets were
specified.

conn host-host
    left=10.2.0.29
    leftid=10.2.0.29
    leftsubnet=10.2.0.29/32
    right=x.x.x.x
    rightid=x.x.x.x
    rightsubnet=x.x.x.x/32
    type=transport
    auto=start
    keyexchange=ikev1
    ike=aes128-sha256-modp4096!
    esp=aes128-sha512!
    authby=secret

I am running strongswan 5.2.2 on Openwrt. The Cisco router is running a dev
special release of 15.3(3)M3.2.

Thank you in advance for your help,

-JohnF
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150418/4161c023/attachment.html>

More information about the Users mailing list