[strongSwan] Problem setting IPSEC between StrongSwan and Cisco router
Łukasz Wójcik
lukasz.wojcik at zoho.com
Tue Jan 1 22:27:29 CET 2019
Hello people,
I was hoping to find some clues about what's wrong with my config. I am
trying to build a very simple connection (host-to-host) between
two machines, one being a Cisco router and the other running strongSwan. The
problem is that I'm getting:
"There was no IPSEC policy found for received TS" on the Cisco side, and:
"[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built" on the strongSwan
side.
I've checked that config a million times and I
My SS config is as follows:
connections {
    MAIN {
        local_addrs = 192.168.200.2
        remote_addrs = 192.168.200.1
        #proposals = default
        proposals = aes128-sha256-modp2048
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            XXX {
                esp_proposals = aes128-sha1
                rekey_time = 10m
                mode = transport
                local_ts = 192.168.200.0/24
                remote_ts = 192.168.200.0/24
            }
        }
        version = 2
        mobike = no
    }
}

secrets {
    ike-XXX {
        secret = secret
    }
    ike-MAIN {
        secret = secret
    }
}
And the Cisco config:
crypto ikev2 proposal ikev2-proposal
encryption aes-cbc-128 aes-cbc-256 3des des
integrity md5 sha1 sha256 sha384 sha512
group 14
!
crypto ikev2 policy IKEPOLICYANY
match fvrf any
proposal ikev2-proposal
!
crypto ikev2 keyring KEYRING
peer any
address 0.0.0.0 0.0.0.0
pre-shared-key secret
!
peer 192.168.200.1
address 192.168.200.1
pre-shared-key local secret
pre-shared-key remote secret
!
peer 192.168.200.2
address 192.168.200.2
pre-shared-key local secret
pre-shared-key remote secret
!
!
!
crypto ikev2 profile IKEPROFILE2
match address local 192.168.200.1
match identity remote address 192.168.200.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
!
!
!
!
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile IPSECPROFILE
set transform-set TS
set ikev2-profile IKEPROFILE2
!
!
!
!
!
!
!
interface Tunnel0
ip address 10.255.255.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip ospf network broadcast
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel protection ipsec profile IPSECPROFILE
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.200.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address dhcp
shutdown
duplex auto
speed auto
!
router ospf 1
network 10.255.255.0 0.0.0.0 area 0
network 10.255.255.0 0.0.0.255 area 0
network 192.168.200.0 0.0.0.0 area 1
network 192.168.200.0 0.0.0.255 area 1
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 192.168.222.2 255.255.255.255 10.255.255.3
ip route 192.168.223.1 255.255.255.255 10.255.255.2
!
!
!
access-list 1 permit any
access-list 100 permit ip any any log
Here's the output I get when trying to initiate connection:
STRONGSWAN:
[IKE] initiating IKE_SA MAIN[57] to 192.168.200.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.200.2[500] to 192.168.200.1[500] (466
bytes)
[NET] received packet: from 192.168.200.1[500] to 192.168.200.2[500]
(464 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP)
N(NATD_D_IP) ]
[IKE] received Cisco Delete Reason vendor ID
[ENC] received unknown vendor ID:
46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '192.168.200.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA XXX{50}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH N(USE_TRANSP)
N(ESP_TFC_PAD_N) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.200.2[500] to 192.168.200.1[500] (256
bytes)
[NET] received packet: from 192.168.200.1[500] to 192.168.200.2[500]
(160 bytes)
[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(TS_UNACCEPT) ]
[IKE] authentication of '192.168.200.1' with pre-shared key successful
[IKE] IKE_SA MAIN[57] established between
192.168.200.2[192.168.200.2]...192.168.200.1[192.168.200.1]
[IKE] scheduling rekeying in 13431s
[IKE] maximum IKE_SA lifetime 14871s
[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA
initiate failed: establishing CHILD_SA 'XXX' failed
---
CISCO:
*Jan 1 21:01:20.384: IKEv2:Received Packet [From 192.168.200.2:500/To
192.168.200.1:500/VRF i0:f0]
Initiator SPI : 00E9CC4838C9F0BC - Responder SPI : 0000000000000000
Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP)
NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430)
NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)
*Jan 1 21:01:20.384: IKEv2:(SESSION ID = 123,SA ID = 1):Verify SA init
message
*Jan 1 21:01:20.384: IKEv2:(SESSION ID = 123,SA ID = 1):Insert SA
*Jan 1 21:01:20.384: IKEv2:Searching Policy with fvrf 0, local address
192.168.200.1
*Jan 1 21:01:20.384: IKEv2:Found Policy 'IKEPOLICYANY'
*Jan 1 21:01:20.384: IKEv2:(SESSION ID = 123,SA ID = 1):Processing
IKE_SA_INIT message
*Jan 1 21:01:20.384: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve
configured trustpoint(s)
*Jan 1 21:01:20.388: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved
trustpoint(s): NONE
*Jan 1 21:01:20.388: IKEv2:Failed to retrieve Certificate Issuer list
*Jan 1 21:01:20.388: IKEv2:(SESSION ID = 123,SA ID = 1):[IKEv2 ->
Crypto Engine] Computing DH public key, DH Group 14
*Jan 1 21:01:20.388: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key
Computation PASSED
*Jan 1 21:01:20.388: IKEv2:(SESSION ID = 123,SA ID = 1):Request queued
for computation of DH key
*Jan 1 21:01:20.388: IKEv2:(SESSION ID = 123,SA ID = 1):[IKEv2 ->
Crypto Engine] Computing DH secret key, DH Group 14
*Jan 1 21:01:20.544: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key
Computation PASSED
*Jan 1 21:01:20.544: IKEv2:(SESSION ID = 123,SA ID = 1):Request queued
for computation of DH secret
*Jan 1 21:01:20.544: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine]
Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 1 21:01:20.544: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2]
SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 1 21:01:20.544: IKEv2:IKEv2 responder - no config data to send in
IKE_SA_INIT exch
*Jan 1 21:01:20.544: IKEv2:(SESSION ID = 123,SA ID = 1):Generating
IKE_SA_INIT message
*Jan 1 21:01:20.544: IKEv2:(SESSION ID = 123,SA ID = 1):IKE Proposal:
1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Jan 1 21:01:20.544: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve
configured trustpoint(s)
*Jan 1 21:01:20.544: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved
trustpoint(s): NONE
*Jan 1 21:01:20.544: IKEv2:Failed to retrieve Certificate Issuer list
*Jan 1 21:01:20.548: IKEv2:(SESSION ID = 123,SA ID = 1):Sending Packet
[To 192.168.200.2:500/From 192.168.200.1:500/VRF i0:f0]
Initiator SPI : 00E9CC4838C9F0BC - Responder SPI : 4829112827DEB809
Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP)
NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Jan 1 21:01:20.548: IKEv2:(SESSION ID = 123,SA ID = 1):Completed SA
init exchange
*Jan 1 21:01:20.548: IKEv2:(SESSION ID = 123,SA ID = 1):Starting timer
(30 sec) to wait for auth message
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Received Packet
[From 192.168.200.2:500/To 192.168.200.1:500/VRF i0:f0]
Initiator SPI : 00E9CC4838C9F0BC - Responder SPI : 4829112827DEB809
Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi AUTH NOTIFY(USE_TRANSPORT_MODE) NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi
TSr NOTIFY(Unknown - 16417) NOTIFY(Unknown - 16420)
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Stopping timer
to wait for auth message
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Checking NAT
discovery
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):NAT not found
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Searching
policy based on peer's identity '192.168.200.2' of type 'IPv4 address'
*Jan 1 21:01:20.584: IKEv2:found matching IKEv2 profile 'IKEPROFILE2'
*Jan 1 21:01:20.584: IKEv2:% Getting preshared key from profile keyring
KEYRING
*Jan 1 21:01:20.584: IKEv2:% Matched peer block '192.168.200.2'
*Jan 1 21:01:20.584: IKEv2:Searching Policy with fvrf 0, local address
192.168.200.1
*Jan 1 21:01:20.584: IKEv2:Found Policy 'IKEPOLICYANY'
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Verify peer's
policy
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Peer's policy
verified
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Get peer's
authentication method
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Peer's
authentication method is 'PSK'
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Get peer's
preshared key for 192.168.200.2
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Verify peer's
authentication data
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Use preshared
key for id 192.168.200.2, key len 6
*Jan 1 21:01:20.584: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2
authentication data
*Jan 1 21:01:20.584: IKEv2:[Crypto Engine -> IKEv2] IKEv2
authentication data generation PASSED
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Verification of
peer's authenctication data PASSED
*Jan 1 21:01:20.584: IKEv2:(SESSION ID = 123,SA ID = 1):Processing
IKE_AUTH message
*Jan 1 21:01:20.588: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 2 flags 16370 keysize 128 IDB 0x0
*Jan 1 21:01:20.588: IPSEC(validate_proposal_request): proposal part #1
*Jan 1 21:01:20.588: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.200.1:0, remote= 192.168.200.2:0,
local_proxy= 192.168.200.1/255.255.255.255/256/0,
remote_proxy= 192.168.200.2/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Jan 1 21:01:20.588: map_db_find_best did not find matching map
*Jan 1 21:01:20.588: Cannot find crypto swsb : in
ipsec_process_proposal (), 1590
*Jan 1 21:01:20.588: IPSEC(ipsec_process_proposal): proxy identities
not supported
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):: There was no
IPSEC policy found for received TS
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Sending TS
unacceptable notify
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Get my
authentication method
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):My
authentication method is 'PSK'
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Get peer's
preshared key for 192.168.200.2
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Generate my
authentication data
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Use preshared
key for id 192.168.200.1, key len 6
*Jan 1 21:01:20.588: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2
authentication data
*Jan 1 21:01:20.588: IKEv2:[Crypto Engine -> IKEv2] IKEv2
authentication data generation PASSED
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Get my
authentication method
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):My
authentication method is 'PSK'
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Generating
IKE_AUTH message
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Constructing
IDr payload: '192.168.200.1' of type 'IPv4 address'
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Building packet
for encryption.
Payload contents:
VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)
*Jan 1 21:01:20.588: IKEv2:(SESSION ID = 123,SA ID = 1):Sending Packet
[To 192.168.200.2:500/From 192.168.200.1:500/VRF i0:f0]
Initiator SPI : 00E9CC4838C9F0BC - Responder SPI : 4829112827DEB809
Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 1 21:01:20.592: IKEv2:(SESSION ID = 123,SA ID = 1):IKEV2 SA
created; inserting SA into database. SA lifetime timer (86400 sec) started
*Jan 1 21:01:20.592: IKEv2:(SESSION ID = 123,SA ID = 1):Session with
IKE ID PAIR (192.168.200.2, 192.168.200.1) is UP
*Jan 1 21:01:20.592: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Jan 1 21:01:20.592: IKEv2:(SESSION ID = 123,SA ID = 1):Checking for
duplicate IKEv2 SA
*Jan 1 21:01:20.592: IKEv2:(SESSION ID = 123,SA ID = 1):No duplicate
IKEv2 SA found
*Jan 1 21:01:20.592: IKEv2:(SESSION ID = 123,SA ID = 1):Starting timer
(8 sec) to delete negotiation context
I would really appreciate any clues.
Best regards,
-ŁW
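An added example, not part of the original post: the Cisco debug above validates the proposal against host proxies 192.168.200.1/32 and 192.168.200.2/32 and then fails to find a crypto map, and the interface it protects is a GRE tunnel ("tunnel mode gre multipoint" with "tunnel protection ipsec profile"). The script below, written for this page rather than taken from the poster or from the strongSwan project, generates a swanctl.conf whose child uses host-to-host GRE traffic selectors instead of the /24 any-protocol selectors from the post, and loads and initiates it where swanctl is installed. It assumes that IOS tunnel protection requires the selectors to be exactly the two tunnel endpoints for protocol 47 (GRE); the addresses, names and PSK are taken from the post, while the output file name and the SWANCTL_CONF variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): swanctl child config for
# GRE-over-IPsec in transport mode toward a Cisco IOS "tunnel protection"
# peer, plus the swanctl commands to load it and check the CHILD_SA.
#
# Assumption (not stated on the page): IOS derives its IPsec policy for a
# GRE tunnel protected by an IPsec profile as
#   <tunnel source>/32 <-> <peer>/32, protocol 47 (GRE)
# so the initiator must propose host-to-host GRE selectors, not a /24 for
# any protocol. SWANCTL_CONF and the file name are this example's own.

LOCAL_IP=192.168.200.2    # strongSwan host, as in the post
REMOTE_IP=192.168.200.1   # Cisco GigabitEthernet0/1, the tunnel source

# Write the corrected connection to the file given as $1.
write_cisco_gre_conf() {
    out="$1"
    cat > "$out" <<EOF
connections {
    MAIN {
        local_addrs = $LOCAL_IP
        remote_addrs = $REMOTE_IP
        version = 2
        mobike = no
        # matches "crypto ikev2 proposal": aes-cbc-128, sha256, group 14
        proposals = aes128-sha256-modp2048
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            XXX {
                # matches "crypto ipsec transform-set TS esp-aes esp-sha-hmac"
                esp_proposals = aes128-sha1
                mode = transport
                rekey_time = 10m
                # Host-to-host, GRE only. The /24 any-protocol selectors in
                # the post are what IOS answered with TS_UNACCEPTABLE.
                local_ts = $LOCAL_IP/32[gre]
                remote_ts = $REMOTE_IP/32[gre]
            }
        }
    }
}
secrets {
    # PSK authentication already succeeded in the posted log, so the secret
    # is unchanged; one entry bound to the peer's identity is enough.
    ike-cisco {
        id-1 = $REMOTE_IP
        secret = secret
    }
}
EOF
}

# Return 0 when the file carries GRE host selectors in both directions.
has_gre_selectors() {
    grep -q "local_ts = $LOCAL_IP/32\[gre\]" "$1" &&
    grep -q "remote_ts = $REMOTE_IP/32\[gre\]" "$1"
}

conf="${SWANCTL_CONF:-/etc/swanctl/conf.d/cisco-gre.conf}"
# Fall back to the working directory when /etc/swanctl is not writable
# (e.g. when run as an unprivileged user just to inspect the output).
[ -d "$(dirname "$conf")" ] && [ -w "$(dirname "$conf")" ] || conf=./cisco-gre.conf
write_cisco_gre_conf "$conf"
echo "wrote $conf"

# Load and bring the child up only if swanctl is installed on this host.
if command -v swanctl >/dev/null 2>&1; then
    swanctl --load-all
    swanctl --initiate --child XXX
    # The CHILD_SA XXX should now list 192.168.200.2/32[gre] and
    # 192.168.200.1/32[gre] as its local and remote selectors.
    swanctl --list-sas
fi
```

On the router, "show crypto ipsec sa" should then report the local and remote ident as 192.168.200.1/255.255.255.255/47/0 and 192.168.200.2/255.255.255.255/47/0 and a non-zero count of encapsulated packets once OSPF hellos start flowing over Tunnel0; if the ident still shows protocol 0 or the /24, the selectors did not take effect and "swanctl --list-conns" is the place to confirm which child definition was actually loaded.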