[strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

george live georgelive2020 at gmail.com
Thu Jan 14 21:38:00 CET 2021 

Hi all,
I am using strongswan version 5.3 on aws cloud and trying to set ipsec with
a ciscoasr in customer site. It is not a complex scenario but the logs are
telling me that strongswan is saying 'no proposals chosen'.

It is a ikev1, aes256, sha1 and df group 2.

Below are the configs:

Strongswan
=========
config setup
    charondebug="ike 1, knl 0, cfg 0"
conn BRKTUNEL
    authby=secret
     auto=route
     dpddelay=10
     dpdtimeout=30
     dpdaction=restart
     esp=aes256-sha-modp1024
     ike=aes256-sha-modp1024
     ikelifetime=86400s
     lifetime=1h
     keyexchange=ikev1
     keyingtries=%forever
     rekey=yes
     forceencaps=yes
     # Specifics
     left=2.2.2.2            # Local private ip
     leftsubnet=%dynamic[gre]   # Local VPC Subnet
     leftid=2.2.2.2
     leftfirewall=yes
     rightfirewall=no
     right=1.1.1.1       # Remote Tunnel IP
     rightid=%any
     rightsubnet=%dynamic[gre] # Remote VPC Subnet
     type=tunnel

Customer ASR config
================
crypto isakmp profile abcd
description Default profile
vrf 10
keyring cust_key
match identity address 2.2.2.2
keepalive 10 retry 2
local-address 1.1.1.1
!
crypto keyring cust_key vrf 10
description Key ring for vrf 10 peers
local-address customer_ip vrf
pre-shared-key address 2.2.2.2 key xxxxxxxxx
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ipsec
set transform-set cust1-xform
set pfs group2
set isakmp-profile abcd
!
interface Tunnel151
description AWS
vrf forwarding 10
ip address 169.254.128.1 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
tunnel vrf 10
tunnel protection ipsec profile ipsec
ip virtual-reassembly

The debug logs says 'no IKE config found for 1.1.1.1...2.2.2.2, sending
NO_PROPOSAL_CHOSEN'

Any help is appreciated.

Thanks,
George
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210114/ddb0e322/attachment.html>

More information about the Users mailing list