[strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

Volodymyr Litovka doka.ua at gmx.com
Mon Jan 18 12:44:49 CET 2021


Hi George,

I don't remember exactly Cisco's commands to configure encryption, but
it seems your config misses encryption settings for IKE negotiation. Your
config on the Cisco side should look like the following:

! This is IKE encryption
crypto isakmp policy 10
   encryption ...
   hash ...
   group ...
   ...
! This is ESP encryption
crypto ipsec transform-set myset ...
!
crypto ipsec profile myprofile
   ...
   set transform-set myset
!
int tun151
  ...
  tunnel protection ipsec profile myprofile

and IKE encryption (isakmp policy) must match "ike" parameter in
connection definition, while ESP encryption (ipsec transform-set) must
match "esp" parameter.

Hope this'll help.

On 14.01.2021 22:38, george live wrote:
> Hi all,
> I am using strongswan version 5.3 on aws cloud and trying to set ipsec
> with a Cisco ASR in customer site. It is not a complex scenario but the
> logs are telling me that strongswan is saying 'no proposals chosen'.
>
> It is IKEv1, AES256, SHA1 and DH group 2.
>
> Below are the configs:
>
> Strongswan
> =========
> config setup
>     charondebug="ike 1, knl 0, cfg 0"
> conn BRKTUNEL
>     authby=secret
>     auto=route
>     dpddelay=10
>     dpdtimeout=30
>     dpdaction=restart
>     esp=aes256-sha-modp1024
>     ike=aes256-sha-modp1024
>     ikelifetime=86400s
>     lifetime=1h
>     keyexchange=ikev1
>     keyingtries=%forever
>     rekey=yes
>     forceencaps=yes
>     # Specifics
>     left=2.2.2.2               # Local private ip
>     leftsubnet=%dynamic[gre]   # Local VPC Subnet
>     leftid=2.2.2.2
>     leftfirewall=yes
>     rightfirewall=no
>     right=1.1.1.1              # Remote Tunnel IP
>     rightid=%any
>     rightsubnet=%dynamic[gre]  # Remote VPC Subnet
>     type=tunnel
>
> Customer ASR config
> ================
> crypto isakmp profile abcd
> description Default profile
> vrf 10
> keyring cust_key
> match identity address 2.2.2.2
> keepalive 10 retry 2
> local-address 1.1.1.1
> !
> crypto keyring cust_key vrf 10
> description Key ring for vrf 10 peers
> local-address customer_ip vrf
> pre-shared-key address 2.2.2.2 key xxxxxxxxx
> !
> crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
> mode tunnel
> !
> crypto ipsec profile ipsec
> set transform-set cust1-xform
> set pfs group2
> set isakmp-profile abcd
> !
> interface Tunnel151
> description AWS
> vrf forwarding 10
> ip address 169.254.128.1 255.255.255.252
> ip tcp adjust-mss 1379
> tunnel source 1.1.1.1
> tunnel destination 2.2.2.2
> tunnel vrf 10
> tunnel protection ipsec profile ipsec
> ip virtual-reassembly
>
> The debug log says 'no IKE config found for 1.1.1.1...2.2.2.2,
> sending NO_PROPOSAL_CHOSEN'
>
> Any help is appreciated.
>
> Thanks,
> George

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
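One way to check the matching rule Volodymyr describes before bringing the tunnel up, as an added example that is not part of this thread and not strongSwan or Cisco tooling: a small Python script that parses the ipsec.conf `ike=` / `esp=` proposals and a pasted Cisco IOS crypto config, then reports whether any `crypto isakmp policy` equals the `ike=` proposal and whether the transform-set and PFS group bound to the ipsec profile equal the `esp=` proposal. The strongSwan-to-IOS keyword table, the assumed IOS defaults for an isakmp policy that omits a setting, and the sample configs (George's ASR config trimmed to its crypto lines, plus the same config with an isakmp policy added) are constructed assumptions.

```python
import re

# strongSwan keyword -> Cisco IOS keyword. Assumption: only the suites in this
# thread plus a few common neighbours are mapped; extend for other algorithms.
ENC_ISAKMP = {"aes128": "aes 128", "aes256": "aes 256", "3des": "3des"}
HASH_ISAKMP = {"sha": "sha", "sha1": "sha", "sha256": "sha256", "md5": "md5"}
DH_GROUP = {"modp1024": "2", "modp1536": "5", "modp2048": "14"}
ENC_ESP = {"aes128": "esp-aes 128", "aes256": "esp-aes 256", "3des": "esp-3des"}
AUTH_ESP = {"sha": "esp-sha-hmac", "sha1": "esp-sha-hmac", "sha256": "esp-sha256-hmac"}
# Assumed IOS defaults for an isakmp policy that omits a setting; confirm on
# the device with 'show crypto isakmp policy'.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1"}
TOP_LEVEL = ("crypto ", "interface ", "int ")

def parse_proposal(prop):
    """'aes256-sha-modp1024' -> ('aes256', 'sha', 'modp1024'); DH is None if omitted."""
    parts = prop.strip().rstrip("!").split("-")
    if len(parts) < 2:
        raise ValueError(f"unparseable proposal: {prop!r}")
    return parts[0], parts[1], parts[2] if len(parts) > 2 else None

def _blocks(cfg, header_re):
    """Yield (header match, body lines) per IOS block. A block ends at '!' or at the
    next top-level command, so pasted configs that lost indentation still parse."""
    lines = [l.strip() for l in cfg.splitlines()]
    i = 0
    while i < len(lines):
        m = re.match(header_re, lines[i])
        i += 1
        if not m:
            continue
        body = []
        while i < len(lines) and lines[i] != "!" and not lines[i].startswith(TOP_LEVEL):
            body.append(lines[i])
            i += 1
        yield m, body

def isakmp_policies(cfg):
    """[(priority, {'encryption', 'hash', 'group'})] for every 'crypto isakmp policy'."""
    out = []
    for m, body in _blocks(cfg, r"crypto isakmp policy (\d+)"):
        pol = dict(ISAKMP_DEFAULTS)
        for line in body:
            kw, _, rest = line.partition(" ")
            if kw in pol:
                pol[kw] = rest.strip()
        out.append((int(m.group(1)), pol))
    return sorted(out)

def ipsec_profile(cfg, name):
    """(transform-set string, PFS group) bound to 'crypto ipsec profile <name>'."""
    sets = {m.group(1): m.group(2).strip()
            for m, _ in _blocks(cfg, r"crypto ipsec transform-set (\S+) (.+)")}
    for m, body in _blocks(cfg, r"crypto ipsec profile (\S+)"):
        if m.group(1) != name:
            continue
        ts = pfs = None
        for line in body:
            words = line.split()
            if words[:2] == ["set", "transform-set"]:
                ts = sets.get(words[2])
            elif words[:2] == ["set", "pfs"]:
                pfs = words[2]  # e.g. 'group2'
        return ts, pfs
    return None, None

def check_ike(ike, cfg):
    """(ok, reason): does some isakmp policy equal the strongSwan ike= proposal?"""
    enc, integ, dh = parse_proposal(ike)
    if dh is None:
        return False, "ike= must name a DH group"
    want = (ENC_ISAKMP[enc], HASH_ISAKMP[integ], DH_GROUP[dh])
    policies = isakmp_policies(cfg)
    if not policies:
        return False, "no 'crypto isakmp policy' configured on the Cisco side"
    for num, p in policies:
        if (p["encryption"], p["hash"], p["group"]) == want:
            return True, f"isakmp policy {num} matches ike={ike}"
    return False, f"no isakmp policy offers encryption {want[0]} / hash {want[1]} / group {want[2]}"

def check_esp(esp, cfg, profile):
    """(ok, reason): do the profile's transform-set and PFS equal the esp= proposal?"""
    enc, integ, dh = parse_proposal(esp)
    ts, pfs = ipsec_profile(cfg, profile)
    want_ts = f"{ENC_ESP[enc]} {AUTH_ESP[integ]}"
    if ts != want_ts:
        return False, f"profile {profile}: transform-set is {ts!r}, esp= needs {want_ts!r}"
    want_pfs = f"group{DH_GROUP[dh]}" if dh else None
    if pfs != want_pfs:
        return False, f"profile {profile}: PFS is {pfs!r}, esp= needs {want_pfs!r}"
    return True, f"profile {profile} matches esp={esp}"

# Constructed sample: George's ASR config trimmed to its crypto lines, and the
# same config with the isakmp policy Volodymyr says is missing.
GEORGE_ASR = """\
crypto isakmp profile abcd
keyring cust_key
match identity address 2.2.2.2
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ipsec
set transform-set cust1-xform
set pfs group2
set isakmp-profile abcd
!
interface Tunnel151
tunnel protection ipsec profile ipsec
"""
FIXED_ASR = "crypto isakmp policy 10\nencryption aes 256\nhash sha\ngroup 2\n!\n" + GEORGE_ASR

if __name__ == "__main__":
    for label, cfg in (("as posted", GEORGE_ASR), ("with isakmp policy", FIXED_ASR)):
        print(label, "IKE:", check_ike("aes256-sha-modp1024", cfg))
        print(label, "ESP:", check_esp("aes256-sha-modp1024", cfg, "ipsec"))
```

Run as posted, the script reports that the ESP side already agrees (esp-aes 256 / esp-sha-hmac / PFS group2 equals `esp=aes256-sha-modp1024`) while the IKE side has no isakmp policy at all; with a `crypto isakmp policy` of aes 256 / sha / group 2 both checks pass. The comparison is exact-match on purpose: IKEv1 picks the first policy whose every attribute matches, so a near-miss (group 5 instead of 2, or the DES default left in place) is exactly what produces NO_PROPOSAL_CHOSEN.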
