[strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Mon Jan 18 13:34:51 CET 2021


Hi all,

Please provide logs as shown on the HelpRequests page[1] on the wiki.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 18.01.21 at 12:44, Volodymyr Litovka wrote:
> Hi George,
> 
> I don't remember exactly Cisco's commands to configure encryption, but it seems your config misses encryption settings for IKE negotiation. Your config on the Cisco side should look like the following:
> 
> ! This is IKE encryption
> crypto isakmp policy 10
>    encryption ...
>    hash ...
>    group ...
>    ...
> ! This is ESP encryption
> crypto ipsec transform-set myset ...
> !
> crypto ipsec profile myprofile
>    ...
>    set transform-set myset
> !
> int tun151
>   ...
>   tunnel protection ipsec profile myprofile
> 
> and IKE encryption (isakmp policy) must match "ike" parameter in connection definition, while ESP encryption (ipsec transform-set) must match "esp" parameter.
> 
> Hope this'll help.
> 
> On 14.01.2021 22:38, george live wrote:
>> Hi all,
>> I am using strongswan version 5.3 on AWS cloud and trying to set up IPsec with a Cisco ASR at the customer site. It is not a complex scenario, but the logs are telling me that strongswan is saying 'no proposals chosen'.
>>
>> It is IKEv1, AES256, SHA1 and DH group 2.
>>
>> Below are the configs:
>>
>> Strongswan
>> =========
>> config setup
>>     charondebug="ike 1, knl 0, cfg 0"
>> conn BRKTUNEL
>>     authby=secret
>>     auto=route
>>     dpddelay=10
>>     dpdtimeout=30
>>     dpdaction=restart
>>     esp=aes256-sha-modp1024
>>     ike=aes256-sha-modp1024
>>     ikelifetime=86400s
>>     lifetime=1h
>>     keyexchange=ikev1
>>     keyingtries=%forever
>>     rekey=yes
>>     forceencaps=yes
>>     # Specifics
>>     left=2.2.2.2               # Local private ip
>>     leftsubnet=%dynamic[gre]   # Local VPC Subnet
>>     leftid=2.2.2.2
>>     leftfirewall=yes
>>     rightfirewall=no
>>     right=1.1.1.1              # Remote Tunnel IP
>>     rightid=%any
>>     rightsubnet=%dynamic[gre]  # Remote VPC Subnet
>>     type=tunnel
>>
>> Customer ASR config
>> ================
>> crypto isakmp profile abcd
>> description Default profile
>> vrf 10
>> keyring cust_key
>> match identity address 2.2.2.2
>> keepalive 10 retry 2
>> local-address 1.1.1.1
>> !
>> crypto keyring cust_key vrf 10
>> description Key ring for vrf 10 peers
>> local-address customer_ip vrf
>> pre-shared-key address 2.2.2.2 key xxxxxxxxx
>> !
>> crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
>> mode tunnel
>> !
>> crypto ipsec profile ipsec
>> set transform-set cust1-xform
>> set pfs group2
>> set isakmp-profile abcd
>> !
>> interface Tunnel151
>> description AWS
>> vrf forwarding 10
>> ip address 169.254.128.1 255.255.255.252
>> ip tcp adjust-mss 1379
>> tunnel source 1.1.1.1
>> tunnel destination 2.2.2.2
>> tunnel vrf 10
>> tunnel protection ipsec profile ipsec
>> ip virtual-reassembly
>>
>> The debug log says 'no IKE config found for 1.1.1.1...2.2.2.2, sending NO_PROPOSAL_CHOSEN'
>>
>> Any help is appreciated.
>>
>> Thanks,
>> George
> 
> --
> Volodymyr Litovka
>    "Vision without Execution is Hallucination." -- Thomas Edison
> 
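The matching rule Volodymyr describes (isakmp policy must match `ike=`, transform-set plus PFS must match `esp=`) can be checked mechanically before bringing a tunnel up. The script below is an added example written for this thread, not code from strongSwan or Cisco; it assumes a small keyword mapping for the algorithms discussed here and feeds in the values George pasted, so the missing `crypto isakmp policy` block shows up as an IKE mismatch while the ESP side matches.

```python
import re

# Assumed keyword mapping, limited to the algorithms that appear in this thread.
ENC = {"aes128": "aes 128", "aes256": "aes 256", "3des": "3des"}
HASH = {"sha": "sha", "sha1": "sha", "sha256": "sha256", "md5": "md5"}
DH = {"modp1024": "2", "modp1536": "5", "modp2048": "14"}

def parse_proposal(proposal):
    """strongSwan 'aes256-sha-modp1024' -> {'enc': 'aes 256', 'hash': 'sha', 'group': '2'}."""
    parts = proposal.strip().lower().split("-")
    if len(parts) < 2:
        raise ValueError("expected enc-integ[-dhgroup]: " + proposal)
    return {"enc": ENC[parts[0]], "hash": HASH[parts[1]],
            "group": DH[parts[2]] if len(parts) > 2 else None}

def parse_isakmp_policy(text):
    """Pick encryption/hash/group out of a 'crypto isakmp policy' block (None if absent)."""
    pol = {"enc": None, "hash": None, "group": None}
    for line in text.splitlines():
        m = re.match(r"\s*(encryption|hash|group)\s+(\S.*?)\s*$", line)
        if m:
            key = "enc" if m.group(1) == "encryption" else m.group(1)
            pol[key] = m.group(2).lower()
    return pol

def parse_transform_set(text):
    """Read 'transform-set ... esp-aes 256 esp-sha-hmac' plus an optional 'set pfs groupN'."""
    ts = {"enc": None, "hash": None, "group": None}
    m = re.search(r"transform-set \S+ esp-(aes(?: \d+)?|3des) esp-(sha|sha256|md5)-hmac", text)
    if m:
        enc = m.group(1)
        ts["enc"] = "aes 128" if enc == "aes" else enc  # IOS 'esp-aes' with no size means 128
        ts["hash"] = m.group(2)
    p = re.search(r"set pfs group(\d+)", text)
    if p:
        ts["group"] = p.group(1)
    return ts

def mismatches(strongswan_side, cisco_side):
    """Return the fields (enc/hash/group) that differ between the two sides."""
    return [k for k in ("enc", "hash", "group") if strongswan_side[k] != cisco_side[k]]

# Constructed input: the values from George's config in this thread.
IKE = "aes256-sha-modp1024"
ESP = "aes256-sha-modp1024"
ASR_IPSEC = """crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
crypto ipsec profile ipsec
 set transform-set cust1-xform
 set pfs group2"""
ASR_ISAKMP = ""  # no 'crypto isakmp policy' block was pasted

if __name__ == "__main__":
    print("IKE mismatches:", mismatches(parse_proposal(IKE), parse_isakmp_policy(ASR_ISAKMP)))
    print("ESP mismatches:", mismatches(parse_proposal(ESP), parse_transform_set(ASR_IPSEC)))
```

Adding a policy block such as `encryption aes 256` / `hash sha` / `group 2` to ASR_ISAKMP makes the IKE side report no mismatches, which is the configuration Volodymyr's reply is pointing at.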
