[strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

MOHIT CHALLA (mochalla) mochalla at cisco.com
Mon Jan 18 16:34:48 CET 2021

Hi George,

I am not 100% sure what is causing the issue, but there are a couple of things which I notice.

Cisco static-VTI solution (like the one that is configured on the ASR in your config) automatically uses any-any traffic selectors. I see you are using GRE as encaps on ASR (which is the default if you do not configure ‘tunnel mode ipsec ipv4’) for what seems to be a point-to-point connection. I am not sure what ‘%dynamic[gre]’ translates too.

So you can try either of this:

  1.  Set ‘tunnel mode ipsec ipv4’ on the tunnel interface on ASR and make the leftsubnet= && rightsubnet= on StrongSwan
  2.  Leave the ASR config as it is and configure on StrongSwan:
     *   leftprotoport=gre
     *   leftsubnet=
     *   rightprotoport=gre
     *   rightsubnet=

Let me know if this helps. The encryption settings seems fine, else IKE would have complained during SA_INIT itself.


From: Users <users-bounces at lists.strongswan.org> on behalf of Volodymyr Litovka <doka.ua at gmx.com>
Date: Monday, 18 January 2021 at 5:15 PM
To: george live <georgelive2020 at gmail.com>, "users at lists.strongswan.org" <users at lists.strongswan.org>
Subject: Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

Hi George,

I don't remember exactly Cisco's commands to configure encryption, but it seems you config misses encryption settings for IKE negotiation. Your config on Cisco side should looks like the following:

! This is IKE encryption
crypto isakmp policy 10
  encryption ...
  hash ...
  group ...
! This is ESP encryption
crypto ipsec transform-set myset ...
crypto ipsec profile myprofile
  set transform-set myset
int tun151
 tunnel protection ipsec profile myprofile

and IKE encryption (isakmp policy) must match "ike" parameter in connection definition, while ESP encryption (ipsec transform-set) must match "esp" parameter.

Hope this'll help.
On 14.01.2021 22:38, george live wrote:
Hi all,
I am using strongswan version 5.3 on aws cloud and trying to set ipsec with a ciscoasr in customer site. It is not a complex scenario but the logs are telling me that strongswan is saying 'no proposals chosen'.

It is a ikev1, aes256, sha1 and df group 2.

Below are the configs:

config setup
    charondebug="ike 1, knl 0, cfg 0"
     # Specifics
     left=            # Local private ip
     leftsubnet=%dynamic[gre]   # Local VPC Subnet
     right=       # Remote Tunnel IP
     rightsubnet=%dynamic[gre] # Remote VPC Subnet

Customer ASR config
crypto isakmp profile abcd
description Default profile
vrf 10
keyring cust_key
match identity address
keepalive 10 retry 2
crypto keyring cust_key vrf 10
description Key ring for vrf 10 peers
local-address customer_ip vrf
pre-shared-key address key xxxxxxxxx
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile ipsec
set transform-set cust1-xform
set pfs group2
set isakmp-profile abcd
interface Tunnel151
description AWS
vrf forwarding 10
ip address
ip tcp adjust-mss 1379
tunnel source
tunnel destination
tunnel vrf 10
tunnel protection ipsec profile ipsec
ip virtual-reassembly

The debug logs says 'no IKE config found for, sending NO_PROPOSAL_CHOSEN'

Any help is appreciated.



Volodymyr Litovka

  "Vision without Execution is Hallucination." -- Thomas Edison
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210118/f0de4449/attachment-0001.html>

More information about the Users mailing list