[strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3
MOHIT CHALLA (mochalla)
mochalla at cisco.com
Mon Jan 18 16:34:48 CET 2021
Hi George,
I am not 100% sure what is causing the issue, but there are a couple of things which I notice.
Cisco static-VTI solution (like the one that is configured on the ASR in your config) automatically uses any-any traffic selectors. I see you are using GRE as encaps on ASR (which is the default if you do not configure ‘tunnel mode ipsec ipv4’) for what seems to be a point-to-point connection. I am not sure what ‘%dynamic[gre]’ translates too.
So you can try either of this:
1. Set ‘tunnel mode ipsec ipv4’ on the tunnel interface on ASR and make the leftsubnet=0.0.0.0/0 && rightsubnet=0.0.0.0/0 on StrongSwan
2. Leave the ASR config as it is and configure on StrongSwan:
* leftprotoport=gre
* leftsubnet=0.0.0.0/0
* rightprotoport=gre
* rightsubnet=0.0.0.0/0
Let me know if this helps. The encryption settings seems fine, else IKE would have complained during SA_INIT itself.
Thanks,
Mohit
From: Users <users-bounces at lists.strongswan.org> on behalf of Volodymyr Litovka <doka.ua at gmx.com>
Date: Monday, 18 January 2021 at 5:15 PM
To: george live <georgelive2020 at gmail.com>, "users at lists.strongswan.org" <users at lists.strongswan.org>
Subject: Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3
Hi George,
I don't remember exactly Cisco's commands to configure encryption, but it seems you config misses encryption settings for IKE negotiation. Your config on Cisco side should looks like the following:
! This is IKE encryption
crypto isakmp policy 10
encryption ...
hash ...
group ...
...
! This is ESP encryption
crypto ipsec transform-set myset ...
!
crypto ipsec profile myprofile
...
set transform-set myset
!
int tun151
...
tunnel protection ipsec profile myprofile
and IKE encryption (isakmp policy) must match "ike" parameter in connection definition, while ESP encryption (ipsec transform-set) must match "esp" parameter.
Hope this'll help.
On 14.01.2021 22:38, george live wrote:
Hi all,
I am using strongswan version 5.3 on aws cloud and trying to set ipsec with a ciscoasr in customer site. It is not a complex scenario but the logs are telling me that strongswan is saying 'no proposals chosen'.
It is a ikev1, aes256, sha1 and df group 2.
Below are the configs:
Strongswan
=========
config setup
charondebug="ike 1, knl 0, cfg 0"
conn BRKTUNEL
authby=secret
auto=route
dpddelay=10
dpdtimeout=30
dpdaction=restart
esp=aes256-sha-modp1024
ike=aes256-sha-modp1024
ikelifetime=86400s
lifetime=1h
keyexchange=ikev1
keyingtries=%forever
rekey=yes
forceencaps=yes
# Specifics
left=2.2.2.2 # Local private ip
leftsubnet=%dynamic[gre] # Local VPC Subnet
leftid=2.2.2.2
leftfirewall=yes
rightfirewall=no
right=1.1.1.1 # Remote Tunnel IP
rightid=%any
rightsubnet=%dynamic[gre] # Remote VPC Subnet
type=tunnel
Customer ASR config
================
crypto isakmp profile abcd
description Default profile
vrf 10
keyring cust_key
match identity address 2.2.2.2
keepalive 10 retry 2
local-address 1.1.1.1
!
crypto keyring cust_key vrf 10
description Key ring for vrf 10 peers
local-address customer_ip vrf
pre-shared-key address 2.2.2.2 key xxxxxxxxx
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ipsec
set transform-set cust1-xform
set pfs group2
set isakmp-profile abcd
!
interface Tunnel151
description AWS
vrf forwarding 10
ip address 169.254.128.1 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
tunnel vrf 10
tunnel protection ipsec profile ipsec
ip virtual-reassembly
The debug logs says 'no IKE config found for 1.1.1.1...2.2.2.2, sending NO_PROPOSAL_CHOSEN'
Any help is appreciated.
Thanks,
George
--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20210118/f0de4449/attachment-0001.html>
More information about the Users
mailing list