[strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3
MOHIT CHALLA (mochalla)
mochalla at cisco.com
Mon Jan 18 16:34:48 CET 2021
I am not 100% sure what is causing the issue, but there are a couple of things which I notice.
Cisco static-VTI solution (like the one that is configured on the ASR in your config) automatically uses any-any traffic selectors. I see you are using GRE as encaps on ASR (which is the default if you do not configure ‘tunnel mode ipsec ipv4’) for what seems to be a point-to-point connection. I am not sure what ‘%dynamic[gre]’ translates too.
So you can try either of this:
1. Set ‘tunnel mode ipsec ipv4’ on the tunnel interface on ASR and make the leftsubnet=0.0.0.0/0 && rightsubnet=0.0.0.0/0 on StrongSwan
2. Leave the ASR config as it is and configure on StrongSwan:
Let me know if this helps. The encryption settings seems fine, else IKE would have complained during SA_INIT itself.
From: Users <users-bounces at lists.strongswan.org> on behalf of Volodymyr Litovka <doka.ua at gmx.com>
Date: Monday, 18 January 2021 at 5:15 PM
To: george live <georgelive2020 at gmail.com>, "users at lists.strongswan.org" <users at lists.strongswan.org>
Subject: Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3
I don't remember exactly Cisco's commands to configure encryption, but it seems you config misses encryption settings for IKE negotiation. Your config on Cisco side should looks like the following:
! This is IKE encryption
crypto isakmp policy 10
! This is ESP encryption
crypto ipsec transform-set myset ...
crypto ipsec profile myprofile
set transform-set myset
tunnel protection ipsec profile myprofile
and IKE encryption (isakmp policy) must match "ike" parameter in connection definition, while ESP encryption (ipsec transform-set) must match "esp" parameter.
Hope this'll help.
On 14.01.2021 22:38, george live wrote:
I am using strongswan version 5.3 on aws cloud and trying to set ipsec with a ciscoasr in customer site. It is not a complex scenario but the logs are telling me that strongswan is saying 'no proposals chosen'.
It is a ikev1, aes256, sha1 and df group 2.
Below are the configs:
charondebug="ike 1, knl 0, cfg 0"
left=18.104.22.168 # Local private ip
leftsubnet=%dynamic[gre] # Local VPC Subnet
right=22.214.171.124 # Remote Tunnel IP
rightsubnet=%dynamic[gre] # Remote VPC Subnet
Customer ASR config
crypto isakmp profile abcd
description Default profile
match identity address 126.96.36.199
keepalive 10 retry 2
crypto keyring cust_key vrf 10
description Key ring for vrf 10 peers
local-address customer_ip vrf
pre-shared-key address 188.8.131.52 key xxxxxxxxx
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
crypto ipsec profile ipsec
set transform-set cust1-xform
set pfs group2
set isakmp-profile abcd
vrf forwarding 10
ip address 169.254.128.1 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 184.108.40.206
tunnel destination 220.127.116.11
tunnel vrf 10
tunnel protection ipsec profile ipsec
The debug logs says 'no IKE config found for 18.104.22.168...22.214.171.124, sending NO_PROPOSAL_CHOSEN'
Any help is appreciated.
"Vision without Execution is Hallucination." -- Thomas Edison
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users