[strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

MOHIT CHALLA (mochalla) mochalla at cisco.com
Mon Jan 18 17:16:04 CET 2021


[Correction]

Hi George,

Sorry, I made a blunder in the earlier response... I mixed up IPsec TS_UNACCEPTABLE with IKE proposals.

I just checked, and the debug output you posted is in fact originating because of the IKE proposal mismatch.

Basically, Cisco uses default ISAKMP profiles under the hood unless the user explicitly configures an ISAKMP policy (in which case the system default is then overridden with the user-configured policy).
So, in your case, there does not seem to be a user-configured ISAKMP policy, due to which the system default is being used, and the same is not matching the IKE config on StrongSwan.

What default policies are configured by the system on the ASR depends on the software version. So you can check this with ‘show crypto isakmp default policy’.

Either way, DH group 2 and AES have been long considered unsafe and are probably not configured as a system default, so you will have to configure an ISAKMP policy with these settings explicitly.

In a nutshell:

  1.  change the config parameters on the StrongSwan side to match the system defaults of the ASR
  2.  Or, explicitly configure a policy on the ASR to match the StrongSwan setting, like this example:
crypto isakmp policy 1
 encryption aes
 authentication pre-share
 group 2

With this change your IKE SA should come up. I am guessing the CHILD_SA will also come up with your existing config; if not, you can try the suggestion I had given in the earlier mail for that.

Thanks,
Mohit
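An added example of my own (not code from strongSwan, Cisco, or anyone in this thread) for the two matching rules raised in the thread: the ISAKMP policy must match strongSwan's ike= line (above), and the transform-set plus PFS group must match esp= (Volodymyr's mail quoted below). It normalises both spellings into one shape and lists the fields that differ. Assumptions: only the algorithms named in this thread are mapped, the IOS defaults for a configured policy are DES, SHA-1 and group 1 as documented, and a transform-set is written in the usual 'esp-<cipher> esp-<hash>-hmac' order.

```python
import re

# Added example, not strongSwan or Cisco IOS code. Assumptions: the name table only
# covers algorithms from this thread; IOS policy defaults (DES, SHA-1, group 1) per docs.
_SS = {"aes": ("enc", ("aes", 128)), "aes128": ("enc", ("aes", 128)), "aes256": ("enc", ("aes", 256)),
       "sha": ("integ", "sha1"), "sha1": ("integ", "sha1"), "sha256": ("integ", "sha256"),
       "modp1024": ("dh", 2), "modp2048": ("dh", 14)}
EMPTY = {"enc": None, "integ": None, "dh": None}
IOS_POLICY_DEFAULTS = {"enc": ("des", 56), "integ": "sha1", "dh": 1}

def _enc(alg, bits):  # IOS 'aes' without a key length means AES-128
    return (alg, int(bits) if bits else {"3des": 168, "des": 56}.get(alg, 128))

# (regex, side, fields it sets) for the IOS lines that pick IKE and ESP algorithms;
# IOS spells SHA-1 as plain 'sha', normalised to 'sha1' like strongSwan's 'sha'
_RULES = [
    (r"encryption (aes|3des|des)(?: (\d+))?", "ike", lambda m: {"enc": _enc(m[1], m[2])}),
    (r"hash (\w+)", "ike", lambda m: {"integ": "sha1" if m[1] == "sha" else m[1]}),
    (r"group (\d+)", "ike", lambda m: {"dh": int(m[1])}),
    (r"set pfs group(\d+)", "esp", lambda m: {"dh": int(m[1])}),
    (r"crypto ipsec transform-set \S+ esp-(aes|3des|des)(?: (\d+))? esp-(\w+)-hmac", "esp",
     lambda m: {"enc": _enc(m[1], m[2]), "integ": "sha1" if m[3] == "sha" else m[3]}),
]

def parse_strongswan(prop):
    """'aes256-sha-modp1024' -> {'enc': ('aes', 256), 'integ': 'sha1', 'dh': 2}"""
    out = dict(EMPTY)
    for tok in prop.split("-"):
        if tok not in _SS:
            raise ValueError(f"unmapped strongSwan token {tok!r}")
        out[_SS[tok][0]] = _SS[tok][1]
    return out

def parse_cisco(cfg):
    """(ike, esp) dicts; a field stays None when no line sets it (the thread's no-policy case)"""
    ike, esp = dict(EMPTY), dict(EMPTY)
    for line in (l.strip() for l in cfg.splitlines()):
        if re.fullmatch(r"crypto isakmp policy \d+", line):
            ike.update(IOS_POLICY_DEFAULTS)  # explicit lines that follow override these
        for pat, side, fields in _RULES:
            if m := re.fullmatch(pat, line):
                (ike if side == "ike" else esp).update(fields(m))
    return ike, esp

def mismatches(ss_prop, cisco_side):
    """Fields on which the strongSwan proposal and the Cisco side disagree"""
    want = parse_strongswan(ss_prop)
    return [k for k in want if want[k] != cisco_side[k]]

# Constructed input: the thread's transform-set and PFS plus the suggested ISAKMP policy
ASR_CFG = ("crypto isakmp policy 1\n encryption aes\n authentication pre-share\n group 2\n"
           "crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac\n set pfs group2\n")
```

Against the suggested policy it reports `enc`, because IOS `encryption aes` is AES-128 while `ike=aes256-...` asks for AES-256, so `encryption aes 256` would be needed on the ASR. With no policy stanza at all, every IKE field is reported as differing, which is the no-policy case discussed above.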


From: Users <users-bounces at lists.strongswan.org> on behalf of "MOHIT CHALLA (mochalla)" <mochalla at cisco.com>
Date: Monday, 18 January 2021 at 9:05 PM
To: Volodymyr Litovka <doka.ua at gmx.com>, george live <georgelive2020 at gmail.com>, "users at lists.strongswan.org" <users at lists.strongswan.org>
Subject: Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

Hi George,

I am not 100% sure what is causing the issue, but there are a couple of things which I notice.

Cisco static-VTI solution (like the one that is configured on the ASR in your config) automatically uses any-any traffic selectors. I see you are using GRE as encaps on the ASR (which is the default if you do not configure ‘tunnel mode ipsec ipv4’) for what seems to be a point-to-point connection. I am not sure what ‘%dynamic[gre]’ translates to.

So you can try either of these:

  1.  Set ‘tunnel mode ipsec ipv4’ on the tunnel interface on ASR and make the leftsubnet=0.0.0.0/0 && rightsubnet=0.0.0.0/0 on StrongSwan
  2.  Leave the ASR config as it is and configure on StrongSwan:
     *   leftprotoport=gre
     *   leftsubnet=0.0.0.0/0
     *   rightprotoport=gre
     *   rightsubnet=0.0.0.0/0

Let me know if this helps. The encryption settings seem fine, else IKE would have complained during SA_INIT itself.

Thanks,
Mohit


From: Users <users-bounces at lists.strongswan.org> on behalf of Volodymyr Litovka <doka.ua at gmx.com>
Date: Monday, 18 January 2021 at 5:15 PM
To: george live <georgelive2020 at gmail.com>, "users at lists.strongswan.org" <users at lists.strongswan.org>
Subject: Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3


Hi George,

I don't remember exactly Cisco's commands to configure encryption, but it seems your config misses encryption settings for IKE negotiation. Your config on the Cisco side should look like the following:

! This is IKE encryption
crypto isakmp policy 10
 encryption ...
 hash ...
 group ...
 ...
! This is ESP encryption
crypto ipsec transform-set myset ...
!
crypto ipsec profile myprofile
 ...
 set transform-set myset
!
int tun151
 ...
 tunnel protection ipsec profile myprofile

and IKE encryption (isakmp policy) must match "ike" parameter in connection definition, while ESP encryption (ipsec transform-set) must match "esp" parameter.

Hope this'll help.
On 14.01.2021 22:38, george live wrote:
Hi all,
I am using strongswan version 5.3 on AWS cloud and trying to set up IPsec with a Cisco ASR in the customer site. It is not a complex scenario, but the logs are telling me that strongswan is saying 'no proposals chosen'.

It is IKEv1, AES256, SHA1 and DH group 2.

Below are the configs:

Strongswan
=========
config setup
    charondebug="ike 1, knl 0, cfg 0"
conn BRKTUNEL
    authby=secret
    auto=route
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
    esp=aes256-sha-modp1024
    ike=aes256-sha-modp1024
    ikelifetime=86400s
    lifetime=1h
    keyexchange=ikev1
    keyingtries=%forever
    rekey=yes
    forceencaps=yes
    # Specifics
    left=2.2.2.2               # Local private ip
    leftsubnet=%dynamic[gre]   # Local VPC Subnet
    leftid=2.2.2.2
    leftfirewall=yes
    rightfirewall=no
    right=1.1.1.1              # Remote Tunnel IP
    rightid=%any
    rightsubnet=%dynamic[gre]  # Remote VPC Subnet
    type=tunnel

Customer ASR config
================
crypto isakmp profile abcd
 description Default profile
 vrf 10
 keyring cust_key
 match identity address 2.2.2.2
 keepalive 10 retry 2
 local-address 1.1.1.1
!
crypto keyring cust_key vrf 10
 description Key ring for vrf 10 peers
 local-address customer_ip vrf
 pre-shared-key address 2.2.2.2 key xxxxxxxxx
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipsec
 set transform-set cust1-xform
 set pfs group2
 set isakmp-profile abcd
!
interface Tunnel151
 description AWS
 vrf forwarding 10
 ip address 169.254.128.1 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel vrf 10
 tunnel protection ipsec profile ipsec
 ip virtual-reassembly

The debug log says 'no IKE config found for 1.1.1.1...2.2.2.2, sending NO_PROPOSAL_CHOSEN'

Any help is appreciated.

Thanks,
George

--

Volodymyr Litovka

  "Vision without Execution is Hallucination." -- Thomas Edison