[strongSwan] Matching Cisco "esp-3des esp-sha256-hmac" to strongswan config

Adam Cécile acecile at le-vert.net
Wed Jan 5 13:21:22 CET 2022


On 1/5/22 11:12 AM, Adam Cécile wrote:
> Hello,
>
>
> I'm replacing a Cisco endpoint with strongSwan; sadly, all I tried ended 
> up in NO_PROPOSAL_CHOSEN...
>
> The relevant Cisco bits (which are connecting with the peer just fine) are: 
> crypto ipsec transform-set TunnelName esp-3des esp-sha256-hmac
>
>
> Can someone help me convert this into strongSwan ike/esp config 
> options (and I would also be very interested in understanding how to 
> do such a conversion...)
>
>
> Thanks in advance,
>
> Best regards, Adam.
>
Here are the details of the connection established on the Cisco 
that is to be replaced:

interface: GigabitEthernet0/0/1
     Crypto map tag: MapName, local addr 1.1.1.1

    protected vrf: (none)
    local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
    current_peer 2.2.2.2 port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 247, #pkts encrypt: 247, #pkts digest: 247
     #pkts decaps: 276, #pkts decrypt: 276, #pkts verify: 276
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 0, #recv errors 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
      plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
      current outbound spi: 0x2CA0EB8F(748743567)
      PFS (Y/N): N, DH group: none

      inbound esp sas:
       spi: 0xC2B47C97(3266608279)
         transform: esp-3des esp-sha256-hmac ,
         in use settings ={Tunnel, }
         conn id: 2001, flow_id: ESG:1, sibling_flags FFFFFFFF80000048, crypto map: MapName
         sa timing: remaining key lifetime (k/sec): (4607846/2940)
         IV size: 8 bytes
         replay detection support: Y  replay window size: 128
         Status: ACTIVE(ACTIVE)

      inbound ah sas:

      inbound pcp sas:

      outbound esp sas:
       spi: 0x2CA0EB8F(748743567)
         transform: esp-3des esp-sha256-hmac ,
         in use settings ={Tunnel, }
         conn id: 2002, flow_id: ESG:2, sibling_flags FFFFFFFF80000048, crypto map: MapName
         sa timing: remaining key lifetime (k/sec): (4607966/2940)
         IV size: 8 bytes
         replay detection support: Y  replay window size: 128
         Status: ACTIVE(ACTIVE)

      outbound ah sas:

      outbound pcp sas:

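Added worked example (not part of Adam's post, nor the strongSwan project's own documentation): a swanctl.conf fragment derived from the Cisco output above. The ESP side follows directly from the dump: "esp-3des" is strongSwan's 3des, "esp-sha256-hmac" is sha256 (HMAC-SHA2-256 with the standard 128-bit truncation), "PFS (Y/N): N, DH group: none" means the CHILD_SA proposal must not carry a DH group, "in use settings ={Tunnel, }" is tunnel mode, and the replay window is 128. The strongSwan host takes over the Cisco's role (1.1.1.1 with 10.0.0.0/24). Everything the output does not show is an assumption and marked as such in the fragment: IKEv1 (crypto maps with a transform-set are usually IKEv1, but the peer's configuration decides), the IKE (phase 1) proposal, PSK authentication and the secret itself.

```conf
# /etc/swanctl/swanctl.conf -- added example, derived from the Cisco output above.
# Lines marked ASSUMPTION are not in the posted output and must be taken from the
# Cisco's "crypto isakmp policy" / "crypto ikev2 proposal" and its key material.
connections {
    MapName {
        # ASSUMPTION: IKEv1. Use version = 2 if the peer is configured for IKEv2.
        version = 1
        local_addrs  = 1.1.1.1      # "local crypto endpt.: 1.1.1.1"
        remote_addrs = 2.2.2.2      # "current_peer 2.2.2.2 port 500"

        # ASSUMPTION: IKE (phase 1) proposal; nothing in the posted output shows it.
        # A mismatch here also yields NO_PROPOSAL_CHOSEN, but in IKE_SA_INIT (IKEv2)
        # or Main Mode (IKEv1), not during CHILD_SA / Quick Mode negotiation.
        proposals = aes256-sha256-modp2048

        local {
            auth = psk               # ASSUMPTION: pre-shared key authentication
            id = 1.1.1.1
        }
        remote {
            auth = psk
            id = 2.2.2.2
        }

        children {
            TunnelName {
                # Traffic selectors copied from the local/remote ident lines.
                local_ts  = 10.0.0.0/24
                remote_ts = 10.1.0.0/24

                # "transform: esp-3des esp-sha256-hmac": 3DES-CBC + HMAC-SHA2-256-128.
                # "PFS (Y/N): N, DH group: none": no DH group in the ESP proposal.
                # Appending e.g. -modp1024 here would make the peer reject the proposal.
                esp_proposals = 3des-sha256

                mode = tunnel                    # "in use settings ={Tunnel, }"
                replay_window = 128              # "replay window size: 128"

                # The Cisco default SA lifetime is 3600 s (2940 s remaining in the dump).
                # strongSwan rekeys before its hard limit, so set both explicitly.
                rekey_time = 54m
                life_time  = 60m

                start_action = start
            }
        }
    }
}

secrets {
    ike-peer {
        id = 2.2.2.2
        secret = "REPLACE-WITH-THE-SHARED-KEY"   # ASSUMPTION: placeholder, not a real key
    }
}
```

After `swanctl --load-all`, `swanctl --list-sas` should show the CHILD_SA as 3DES_CBC/HMAC_SHA2_256_128. If the peer still answers NO_PROPOSAL_CHOSEN, first read the charon log to see whether the notify arrives for the IKE_SA or for the CHILD_SA, since that tells you which of the two proposals is wrong. For the ESP side, check that `swanctl --list-algs` lists 3des and sha256 (the des plugin must be loaded and the kernel must support des3_ede for ESP). Some older IOS releases are reported to have implemented esp-sha256-hmac with a 96-bit truncation; strongSwan offers `sha256_96` for exactly that interop case, so `esp_proposals = 3des-sha256, 3des-sha256_96` can be used to probe it. 3DES is deprecated; match it only for the cut-over and move the peer to an AES-based transform-set afterwards.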