[strongSwan] Matching Cisco "esp-3des esp-sha256-hmac" to strongswan config

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Jan 5 20:15:50 CET 2022


Hello Adam,

I propose the following config:

ike=3des-sha2_256-modp1024!
esp=3des-sha2_256!

No DH group in ESP because ...

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
      plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
      current outbound spi: 0x2CA0EB8F(748743567)
      PFS (Y/N): N, DH group: none


The IKE and ESP proposals are probably nearly identical as I assumed when writing the ones above.
But to be sure you'd need to check these things.

Kind regards
Noel


Am 05.01.22 um 13:57 schrieb Adam Cécile:
> On 1/5/22 1:21 PM, Adam Cécile wrote:
>> On 1/5/22 11:12 AM, Adam Cécile wrote:
>>> Hello,
>>>
>>>
>>> I'm replacing a Cisco endpoint with Strongswan; sadly, all I tried ended up in NO_PROPOSAL_CHOSEN...
>>>
>>> The relevant Cisco bits (which are connecting with the peer just fine) are: crypto ipsec transform-set TunnelName esp-3des esp-sha256-hmac
>>>
>>>
>>> Can someone help me convert this into Strongswan ike/esp config options (I would also be very interested in understanding how to do such a conversion...)
>>>
>>>
>>> Thanks in advance,
>>>
>>> Best regards, Adam.
>>>
>> Here are the details of the connection being established on the Cisco which is to be replaced:
>>
>> interface: GigabitEthernet0/0/1
>>     Crypto map tag: MapName, local addr 1.1.1.1
>>
>>    protected vrf: (none)
>>    local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
>>    remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
>>    current_peer 2.2.2.2 port 500
>>      PERMIT, flags={origin_is_acl,}
>>     #pkts encaps: 247, #pkts encrypt: 247, #pkts digest: 247
>>     #pkts decaps: 276, #pkts decrypt: 276, #pkts verify: 276
>>     #pkts compressed: 0, #pkts decompressed: 0
>>     #pkts not compressed: 0, #pkts compr. failed: 0
>>     #pkts not decompressed: 0, #pkts decompress failed: 0
>>     #send errors 0, #recv errors 0
>>
>>      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
>>      plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
>>      current outbound spi: 0x2CA0EB8F(748743567)
>>      PFS (Y/N): N, DH group: none
>>
>>      inbound esp sas:
>>       spi: 0xC2B47C97(3266608279)
>>         transform: esp-3des esp-sha256-hmac ,
>>         in use settings ={Tunnel, }
>>         conn id: 2001, flow_id: ESG:1, sibling_flags FFFFFFFF80000048, crypto map: MapName
>>         sa timing: remaining key lifetime (k/sec): (4607846/2940)
>>         IV size: 8 bytes
>>         replay detection support: Y  replay window size: 128
>>         Status: ACTIVE(ACTIVE)
>>
>>      inbound ah sas:
>>
>>      inbound pcp sas:
>>
>>      outbound esp sas:
>>       spi: 0x2CA0EB8F(748743567)
>>         transform: esp-3des esp-sha256-hmac ,
>>         in use settings ={Tunnel, }
>>         conn id: 2002, flow_id: ESG:2, sibling_flags FFFFFFFF80000048, crypto map: MapName
>>         sa timing: remaining key lifetime (k/sec): (4607966/2940)
>>         IV size: 8 bytes
>>         replay detection support: Y  replay window size: 128
>>         Status: ACTIVE(ACTIVE)
>>
>>      outbound ah sas:
>>
>>      outbound pcp sas:
>>
> I'm pretty sure I got the proper ike parameter: ike=3des-sha2_256-modp1024
> 
> After setting this one, I get some more logs from Strongswan:
> 
> Jan  5 12:55:05 vpn ipsec[765]: 13[IKE] <tunnel-name|96> initiating Main Mode IKE_SA tunnel-name[96] to 2.2.2.2
> Jan  5 12:55:05 vpn ipsec[765]: 13[ENC] <tunnel-name|96> generating ID_PROT request 0 [ SA V V V V V ]
> Jan  5 12:55:05 vpn ipsec[765]: 13[NET] <tunnel-name|96> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (236 bytes)
> Jan  5 12:55:05 vpn ipsec[765]: 12[NET] <tunnel-name|96> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (96 bytes)
> Jan  5 12:55:05 vpn ipsec[765]: 12[ENC] <tunnel-name|96> parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
> Jan  5 12:55:05 vpn ipsec[765]: 12[IKE] <tunnel-name|96> received NO_PROPOSAL_CHOSEN error notify
> Jan  5 12:55:09 vpn ipsec[765]: 16[IKE] <tunnel-name|98> initiating Main Mode IKE_SA tunnel-name[98] to 2.2.2.2
> Jan  5 12:55:09 vpn ipsec[765]: 16[ENC] <tunnel-name|98> generating ID_PROT request 0 [ SA V V V V V ]
> Jan  5 12:55:09 vpn ipsec[765]: 16[NET] <tunnel-name|98> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (236 bytes)
> 
> Can you confirm these logs mean the ike setting is correct? Any idea regarding esp? No luck yet...
> 
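The mapping discussed in this thread (Cisco transform-set keywords to a strongSwan `esp=` proposal, with the DH group taken from the "PFS (Y/N)" line of `show crypto ipsec sa`), as an added example that is not part of the original thread or of strongSwan itself. The keyword tables are assumptions based on common IOS names; the Cisco DH group spelling in the SA output ("group14" vs "14") is handled both ways because only the "none" case is visible on this page.

```python
import re
from typing import Optional, Tuple

# Assumed Cisco transform-set keywords -> strongSwan proposal tokens.
CISCO_ENC = {
    "esp-des": "des", "esp-3des": "3des", "esp-null": "null",
    "esp-aes": "aes128",  # "esp-aes" without a key size means AES-128
    "esp-aes 192": "aes192", "esp-aes 256": "aes256",
}
CISCO_INTEG = {
    "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
    "esp-sha256-hmac": "sha2_256", "esp-sha384-hmac": "sha2_384",
    "esp-sha512-hmac": "sha2_512",
}
# Assumed Cisco DH group numbers -> strongSwan group names (PFS only).
CISCO_DH = {"1": "modp768", "2": "modp1024", "5": "modp1536",
            "14": "modp2048", "19": "ecp256", "20": "ecp384"}


def parse_transform_set(transform: str) -> Tuple[str, str]:
    """Return (encryption, integrity) tokens for a Cisco transform-set string."""
    tokens, enc, integ, i = transform.split(), None, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "esp-aes" and i + 1 < len(tokens) and tokens[i + 1].isdigit():
            tok, i = f"esp-aes {tokens[i + 1]}", i + 1  # "esp-aes 256" is one keyword
        if tok in CISCO_ENC:
            enc = CISCO_ENC[tok]
        elif tok in CISCO_INTEG:
            integ = CISCO_INTEG[tok]
        else:
            raise ValueError(f"unknown transform-set keyword: {tok}")
        i += 1
    if enc is None or integ is None:
        raise ValueError("transform set needs one encryption and one integrity keyword")
    return enc, integ


def pfs_group_from_sa_output(sa_text: str) -> Optional[str]:
    """Read the 'PFS (Y/N): ..., DH group: ...' line; None means no DH group in ESP."""
    m = re.search(r"PFS \(Y/N\): ([YN]), DH group: (\S+)", sa_text)
    if not m:
        raise ValueError("no PFS line found in SA output")
    if m.group(1) == "N":
        return None
    return CISCO_DH[re.sub(r"^group", "", m.group(2))]


def strongswan_esp(transform: str, pfs_group: Optional[str], strict: bool = True) -> str:
    """Build the ipsec.conf esp= value; '!' makes the proposal strict (no defaults appended)."""
    enc, integ = parse_transform_set(transform)
    parts = [enc, integ] + ([pfs_group] if pfs_group else [])
    return "-".join(parts) + ("!" if strict else "")
```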