[strongSwan] Matching Cisco "esp-3des esp-sha256-hmac" to strongswan config
Adam Cécile
acecile at le-vert.net
Wed Jan 12 10:48:25 CET 2022
Hello,
Thanks for the reply, sadly this is not working :/
parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP)
Regards, Adam.
On 1/5/22 8:15 PM, Noel Kuntze wrote:
> Hello Adam,
>
> I propose the following config:
>
> ike=3des-sha2_256-modp1024!
> esp=3des-sha2_256!
>
> No DH group in ESP because ...
>
> local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
> plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb
> GigabitEthernet0/0/1
> current outbound spi: 0x2CA0EB8F(748743567)
> PFS (Y/N): N, DH group: none
>
>
> The IKE and ESP proposals are probably nearly identical as I assumed
> when writing the ones above.
> But to be sure you'd need to check these things.
>
> Kind regards
> Noel
>
>
> On 05.01.22 at 13:57, Adam Cécile wrote:
>> On 1/5/22 1:21 PM, Adam Cécile wrote:
>>> On 1/5/22 11:12 AM, Adam Cécile wrote:
>>>> Hello,
>>>>
>>>>
>>>> I'm replacing a Cisco endpoint with Strongswan; sadly, all I tried
>>>> ended up in NO_PROPOSAL_CHOSEN...
>>>>
>>>> The relevant Cisco bits (which are connecting with the peer just fine)
>>>> are: crypto ipsec transform-set TunnelName esp-3des esp-sha256-hmac
>>>>
>>>>
>>>> Can someone help me convert this into Strongswan ike/esp config
>>>> options (and I would also be very interested in understanding how
>>>> to do such a conversion...)
>>>>
>>>>
>>>> Thanks in advance,
>>>>
>>>> Best regards, Adam.
>>>>
>>> Here is the detail of the connection being established on the Cisco
>>> which is aimed to be replaced:
>>>
>>> interface: GigabitEthernet0/0/1
>>> Crypto map tag: MapName, local addr 1.1.1.1
>>>
>>> protected vrf: (none)
>>> local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
>>> remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
>>> current_peer 2.2.2.2 port 500
>>> PERMIT, flags={origin_is_acl,}
>>> #pkts encaps: 247, #pkts encrypt: 247, #pkts digest: 247
>>> #pkts decaps: 276, #pkts decrypt: 276, #pkts verify: 276
>>> #pkts compressed: 0, #pkts decompressed: 0
>>> #pkts not compressed: 0, #pkts compr. failed: 0
>>> #pkts not decompressed: 0, #pkts decompress failed: 0
>>> #send errors 0, #recv errors 0
>>>
>>> local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
>>> plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb
>>> GigabitEthernet0/0/1
>>> current outbound spi: 0x2CA0EB8F(748743567)
>>> PFS (Y/N): N, DH group: none
>>>
>>> inbound esp sas:
>>> spi: 0xC2B47C97(3266608279)
>>> transform: esp-3des esp-sha256-hmac ,
>>> in use settings ={Tunnel, }
>>> conn id: 2001, flow_id: ESG:1, sibling_flags
>>> FFFFFFFF80000048, crypto map: MapName
>>> sa timing: remaining key lifetime (k/sec): (4607846/2940)
>>> IV size: 8 bytes
>>> replay detection support: Y replay window size: 128
>>> Status: ACTIVE(ACTIVE)
>>>
>>> inbound ah sas:
>>>
>>> inbound pcp sas:
>>>
>>> outbound esp sas:
>>> spi: 0x2CA0EB8F(748743567)
>>> transform: esp-3des esp-sha256-hmac ,
>>> in use settings ={Tunnel, }
>>> conn id: 2002, flow_id: ESG:2, sibling_flags
>>> FFFFFFFF80000048, crypto map: MapName
>>> sa timing: remaining key lifetime (k/sec): (4607966/2940)
>>> IV size: 8 bytes
>>> replay detection support: Y replay window size: 128
>>> Status: ACTIVE(ACTIVE)
>>>
>>> outbound ah sas:
>>>
>>> outbound pcp sas:
>>>
>> I'm pretty sure I got the proper ike parameter:
>> ike=3des-sha2_256-modp1024
>>
>> After setting this one, I get some more logs from Strongswan:
>>
>> Jan 5 12:55:05 vpn ipsec[765]: 13[IKE] <tunnel-name|96> initiating
>> Main Mode IKE_SA tunnel-name[96] to 2.2.2.2
>> Jan 5 12:55:05 vpn ipsec[765]: 13[ENC] <tunnel-name|96> generating
>> ID_PROT request 0 [ SA V V V V V ]
>> Jan 5 12:55:05 vpn ipsec[765]: 13[NET] <tunnel-name|96> sending
>> packet: from 1.1.1.1[500] to 2.2.2.2[500] (236 bytes)
>> Jan 5 12:55:05 vpn ipsec[765]: 12[NET] <tunnel-name|96> received
>> packet: from 2.2.2.2[500] to 1.1.1.1[500] (96 bytes)
>> Jan 5 12:55:05 vpn ipsec[765]: 12[ENC] <tunnel-name|96> parsed
>> INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
>> Jan 5 12:55:05 vpn ipsec[765]: 12[IKE] <tunnel-name|96> received
>> NO_PROPOSAL_CHOSEN error notify
>> Jan 5 12:55:09 vpn ipsec[765]: 16[IKE] <tunnel-name|98> initiating
>> Main Mode IKE_SA tunnel-name[98] to 2.2.2.2
>> Jan 5 12:55:09 vpn ipsec[765]: 16[ENC] <tunnel-name|98> generating
>> ID_PROT request 0 [ SA V V V V V ]
>> Jan 5 12:55:09 vpn ipsec[765]: 16[NET] <tunnel-name|98> sending
>> packet: from 1.1.1.1[500] to 2.2.2.2[500] (236 bytes)
>>
>> Can you confirm these logs mean the ike setting is correct? Any idea
>> regarding esp? No luck yet...
>>
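An added example, not from the thread or from the strongSwan project, of the conversion Adam asked about: a small Python helper that maps Cisco IOS transform-set keywords to strongSwan's legacy ipsec.conf `esp=` proposal syntax and reads the `PFS (Y/N)` line of `show crypto ipsec sa` to decide whether a DH group belongs in the proposal at all. The keyword tables are an assumption covering the common IOS names; the trailing `!` is the strict-proposal flag Noel used in his reply.

```python
"""Map a Cisco IOS transform-set to a strongSwan ipsec.conf esp= proposal."""
import re

# Assumed mapping of Cisco IOS transform-set keywords to strongSwan keywords.
CISCO_ESP_ENC = {
    "esp-des": "des",
    "esp-3des": "3des",
    "esp-aes": "aes",      # key size follows as a separate token (default 128)
    "esp-null": "null",
}
CISCO_ESP_INTEG = {
    "esp-md5-hmac": "md5",
    "esp-sha-hmac": "sha1",
    "esp-sha256-hmac": "sha2_256",
    "esp-sha384-hmac": "sha2_384",
    "esp-sha512-hmac": "sha2_512",
}
CISCO_DH_GROUP = {"group2": "modp1024", "group5": "modp1536",
                  "group14": "modp2048", "group19": "ecp256", "group20": "ecp384"}


def transform_set_to_esp(transform_set, pfs_group=None, strict=True):
    """Translate e.g. 'esp-3des esp-sha256-hmac' into '3des-sha2_256!'.

    pfs_group is the Cisco 'set pfs groupN' value, or None when the SA shows
    'PFS (Y/N): N' (then no DH group goes into the ESP proposal)."""
    tokens = transform_set.split()
    enc = integ = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in CISCO_ESP_ENC:
            enc = CISCO_ESP_ENC[tok]
            if tok == "esp-aes":            # 'esp-aes 256' -> aes256
                size = "128"
                if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                    size = tokens[i + 1]
                    i += 1
                enc = "aes" + size
        elif tok in CISCO_ESP_INTEG:
            integ = CISCO_ESP_INTEG[tok]
        else:
            raise ValueError("unsupported transform keyword: " + tok)
        i += 1
    if enc is None or integ is None:
        raise ValueError("transform-set needs one cipher and one HMAC")
    parts = [enc, integ] + ([CISCO_DH_GROUP[pfs_group]] if pfs_group else [])
    return "-".join(parts) + ("!" if strict else "")


def pfs_group_from_sa(show_output):
    """Return the Cisco DH group named in 'show crypto ipsec sa', or None if PFS is off."""
    m = re.search(r"PFS \(Y/N\): ([YN]), DH group: (\S+)", show_output)
    return None if not m or m.group(1) == "N" else m.group(2)
```

Feeding the thread's transform-set and the `PFS (Y/N): N, DH group: none` line through these two functions yields `esp=3des-sha2_256!`, which is the proposal Noel suggested.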