[strongSwan] Matching Cisco "esp-3des esp-sha256-hmac" to strongswan config
Rajiv Kulkarni
rajivkulkarni69 at gmail.com
Mon Jan 17 13:01:42 CET 2022
Hi

It seems the IKE proposal (3des-sha256-modp1024) that you are sending from
the Strongswan (1.1.1.1) to the remote peer (2.2.2.2) DOES NOT MATCH WHAT
IS CONFIGURED ON THE 2.2.2.2/PEER.

So confirm that the IKE proposal sent by Strongswan (as initiator of the
tunnel) is matched by the same algorithm-combination configuration on the
peer/2.2.2.2, else it will obviously be a no proposal chosen.

Alternatively you could also try configuring on the strongswan peer
(1.1.1.1) as below, without the exclamation mark in the IKE proposal (this
will result in strongswan adding its own pre-defined set of proposals to the
configured proposal of 3des-sha256-modp1024), and see what's happening now.

Note: Keep the exclamation mark for esp as it is.
ike=3des-sha256-modp1024
esp=3des-sha256!
best regards
Rajiv
On Wed, Jan 12, 2022 at 3:18 PM Adam Cécile <acecile at le-vert.net> wrote:
> Hello,
>
> Thanks for the reply, sadly this is not working :/
>
> parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP)
>
> Regards, Adam.
>
> On 1/5/22 8:15 PM, Noel Kuntze wrote:
> > Hello Adam,
> >
> > I propose the following config:
> >
> > ike=3des-sha2_256-modp1024!
> > esp=3des-sha2_256!
> >
> > No DH group in ESP because ...
> >
> > local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
> > plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb
> > GigabitEthernet0/0/1
> > current outbound spi: 0x2CA0EB8F(748743567)
> > PFS (Y/N): N, DH group: none
> >
> >
> > The IKE and ESP proposals are probably nearly identical as I assumed
> > when writing the ones above.
> > But to be sure you'd need to check these things.
> >
> > Kind regards
> > Noel
> >
> >
> > Am 05.01.22 um 13:57 schrieb Adam Cécile:
> >> On 1/5/22 1:21 PM, Adam Cécile wrote:
> >>> On 1/5/22 11:12 AM, Adam Cécile wrote:
> >>>> Hello,
> >>>>
> >>>>
> >>>> I'm replacing a Cisco endpoint with Strongswan, sadly all I tried
> >>>> ended up in NO_PROPOSAL_CHOSEN...
> >>>>
> >>>> The relevant Cisco bits (which are connecting with the peer just fine)
> >>>> are: crypto ipsec transform-set TunnelName esp-3des esp-sha256-hmac
> >>>>
> >>>>
> >>>> Can someone help me convert this into Strongswan ike/esp config
> >>>> options (and I also would be very interested in understanding how
> >>>> to do such a conversion...)
> >>>>
> >>>>
> >>>> Thanks in advance,
> >>>>
> >>>> Best regards, Adam.
> >>>>
> >>> Here is the detail of the connection being established on the Cisco
> >>> which is aimed to be replaced:
> >>>
> >>> interface: GigabitEthernet0/0/1
> >>> Crypto map tag: MapName, local addr 1.1.1.1
> >>>
> >>> protected vrf: (none)
> >>> local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
> >>> remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
> >>> current_peer 2.2.2.2 port 500
> >>> PERMIT, flags={origin_is_acl,}
> >>> #pkts encaps: 247, #pkts encrypt: 247, #pkts digest: 247
> >>> #pkts decaps: 276, #pkts decrypt: 276, #pkts verify: 276
> >>> #pkts compressed: 0, #pkts decompressed: 0
> >>> #pkts not compressed: 0, #pkts compr. failed: 0
> >>> #pkts not decompressed: 0, #pkts decompress failed: 0
> >>> #send errors 0, #recv errors 0
> >>>
> >>> local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
> >>> plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb
> >>> GigabitEthernet0/0/1
> >>> current outbound spi: 0x2CA0EB8F(748743567)
> >>> PFS (Y/N): N, DH group: none
> >>>
> >>> inbound esp sas:
> >>> spi: 0xC2B47C97(3266608279)
> >>> transform: esp-3des esp-sha256-hmac ,
> >>> in use settings ={Tunnel, }
> >>> conn id: 2001, flow_id: ESG:1, sibling_flags
> >>> FFFFFFFF80000048, crypto map: MapName
> >>> sa timing: remaining key lifetime (k/sec): (4607846/2940)
> >>> IV size: 8 bytes
> >>> replay detection support: Y replay window size: 128
> >>> Status: ACTIVE(ACTIVE)
> >>>
> >>> inbound ah sas:
> >>>
> >>> inbound pcp sas:
> >>>
> >>> outbound esp sas:
> >>> spi: 0x2CA0EB8F(748743567)
> >>> transform: esp-3des esp-sha256-hmac ,
> >>> in use settings ={Tunnel, }
> >>> conn id: 2002, flow_id: ESG:2, sibling_flags
> >>> FFFFFFFF80000048, crypto map: MapName
> >>> sa timing: remaining key lifetime (k/sec): (4607966/2940)
> >>> IV size: 8 bytes
> >>> replay detection support: Y replay window size: 128
> >>> Status: ACTIVE(ACTIVE)
> >>>
> >>> outbound ah sas:
> >>>
> >>> outbound pcp sas:
> >>>
> >> I'm pretty sure I got the proper ike parameter:
> >> ike=3des-sha2_256-modp1024
> >>
> >> After setting this one, I get some more logs from Strongswan:
> >>
> >> Jan 5 12:55:05 vpn ipsec[765]: 13[IKE] <tunnel-name|96> initiating
> >> Main Mode IKE_SA tunnel-name[96] to 2.2.2.2
> >> Jan 5 12:55:05 vpn ipsec[765]: 13[ENC] <tunnel-name|96> generating
> >> ID_PROT request 0 [ SA V V V V V ]
> >> Jan 5 12:55:05 vpn ipsec[765]: 13[NET] <tunnel-name|96> sending
> >> packet: from 1.1.1.1[500] to 2.2.2.2[500] (236 bytes)
> >> Jan 5 12:55:05 vpn ipsec[765]: 12[NET] <tunnel-name|96> received
> >> packet: from 2.2.2.2[500] to 1.1.1.1[500] (96 bytes)
> >> Jan 5 12:55:05 vpn ipsec[765]: 12[ENC] <tunnel-name|96> parsed
> >> INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
> >> Jan 5 12:55:05 vpn ipsec[765]: 12[IKE] <tunnel-name|96> received
> >> NO_PROPOSAL_CHOSEN error notify
> >> Jan 5 12:55:09 vpn ipsec[765]: 16[IKE] <tunnel-name|98> initiating
> >> Main Mode IKE_SA tunnel-name[98] to 2.2.2.2
> >> Jan 5 12:55:09 vpn ipsec[765]: 16[ENC] <tunnel-name|98> generating
> >> ID_PROT request 0 [ SA V V V V V ]
> >> Jan 5 12:55:09 vpn ipsec[765]: 16[NET] <tunnel-name|98> sending
> >> packet: from 1.1.1.1[500] to 2.2.2.2[500] (236 bytes)
> >>
> >> Can you confirm these logs mean the ike setting is correct? Any idea
> >> regarding esp? No luck yet...
> >>
>
>
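The conversion Adam asked about, worked through as an added example (not code from the thread or from the strongSwan project): it maps the keywords of a Cisco IOS `crypto isakmp policy` block and a `crypto ipsec transform-set` line onto strongSwan ipsec.conf `ike=`/`esp=` proposal strings. The isakmp policy text used in the usage call is constructed, since the thread only shows the transform-set and the crypto-map status output; the mapping tables are the standard Cisco and strongSwan algorithm names, and the trailing `!` reproduces the ipsec.conf strict-proposal behaviour discussed above (swanctl.conf proposals are strict without it).

```python
# Cisco "crypto isakmp policy" keywords -> strongSwan IKE proposal keywords
ISAKMP_ENCR = {
    "des": "des", "3des": "3des",
    "aes": "aes128", "aes 128": "aes128", "aes 192": "aes192", "aes 256": "aes256",
}
ISAKMP_HASH = {"md5": "md5", "sha": "sha1", "sha256": "sha256",
               "sha384": "sha384", "sha512": "sha512"}
# Cisco "group N" (IKE policy or "set pfs groupN") -> strongSwan DH group keyword
DH_GROUP = {
    "1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
    "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384",
    "21": "ecp521", "24": "modp2048s256",
}
# Cisco transform-set keywords -> strongSwan ESP proposal keywords
ESP_ENCR = {
    "esp-des": "des", "esp-3des": "3des", "esp-null": "null",
    "esp-aes": "aes128", "esp-aes 128": "aes128", "esp-aes 192": "aes192",
    "esp-aes 256": "aes256",
    # AES-GCM with 128-bit ICV: an AEAD cipher, so no separate esp-*-hmac keyword
    "esp-gcm": "aes128gcm16", "esp-gcm 128": "aes128gcm16", "esp-gcm 256": "aes256gcm16",
}
ESP_AUTH = {
    "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
    "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512",
}


def _tokens(text):
    """Split 'esp-aes 256 esp-sha256-hmac' into ['esp-aes 256', 'esp-sha256-hmac'],
    gluing a key-size number onto the keyword that precedes it."""
    out = []
    for tok in text.split():
        if tok.isdigit() and out:
            out[-1] = f"{out[-1]} {tok}"
        else:
            out.append(tok)
    return out


def isakmp_policy_to_ike(policy_text):
    """Translate the body of one 'crypto isakmp policy' block into a strongSwan
    IKEv1 proposal such as '3des-sha256-modp1024'. IOS defaults (des, sha, group 1)
    apply when a line is absent, so an omitted line still yields a proposal."""
    encr, hash_, group = "des", "sha", "1"
    for line in policy_text.splitlines():
        parts = line.strip().split()
        if not parts:
            continue
        if parts[0] == "encryption":
            encr = " ".join(parts[1:])        # "aes 256" keeps its key size
        elif parts[0] == "hash":
            hash_ = parts[1]
        elif parts[0] == "group":
            group = parts[1]
    try:
        return f"{ISAKMP_ENCR[encr]}-{ISAKMP_HASH[hash_]}-{DH_GROUP[group]}"
    except KeyError as e:
        raise ValueError(f"unsupported isakmp keyword: {e}") from None


def transform_set_to_esp(transform_text, pfs_group=None):
    """Translate the algorithm part of 'crypto ipsec transform-set NAME ...' into a
    strongSwan ESP proposal. pfs_group is the crypto map's 'set pfs groupN' number;
    pass None when the map has no PFS (Cisco shows 'PFS (Y/N): N, DH group: none'),
    because a DH group in esp= would then never match the peer."""
    encr = auth = None
    for tok in _tokens(transform_text):
        if tok in ESP_ENCR:
            encr = ESP_ENCR[tok]
        elif tok in ESP_AUTH:
            auth = ESP_AUTH[tok]
        else:
            raise ValueError(f"unsupported transform keyword: {tok!r}")
    if encr is None:
        raise ValueError("transform-set has no ESP cipher")
    if "gcm" in encr:
        parts = [encr]                        # AEAD carries its own integrity check
    else:
        if auth is None:
            raise ValueError("non-AEAD transform-set needs an esp-*-hmac keyword")
        parts = [encr, auth]
    if pfs_group is not None:
        parts.append(DH_GROUP[str(pfs_group)])
    return "-".join(parts)


def ipsec_conf_proposals(ike, esp, strict=True):
    """Render the ipsec.conf lines. The trailing '!' makes strongSwan send only the
    listed proposal instead of appending its default set."""
    bang = "!" if strict else ""
    return f"keyexchange=ikev1\nike={ike}{bang}\nesp={esp}{bang}"


if __name__ == "__main__":
    # Constructed isakmp policy; the thread's Cisco output only shows the ESP side.
    policy = "encryption 3des\n hash sha256\n authentication pre-share\n group 2\n lifetime 86400"
    ike = isakmp_policy_to_ike(policy)
    esp = transform_set_to_esp("esp-3des esp-sha256-hmac", pfs_group=None)  # PFS (Y/N): N
    print(ipsec_conf_proposals(ike, esp))
```

The `ike=` half is the part the thread never settled: `show crypto isakmp policy` on the Cisco side is needed to know its encryption, hash and DH group, and a mismatch there produces exactly the NO_PROPOSAL_CHOSEN reply to the first Main Mode packet seen in the logs above, before the ESP transform-set is ever compared.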