12-03-2020 04:23 AM
I need an IKEv2 connection in transport mode between Strongswan and Cisco C819. Cisco is a responder and has a public IP. A device with Strongswan is an initiator and has a non-public IP (it is behind NAT). I got a TS_UNACCEPTABLE error. I think the reason is that remote = 176.102.144.34 and remote_proxy = 192.168.7.232 do not match. But I don't know the cause.
IKEv1 works. In this case, remote and remote_proxy match.
Cisco config:
crypto ikev2 proposal ike_v2_proposal
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy ike_v2_policy
proposal ike_v2_proposal
!
!
crypto ikev2 profile ike_v2_profile
match certificate ike_v2_certmap
identity local fqdn server.cisco
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint server.cisco
!
crypto ipsec transform-set gcm esp-gcm 256
mode transport
!
crypto ipsec profile ikev2
set transform-set gcm
set ikev2-profile ike_v2_profile
!
!
interface Tunnel11
ip address 192.168.234.1 255.255.255.0
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp network-id 1234
no ip nhrp record
no ip nhrp cache non-authoritative
ip ospf 1 area 0
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile ikev2
!
interface GigabitEthernet0
ip address 85.xx.xx.xx 255.255.255.240
ip access-group 101 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive
Cisco log:
*Dec 3 06:47:04.427: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Dec 3 06:47:04.427: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 3 06:47:04.427: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 3 06:47:04.427: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 20 hmac 0 flags 16370 keysize 256 IDB 0x0
*Dec 3 06:47:04.427: IPSEC(validate_proposal_request): proposal part #1
*Dec 3 06:47:04.427: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 85.xx.xx.xx:0, remote= 176.102.144.34:0,
local_proxy= 85.xx.xx.xx/255.255.255.255/47/0,
remote_proxy= 192.168.7.232/255.255.255.255/47/0,
protocol= ESP, transform= esp-gmac 256 (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 3 06:47:04.431: map_db_find_best did not find matching map
*Dec 3 06:47:04.431: IPSEC(ipsec_process_proposal): proxy identities not supported
*Dec 3 06:47:04.431: IKEv2:(SA ID = 1):There was no IPSEC policy found for received TS
*Dec 3 06:47:04.431: IKEv2:(SA ID = 1):
*Dec 3 06:47:04.431: IKEv2:(SA ID = 1):Sending TS unacceptable notify
Strongswan:
...
2020-12-03 09:01:20 charon: 07[IKE] authentication of 'server.cisco' with RSA signature successful
2020-12-03 09:01:20 charon: 07[IKE] IKE_SA ipsec1[1] established between 192.168.7.232[client@router]...85.xx.xx.xx[server.cisco]
2020-12-03 09:01:20 charon: 07[IKE] scheduling reauthentication in 2710s
2020-12-03 09:01:20 charon: 07[IKE] maximum IKE_SA lifetime 3250s
2020-12-03 09:01:20 charon: 07[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
2020-12-03 09:01:20 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
Connections:
ipsec1: IKEv2, reauthentication every 3060s, no rekeying
local: 0.0.0.0
remote: 85.xx.xx.xx
local public key authentication:
id: client@router
certs: C=CZ, ST=Czechia, O=Advantech, OU=Advantech CZ, CN=client@router
remote public key authentication:
id: server.cisco
certs: C=CZ, ST=Czechia, O=Advantech, OU=Advantech CZ, CN=server@cisco
ipsec1: TRANSPORT, rekeying every 3060s
local: dynamic[gre]
remote: dynamic[gre]
Security Associations:
ipsec1: #1, ESTABLISHED, IKEv2, cf73d614a1f87d19_i* 57d19a5c22eb571b_r
local 'client@router' @ 192.168.7.232[4500]
remote 'server.cisco' @ 85.xx.xx.xx[4500]
AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 8s ago, reauth in 2702s
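The IOS debug above already contains the clue (remote= 176.102.144.34 versus remote_proxy= 192.168.7.232); the following is an added parser, not code from the thread, that extracts the peer addresses, proxy identities and mode from that IOS "validate_proposal_request" block and reports the transport-mode/NAT mismatch. The sample input is the log text posted above, with the poster's masking kept.

```python
import re

# IOS IPsec proposal-validation debug, copied from the thread (public IP masked by the poster).
CISCO_DEBUG = """\
*Dec 3 06:47:04.427: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 85.xx.xx.xx:0, remote= 176.102.144.34:0,
local_proxy= 85.xx.xx.xx/255.255.255.255/47/0,
remote_proxy= 192.168.7.232/255.255.255.255/47/0,
protocol= ESP, transform= esp-gmac 256 (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 3 06:47:04.431: IPSEC(ipsec_process_proposal): proxy identities not supported
"""

PEER_RE = re.compile(r"\b(local|remote)= (\S+?):\d+")
PROXY_RE = re.compile(r"(local_proxy|remote_proxy)= (\S+?)/(\S+?)/(\d+)/(\d+)")
MODE_RE = re.compile(r"transform= (.+?) \((Transport|Tunnel)\)")


def parse_proposal(debug_text):
    """Return IKE peer addresses, proxy identities (traffic selectors) and IPsec mode."""
    info = {}
    for m in PEER_RE.finditer(debug_text):
        info[m.group(1)] = m.group(2)
    for m in PROXY_RE.finditer(debug_text):
        info[m.group(1)] = {"addr": m.group(2), "mask": m.group(3),
                            "proto": int(m.group(4)), "port": int(m.group(5))}
    m = MODE_RE.search(debug_text)
    if m:
        info["transform"], info["mode"] = m.group(1), m.group(2)
    # IOS rejected the proxy identities outright (the line that precedes TS_UNACCEPTABLE).
    info["rejected"] = "proxy identities not supported" in debug_text
    return info


def diagnose(info):
    """Explain a transport-mode TS_UNACCEPTABLE from the parsed proposal."""
    findings = []
    if info.get("mode") == "Transport":
        for side in ("local", "remote"):
            peer = info.get(side)
            ts = info.get(side + "_proxy", {}).get("addr")
            if peer and ts and peer != ts:
                findings.append(f"{side}: IKE peer address {peer} differs from "
                                f"transport-mode traffic selector {ts} (peer behind NAT)")
    if info.get("rejected"):
        findings.append("IOS rejected the proxy identities: no IPsec policy matches these TS")
    return findings
```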
12-03-2020 05:44 AM
Hello,
what if you add the line marked with "-->":
crypto ikev2 profile ike_v2_profile
match certificate ike_v2_certmap
--> match identity remote address 0.0.0.0
identity local fqdn server.cisco
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint server.cisco
12-03-2020 07:43 AM - edited 12-03-2020 07:43 AM
Hello,
unfortunately, still the same. The error remains.
!
crypto ikev2 profile ike_v2_profile
 match identity remote address 0.0.0.0
 match certificate ike_v2_certmap
 identity local fqdn server.cisco
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint server.cisco
!
12-03-2020 05:47 AM
Can I see the config of strongSwan?
12-03-2020 08:19 AM
Strongswan configuration is done via swanctl.conf
ipsec2 {
    local_addrs = 0.0.0.0
    remote_addrs = 85.xx.xx.xx
    local {
        id = client@router
        auth = rsa
        certs = local-cert2.pem
    }
    remote {
        id = server.cisco
        auth = rsa
        certs = remote-cert2.pem
    }
    children {
        ipsec2 {
            mode = transport
            local_ts = dynamic[47]
            remote_ts = dynamic[47]
            updown = /etc/scripts/updown
            life_time = 3600
            rekey_time = 3060
            rand_time = 540
            esp_proposals = aes256gcm128
            start_action = start
        }
    }
    unique = replace
    version = 2
    reauth_time = 3060
    rekey_time = 0
    over_time = 540
    rand_time = 540
    keyingtries = 0
    send_cert = always
    send_certreq = yes
    proposals = aes256-sha2_256-modp2048
}
09-20-2021 07:47 AM
Hi,
News? I have the same problem.
09-20-2021 10:57 AM
Hello,
you have a Cisco VPN to a Strongswan? Can you post your configs of both? Or are they identical to what is in the original post?
09-21-2021 12:25 AM
Hello Georg,
I have a Cisco VPN. But I have the same error "received TS_UNACCEPTABLE notify, no CHILD_SA built". The conf is a little different (my connection is with PSK). I am not sure if it is my Cisco conf or Strongswan.