IKEv2 Transport mode - TS unacceptable error

I need an IKEv2 connection in transport mode between Strongswan and Cisco C819. Cisco is a responder and has a public IP. A device with Strongswan is an initiator and has a non-public IP (it is behind NAT). I got a TS_UNACCEPTABLE error. I think the reason is that remote = 176.102.144.34 and remote_proxy = 192.168.7.232 do not match. But I don't know the cause.

IKEv1 works. In this case, remote and remote_proxy match.

Cisco config:

crypto ikev2 proposal ike_v2_proposal
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy ike_v2_policy
proposal ike_v2_proposal
!
!
crypto ikev2 profile ike_v2_profile
match certificate ike_v2_certmap
identity local fqdn server.cisco
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint server.cisco
!

crypto ipsec transform-set gcm esp-gcm 256
mode transport
!
crypto ipsec profile ikev2
set transform-set gcm
set ikev2-profile ike_v2_profile
!
!
interface Tunnel11
ip address 192.168.234.1 255.255.255.0
no ip redirects
ip nhrp authentication 1234
ip nhrp map multicast dynamic
ip nhrp network-id 1234
no ip nhrp record
no ip nhrp cache non-authoritative
ip ospf 1 area 0
tunnel source GigabitEthernet0
tunnel mode gre multipoint
tunnel key 1234
tunnel protection ipsec profile ikev2
!
interface GigabitEthernet0
ip address 85.xx.xx.xx 255.255.255.240
ip access-group 101 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no keepalive

Cisco log:

*Dec  3 06:47:04.427: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*Dec  3 06:47:04.427: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec  3 06:47:04.427: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec  3 06:47:04.427: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 20 hmac 0 flags 16370 keysize 256 IDB 0x0
*Dec  3 06:47:04.427: IPSEC(validate_proposal_request): proposal part #1
*Dec  3 06:47:04.427: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 85.xx.xx.xx:0, remote= 176.102.144.34:0,
    local_proxy= 85.xx.xx.xx/255.255.255.255/47/0,
    remote_proxy= 192.168.7.232/255.255.255.255/47/0,
    protocol= ESP, transform= esp-gmac 256  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec  3 06:47:04.431: map_db_find_best did not find matching map
*Dec  3 06:47:04.431: IPSEC(ipsec_process_proposal): proxy identities not supported
*Dec  3 06:47:04.431: IKEv2:(SA ID = 1):There was no IPSEC policy found for received TS

*Dec  3 06:47:04.431: IKEv2:(SA ID = 1):
*Dec  3 06:47:04.431: IKEv2:(SA ID = 1):Sending TS unacceptable notify

 Strongswan:

...
2020-12-03 09:01:20 charon: 07[IKE] authentication of 'server.cisco' with RSA signature successful 
2020-12-03 09:01:20 charon: 07[IKE] IKE_SA ipsec1[1] established between 192.168.7.232[client@router]...85.xx.xx.xx[server.cisco] 
2020-12-03 09:01:20 charon: 07[IKE] scheduling reauthentication in 2710s 
2020-12-03 09:01:20 charon: 07[IKE] maximum IKE_SA lifetime 3250s 
2020-12-03 09:01:20 charon: 07[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built 
2020-12-03 09:01:20 charon: 07[IKE] failed to establish CHILD_SA, keeping IKE_SA

Connections:

ipsec1: IKEv2, reauthentication every 3060s, no rekeying
  local:  0.0.0.0
  remote: 85.xx.xx.xx
  local public key authentication:
    id: client@router
    certs: C=CZ, ST=Czechia, O=Advantech, OU=Advantech CZ, CN=client@router
  remote public key authentication:
    id: server.cisco
    certs: C=CZ, ST=Czechia, O=Advantech, OU=Advantech CZ, CN=server@cisco
  ipsec1: TRANSPORT, rekeying every 3060s
    local:  dynamic[gre]
    remote: dynamic[gre]

Security Associations:

ipsec1: #1, ESTABLISHED, IKEv2, cf73d614a1f87d19_i* 57d19a5c22eb571b_r
  local  'client@router' @ 192.168.7.232[4500]
  remote 'server.cisco' @ 85.xx.xx.xx[4500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 8s ago, reauth in 2702s


Hello,

what if you add the line marked with "-->":

crypto ikev2 profile ike_v2_profile
match certificate ike_v2_certmap
--> match identity remote address 0.0.0.0
identity local fqdn server.cisco
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint server.cisco

Hello,

unfortunately, still the same. The error remains.

!
crypto ikev2 profile ike_v2_profile
 match identity remote address 0.0.0.0
 match certificate ike_v2_certmap
 identity local fqdn server.cisco
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint server.cisco
!

Can I see the config of Strongswan?

Strongswan configuration is done via swanctl.conf

ipsec2 {
  local_addrs = 0.0.0.0
  remote_addrs = 85.xx.xx.xx
  local {
    id = client@router
    auth = rsa
    certs = local-cert2.pem
  }
  remote {
    id = server.cisco
    auth = rsa
    certs = remote-cert2.pem
  }
  children {
    ipsec2 {
      mode = transport
      local_ts = dynamic[47]
      remote_ts = dynamic[47]
      updown = /etc/scripts/updown
      life_time = 3600
      rekey_time = 3060
      rand_time = 540
      esp_proposals = aes256gcm128
      start_action = start
    }
  }
  unique = replace
  version = 2
  reauth_time = 3060
  rekey_time = 0
  over_time = 540
  rand_time = 540
  keyingtries = 0
  send_cert = always
  send_certreq = yes
  proposals = aes256-sha2_256-modp2048
}

Hi,

Any news? I have the same problem.

Hello,

You have a Cisco VPN to a Strongswan? Can you post your configs of both? Or are they identical to what is in the original post?

Hello Georg,

I have a Cisco VPN, but I have the same error "received TS_UNACCEPTABLE notify, no CHILD_SA built". The conf is a little different (my connection is with PSK). I am not sure if it is my Cisco conf or Strongswan.