cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4776
Views
10
Helpful
9
Replies

IKEv2 with AES-GCM between Cisco and Strongswan

from88
Level 4
Level 4

Hello,

Cisco:

crypto ikev2 proposal IKEv2_PROPOSAL_STRONGSWAN 
encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
integrity sha1
group 2



crypto ikev2 policy IKEv2_POLICY_STRONGSWAN 
proposal IKEv2_PROPOSAL_STRONGSWAN

crypto ikev2 keyring IKEv2_KEYRING_STRONGSWAN
peer dcvpnl002prpny2
address 185.167.55.208
pre-shared-key local pass
pre-shared-key remote pass

crypto ikev2 profile IKEv2_PROFILE_STRONGSWAN
match identity remote address 185.167.55.208 255.255.255.255 
identity local address 37.157.77.10
authentication remote pre-share
authentication local pre-share
keyring local IKEv2_KEYRING_STRONGSWAN


crypto ipsec transform-set NY2_STRONGSWAN_TRANSFORM_SET esp-gcm 
mode tunnel


crypto ipsec profile NY2_STRONGSWAN_PROFILE
set transform-set NY2_STRONGSWAN_TRANSFORM_SET 
set pfs group2
set ikev2-profile IKEv2_PROFILE_STRONGSWAN



Strongswan side:

conn net-ntg
auto=start
type=tunnel
ike=aes-sha1-modp1024
esp=aes128gcm16-modp1024
left=185.167.55.208
leftid=185.167.55.208
leftfirewall=no
right=37.157.77.10
rightid=37.157.77.10
rightfirewall=no
keyexchange=ikev2
authby=psk


Im getting an error:

strongswan up net-ntg
parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed


but after few seconds, cisco side starts to initiate the session and it goes UP.

 

net-ntg[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{5}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: cca62d6e_i 591dcbd5_o
net-ntg{5}: AES_GCM_16_128/MODP_1024, 12341 bytes_i (167 pkts, 1s ago), 12457 bytes_o (170 pkts, 269s ago), rekeying in 33 minutes


The strange thing is, that it seems its OK when cisco starts to initiate. But when strongswan initites the NO_PROPOSAL_CHOSEN errors comes.

Any suggestions ?

Thanks

 

 

 

9 Replies 9

Hi,
I don't see PFS group 2 defined in the strongswan configuration. Add to the strongswan configuration or remove from the Cisco configuration and try again.

HTH

Thanks for fast reply, tried to remove from cisco. AFter that tried to restart IPSEC session.

 

Got the same result..

Please can you provide the output of the ikev2 debugs of the cisco router when Strongwan initiates the VPN and it fails.

please check this link:

 

https://pastebin.com/5eYrVBZc

 

i dont understand why im getting so much: 

"profile did not match," messages. Seems like Cisco dont understand proposals which strongswan are sending..

Unless it was a copy and paste error, you aren't referencing the IKEv2 Profile under the IPSec Profile


crypto ipsec profile NY2_STRONGSWAN_PROFILE
 crypto ikev2 profile IKEv2_PROFILE_STRONGSWAN

 

HTH

nice catch, it was a copy paste error, i edited the original post accordingly.

the same issue persists..

prod [root@dcvpnl002prpny2 ~]# strongswan up net-ntg
initiating IKE_SA net-ntg[23] to 37.157.77.10
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 185.167.55.208[500] to 37.157.77.10[500] (1172 bytes)
received packet: from 37.157.77.10[500] to 185.167.55.208[500] (390 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
received Cisco FlexVPN Supported vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
authentication of '185.167.55.208' (myself) with pre-shared key
establishing CHILD_SA net-ntg{1039}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 185.167.55.208[4500] to 37.157.77.10[4500] (428 bytes)
received packet: from 37.157.77.10[4500] to 185.167.55.208[4500] (140 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '37.157.77.10' with pre-shared key successful
IKE_SA net-ntg[23] established between 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
scheduling reauthentication in 9737s
maximum IKE_SA lifetime 10277s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed

 

even though it starts to work, when cisco initiates the connection:

 

prod [root@dcvpnl002prpny2 ~]# strongswan statusall net-ntg
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1062.4.3.el7.x86_64, x86_64):
uptime: 11 hours, since Nov 26 21:29:56 2019
malloc: sbrk 2813952, mmap 0, used 714704, free 2099248
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 16
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
185.167.164.251
10.254.33.13
10.254.33.11
185.167.164.249
10.130.11.249
10.130.11.245
10.130.11.253
10.130.11.241
Connections:
net-ntg: 185.167.55.208...37.157.77.10 IKEv2
net-ntg: local: [185.167.55.208] uses pre-shared key authentication
net-ntg: remote: [37.157.77.10] uses pre-shared key authentication
net-ntg: child: dynamic === dynamic TUNNEL
Security Associations (4 up, 0 connecting):
net-ntg[25]: ESTABLISHED 78 seconds ago, 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
net-ntg[25]: IKEv2 SPIs: d5ed3276ae8ad2e7_i f1f28c7369b1fce1_r*, pre-shared key reauthentication in 2 hours
net-ntg[25]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{1041}: INSTALLED, TUNNEL, reqid 15, ESP SPIs: c816b874_i c8736bbc_o
net-ntg{1041}: AES_GCM_16_128, 1894 bytes_i (18 pkts, 1s ago), 1396 bytes_o (18 pkts, 67s ago), rekeying in 44 minutes
net-ntg{1041}: 185.167.55.208/32[gre] === 37.157.77.10/32[gre]

 

 

 

Can you provide the output of "show crypto ikev2 sa detail" and "show interface <tunnel interface number>" when the tunnel is working. Can you also provide the configuration of the tunnel interfaces from both the cisco and strongswan devices.

Thank you for help.

 

I will update you next week, because now we've having black friday freeze

 

Thanks !!

nagrajk1969
Spotlight
Spotlight

 

Hi All

This reported issue is quite old and this is just in case, the reported issues are still being observed with similar ipsec peers

 

I think that the issue of tunnel not getting established when Strongswan-Peer is initiating the ike/ipsec tunnel (but works when Cisco initiates it) is mostly happening becos of the following reason(s):

 

1. On the Strongswan Peer

a) Check whether you have enabled "forceencaps=yes", if yes, then please disable it by deleting the option altogether

- i see that when initiated from Strongswan the IKE negotiation is switching to using port 4500, eventhough there is NO nat-router in between the Strongswan and Cisco Peers

- When Cisco initiates the ipsec tunnel, there is no NAT detected and therefore there is no NAT-T (udp-4500) applied. 

- So Since IKEv2 has built-in support for NAT-T included, the use of udp-4500/NAT-T will get trigerred automatically ONLY IF THERE IS REALLY A NAT-ROUTER IN-BETWEEN. So in this case there must be the explicit use of the option "forceencaps=yes" that must be resulting in the switch-over to udp-4500 when strongswan initiates the tunnel

- so just delete this option on strongswan peer

 

b) apply the algorithm proposals as below (include the exclamation mark)

----------------------------

ike=aes-sha1-modp1024!
esp=aes128gcm16-modp1024!

-----------------------------

c) Since this tunnel is a GRE-with-IPsec tunnel, add the below mentioned config to existing config on the strongswan peer:

-------------------------------

leftsubnet=185.167.55.208[gre]
rightsubnet=37.157.77.10[gre]
---------------------------

 

try out the above additions/changes to the Strongswan config, and hopefully this time it should work

 

thanks

 

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: