11-26-2019 12:11 PM - edited 11-26-2019 11:38 PM
Hello,
Cisco:
crypto ikev2 proposal IKEv2_PROPOSAL_STRONGSWAN
 encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
 integrity sha1
 group 2
crypto ikev2 policy IKEv2_POLICY_STRONGSWAN
 proposal IKEv2_PROPOSAL_STRONGSWAN
crypto ikev2 keyring IKEv2_KEYRING_STRONGSWAN
 peer dcvpnl002prpny2
  address 185.167.55.208
  pre-shared-key local pass
  pre-shared-key remote pass
crypto ikev2 profile IKEv2_PROFILE_STRONGSWAN
 match identity remote address 185.167.55.208 255.255.255.255
 identity local address 37.157.77.10
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING_STRONGSWAN
crypto ipsec transform-set NY2_STRONGSWAN_TRANSFORM_SET esp-gcm
 mode tunnel
crypto ipsec profile NY2_STRONGSWAN_PROFILE
 set transform-set NY2_STRONGSWAN_TRANSFORM_SET
 set pfs group2
 set ikev2-profile IKEv2_PROFILE_STRONGSWAN
Strongswan side:
conn net-ntg
    auto=start
    type=tunnel
    ike=aes-sha1-modp1024
    esp=aes128gcm16-modp1024
    left=185.167.55.208
    leftid=185.167.55.208
    leftfirewall=no
    right=37.157.77.10
    rightid=37.157.77.10
    rightfirewall=no
    keyexchange=ikev2
    authby=psk
I'm getting an error:
strongswan up net-ntg
parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed
but after a few seconds, the Cisco side starts to initiate the session and it goes UP.
net-ntg[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{5}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: cca62d6e_i 591dcbd5_o
net-ntg{5}: AES_GCM_16_128/MODP_1024, 12341 bytes_i (167 pkts, 1s ago), 12457 bytes_o (170 pkts, 269s ago), rekeying in 33 minutes
The strange thing is that it seems to be OK when Cisco initiates. But when strongSwan initiates, the NO_PROPOSAL_CHOSEN error comes.
Any suggestions?
Thanks
11-26-2019 12:16 PM
11-26-2019 12:33 PM
Thanks for the fast reply, tried to remove it from Cisco. After that tried to restart the IPsec session.
Got the same result.
11-26-2019 12:44 PM - edited 11-26-2019 12:44 PM
Please can you provide the output of the IKEv2 debugs of the Cisco router when strongSwan initiates the VPN and it fails.
11-26-2019 12:51 PM
Please check this link:
I don't understand why I'm getting so many
"profile did not match" messages. Seems like Cisco doesn't understand the proposals which strongSwan is sending..
11-26-2019 12:57 PM
Unless it was a copy and paste error, you aren't referencing the IKEv2 Profile under the IPSec Profile
crypto ipsec profile NY2_STRONGSWAN_PROFILE
crypto ikev2 profile IKEv2_PROFILE_STRONGSWAN
HTH
11-26-2019 11:47 PM
Nice catch, it was a copy-paste error, I edited the original post accordingly.
The same issue persists.
prod [root@dcvpnl002prpny2 ~]# strongswan up net-ntg
initiating IKE_SA net-ntg[23] to 37.157.77.10
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 185.167.55.208[500] to 37.157.77.10[500] (1172 bytes)
received packet: from 37.157.77.10[500] to 185.167.55.208[500] (390 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
received Cisco FlexVPN Supported vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
authentication of '185.167.55.208' (myself) with pre-shared key
establishing CHILD_SA net-ntg{1039}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 185.167.55.208[4500] to 37.157.77.10[4500] (428 bytes)
received packet: from 37.157.77.10[4500] to 185.167.55.208[4500] (140 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '37.157.77.10' with pre-shared key successful
IKE_SA net-ntg[23] established between 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
scheduling reauthentication in 9737s
maximum IKE_SA lifetime 10277s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed
Even though it starts to work when Cisco initiates the connection:
prod [root@dcvpnl002prpny2 ~]# strongswan statusall net-ntg
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1062.4.3.el7.x86_64, x86_64):
  uptime: 11 hours, since Nov 26 21:29:56 2019
  malloc: sbrk 2813952, mmap 0, used 714704, free 2099248
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 16
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
  185.167.164.251
  10.254.33.13
  10.254.33.11
  185.167.164.249
  10.130.11.249
  10.130.11.245
  10.130.11.253
  10.130.11.241
Connections:
     net-ntg:  185.167.55.208...37.157.77.10  IKEv2
     net-ntg:   local:  [185.167.55.208] uses pre-shared key authentication
     net-ntg:   remote: [37.157.77.10] uses pre-shared key authentication
     net-ntg:   child:  dynamic === dynamic TUNNEL
Security Associations (4 up, 0 connecting):
     net-ntg[25]: ESTABLISHED 78 seconds ago, 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
     net-ntg[25]: IKEv2 SPIs: d5ed3276ae8ad2e7_i f1f28c7369b1fce1_r*, pre-shared key reauthentication in 2 hours
     net-ntg[25]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
     net-ntg{1041}:  INSTALLED, TUNNEL, reqid 15, ESP SPIs: c816b874_i c8736bbc_o
     net-ntg{1041}:  AES_GCM_16_128, 1894 bytes_i (18 pkts, 1s ago), 1396 bytes_o (18 pkts, 67s ago), rekeying in 44 minutes
     net-ntg{1041}:   185.167.55.208/32[gre] === 37.157.77.10/32[gre]
11-27-2019 10:39 AM
11-29-2019 08:12 AM
Thank you for help.
I will update you next week, because now we're having a Black Friday freeze.
Thanks!!
07-28-2021 05:58 AM
Hi All
This reported issue is quite old and this is just in case the reported issues are still being observed with similar IPsec peers.
I think that the issue of the tunnel not getting established when the strongSwan peer is initiating the IKE/IPsec tunnel (but works when Cisco initiates it) is mostly happening because of the following reason(s):
1. On the strongSwan peer
a) Check whether you have enabled "forceencaps=yes"; if yes, then please disable it by deleting the option altogether
- I see that when initiated from strongSwan the IKE negotiation is switching to using port 4500, even though there is NO NAT router in between the strongSwan and Cisco peers
- When Cisco initiates the IPsec tunnel, there is no NAT detected and therefore there is no NAT-T (UDP 4500) applied.
- So since IKEv2 has built-in support for NAT-T included, the use of UDP 4500/NAT-T will get triggered automatically ONLY IF THERE IS REALLY A NAT ROUTER IN BETWEEN. So in this case there must be explicit use of the option "forceencaps=yes" that must be resulting in the switch-over to UDP 4500 when strongSwan initiates the tunnel
- so just delete this option on the strongSwan peer
b) Apply the algorithm proposals as below (include the exclamation mark)
----------------------------
ike=aes-sha1-modp1024!
esp=aes128gcm16-modp1024!
-----------------------------
c) Since this tunnel is a GRE-with-IPsec tunnel, add the config below to the existing config on the strongSwan peer:
-------------------------------
leftsubnet=185.167.55.208[gre]
rightsubnet=37.157.77.10[gre]
---------------------------
Try out the above additions/changes to the strongSwan config, and hopefully this time it should work
thanks