Participant

IKEv2 with AES-GCM between Cisco and Strongswan

Hello,

Cisco:

crypto ikev2 proposal IKEv2_PROPOSAL_STRONGSWAN 
encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
integrity sha1
group 2



crypto ikev2 policy IKEv2_POLICY_STRONGSWAN 
proposal IKEv2_PROPOSAL_STRONGSWAN

crypto ikev2 keyring IKEv2_KEYRING_STRONGSWAN
peer dcvpnl002prpny2
address 185.167.55.208
pre-shared-key local pass
pre-shared-key remote pass

crypto ikev2 profile IKEv2_PROFILE_STRONGSWAN
match identity remote address 185.167.55.208 255.255.255.255 
identity local address 37.157.77.10
authentication remote pre-share
authentication local pre-share
keyring local IKEv2_KEYRING_STRONGSWAN


crypto ipsec transform-set NY2_STRONGSWAN_TRANSFORM_SET esp-gcm 
mode tunnel


crypto ipsec profile NY2_STRONGSWAN_PROFILE
set transform-set NY2_STRONGSWAN_TRANSFORM_SET 
set pfs group2
set ikev2-profile IKEv2_PROFILE_STRONGSWAN



Strongswan side:

conn net-ntg
auto=start
type=tunnel
ike=aes-sha1-modp1024
esp=aes128gcm16-modp1024
left=185.167.55.208
leftid=185.167.55.208
leftfirewall=no
right=37.157.77.10
rightid=37.157.77.10
rightfirewall=no
keyexchange=ikev2
authby=psk


I'm getting an error:

strongswan up net-ntg
parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed


but after a few seconds the Cisco side starts to initiate the session and it goes UP.


net-ntg[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{5}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: cca62d6e_i 591dcbd5_o
net-ntg{5}: AES_GCM_16_128/MODP_1024, 12341 bytes_i (167 pkts, 1s ago), 12457 bytes_o (170 pkts, 269s ago), rekeying in 33 minutes


The strange thing is that it seems to be OK when Cisco initiates. But when strongSwan initiates, the NO_PROPOSAL_CHOSEN error comes.

Any suggestions?

Thanks

8 REPLIES

RJI (VIP Advisor)

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Hi,
I don't see PFS group 2 defined in the strongswan configuration. Add to the strongswan configuration or remove from the Cisco configuration and try again.

HTH
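
The two configurations quoted in the question, and the PFS point made in the reply above, are both questions of whether the proposal sets intersect. As an added example (not code from the original post, from Cisco or from the strongSwan project), the script below maps the keyword spellings of both sides onto the transform names charon prints in its log and reports what the two sides can offer each other, including the case where only one side carries a DH/PFS group. The keyword tables are an assumption covering the keywords used in this thread plus a few common neighbours, not the vendors' full lists; anything unrecognised is flagged rather than guessed.

```python
"""Proposal-intersection check for the IKEv2 and ESP pairs in this thread.
Added example, not code from the original post, from Cisco or from strongSwan.
It maps both vendors' keywords onto the transform names charon logs (e.g.
AES_CBC_128/HMAC_SHA1_96/MODP_1024) and reports what both sides can offer.
The keyword tables are an assumption: the thread's keywords plus a few common
neighbours; anything else is flagged rather than guessed.  PRF is not modelled
(IOS defaults it to the integrity algorithm; strongSwan derives it likewise)."""

TYPES = ("ENCR", "INTEG", "DH")
AEAD = {"AES_GCM_16_128", "AES_GCM_16_256"}  # AEAD: no separate INTEG transform

# strongSwan ike=/esp= keywords; plain "aes" is AES-CBC-128, "sha1" is HMAC-SHA1-96.
SWAN = {"aes": ("ENCR", "AES_CBC_128"), "aes128": ("ENCR", "AES_CBC_128"),
        "aes192": ("ENCR", "AES_CBC_192"), "aes256": ("ENCR", "AES_CBC_256"),
        "aes128gcm16": ("ENCR", "AES_GCM_16_128"), "aes256gcm16": ("ENCR", "AES_GCM_16_256"),
        "sha1": ("INTEG", "HMAC_SHA1_96"), "sha256": ("INTEG", "HMAC_SHA2_256_128"),
        "modp1024": ("DH", "MODP_1024"), "modp2048": ("DH", "MODP_2048"), "ecp256": ("DH", "ECP_256")}
# Cisco IOS keywords from "crypto ikev2 proposal", "crypto ipsec transform-set" and
# "set pfs".  A bare "esp-gcm" is 128-bit on IOS; the DH group is "group 2" in a
# proposal and "pfs group2" in an ipsec profile, so both spellings are accepted.
CISCO = {"aes-cbc-128": ("ENCR", "AES_CBC_128"), "aes-cbc-192": ("ENCR", "AES_CBC_192"),
         "aes-cbc-256": ("ENCR", "AES_CBC_256"), "esp-aes": ("ENCR", "AES_CBC_128"),
         "esp-gcm": ("ENCR", "AES_GCM_16_128"), "esp-sha-hmac": ("INTEG", "HMAC_SHA1_96"),
         "sha1": ("INTEG", "HMAC_SHA1_96"), "sha256": ("INTEG", "HMAC_SHA2_256_128"),
         "2": ("DH", "MODP_1024"), "group2": ("DH", "MODP_1024"), "14": ("DH", "MODP_2048"),
         "group14": ("DH", "MODP_2048"), "19": ("DH", "ECP_256"), "group19": ("DH", "ECP_256")}
IOS_NOISE = {"encryption", "integrity", "group", "set", "pfs", "mode", "tunnel"}


def empty():
    return {t: set() for t in TYPES + ("UNKNOWN",)}


def parse_strongswan(spec):
    """'aes-sha1-modp1024,aes256-sha256-modp2048' -> one transform dict per proposal."""
    proposals = []
    for prop in spec.split(","):
        p = empty()
        for kw in prop.strip().split("-"):
            t, name = SWAN.get(kw, ("UNKNOWN", kw))
            p[t].add(name)
        proposals.append(p)
    return proposals


def parse_cisco(lines):
    """Algorithm lines of one proposal / transform-set / 'set pfs' -> one transform
    dict; IOS accepts any listed value of each type, so a union is the right model."""
    p, tokens, i = empty(), lines.split(), 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "prf":                      # not modelled: skip "prf <alg>"
            i += 2
            continue
        if tok not in IOS_NOISE:
            t, name = CISCO.get(tok, ("UNKNOWN", tok))
            p[t].add(name)
        i += 1
    return p


def agree(a, b):
    """Transforms both sides offer, and the first reason they cannot agree (None if they can)."""
    common = {t: a[t] & b[t] for t in TYPES}
    unknown = a["UNKNOWN"] | b["UNKNOWN"]
    if unknown:
        return common, f"unrecognised keywords {sorted(unknown)}; extend the tables first"
    if not common["ENCR"]:
        return common, "no common encryption algorithm"
    # INTEG is only negotiated with a non-AEAD cipher; if the only common ciphers
    # are AEAD the responder can still pick one of those.
    if not common["ENCR"] <= AEAD and not common["INTEG"]:
        if not common["ENCR"] & AEAD:
            return common, "no common integrity algorithm"
        common["ENCR"] &= AEAD
    if bool(a["DH"]) != bool(b["DH"]):
        return common, "DH/PFS group offered by one side only"
    if a["DH"] and not common["DH"]:
        return common, "no common DH group"
    return common, None


def check(swan_spec, cisco_lines):
    """First strongSwan proposal the Cisco side accepts -> (common, None); else (None, reasons)."""
    cisco, reasons = parse_cisco(cisco_lines), []
    for p in parse_strongswan(swan_spec):
        common, why = agree(p, cisco)
        if why is None:
            return common, None
        reasons.append(why)
    return None, reasons


def fmt(common):
    """Render the way charon does: AES_CBC_128/HMAC_SHA1_96/MODP_1024."""
    return "/".join("|".join(sorted(common[t])) for t in TYPES if common[t])


# Algorithm lines copied from the two configurations in the thread.
THREAD_IKE = ("aes-sha1-modp1024",
              "encryption aes-cbc-256 aes-cbc-128 aes-cbc-192\nintegrity sha1\ngroup 2")
THREAD_ESP = ("aes128gcm16-modp1024", "esp-gcm\nmode tunnel\nset pfs group2")

if __name__ == "__main__":
    for label, pair in (("IKE", THREAD_IKE), ("ESP", THREAD_ESP)):
        common, reasons = check(*pair)
        print(label, fmt(common) if common else reasons)
    # Constructed mismatch: a CBC+HMAC transform-set against the GCM-only esp= line.
    print("ESP mismatch", check("aes128gcm16-modp1024", "esp-aes esp-sha-hmac\nset pfs group2")[1])
```

Run as a script it reports AES_CBC_128/HMAC_SHA1_96/MODP_1024 for IKE and AES_GCM_16_128/MODP_1024 for ESP, the same pair the statusall output later in the thread shows once Cisco initiates. On paper the algorithm sets of the two configurations agree, which is consistent with the thread moving on to the IKEv2 profile and tunnel-interface questions rather than the cipher list.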
Participant

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Thanks for the fast reply. I tried to remove it from the Cisco. After that I tried to restart the IPsec session.

Got the same result.

RJI (VIP Advisor)

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Please can you provide the output of the IKEv2 debugs of the Cisco router when strongSwan initiates the VPN and it fails.

Participant

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Please check this link:

https://pastebin.com/5eYrVBZc

I don't understand why I'm getting so many "profile did not match" messages. It seems like Cisco doesn't understand the proposals which strongSwan is sending.

RJI (VIP Advisor)

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Unless it was a copy and paste error, you aren't referencing the IKEv2 profile under the IPsec profile

crypto ipsec profile NY2_STRONGSWAN_PROFILE
 set ikev2-profile IKEv2_PROFILE_STRONGSWAN

HTH

Participant

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Nice catch, it was a copy-paste error; I edited the original post accordingly.

The same issue persists.

prod [root@dcvpnl002prpny2 ~]# strongswan up net-ntg
initiating IKE_SA net-ntg[23] to 37.157.77.10
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 185.167.55.208[500] to 37.157.77.10[500] (1172 bytes)
received packet: from 37.157.77.10[500] to 185.167.55.208[500] (390 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
received Cisco FlexVPN Supported vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
authentication of '185.167.55.208' (myself) with pre-shared key
establishing CHILD_SA net-ntg{1039}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 185.167.55.208[4500] to 37.157.77.10[4500] (428 bytes)
received packet: from 37.157.77.10[4500] to 185.167.55.208[4500] (140 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '37.157.77.10' with pre-shared key successful
IKE_SA net-ntg[23] established between 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
scheduling reauthentication in 9737s
maximum IKE_SA lifetime 10277s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed

even though it starts to work when Cisco initiates the connection:


prod [root@dcvpnl002prpny2 ~]# strongswan statusall net-ntg
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1062.4.3.el7.x86_64, x86_64):
uptime: 11 hours, since Nov 26 21:29:56 2019
malloc: sbrk 2813952, mmap 0, used 714704, free 2099248
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 16
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
185.167.164.251
10.254.33.13
10.254.33.11
185.167.164.249
10.130.11.249
10.130.11.245
10.130.11.253
10.130.11.241
Connections:
net-ntg: 185.167.55.208...37.157.77.10 IKEv2
net-ntg: local: [185.167.55.208] uses pre-shared key authentication
net-ntg: remote: [37.157.77.10] uses pre-shared key authentication
net-ntg: child: dynamic === dynamic TUNNEL
Security Associations (4 up, 0 connecting):
net-ntg[25]: ESTABLISHED 78 seconds ago, 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
net-ntg[25]: IKEv2 SPIs: d5ed3276ae8ad2e7_i f1f28c7369b1fce1_r*, pre-shared key reauthentication in 2 hours
net-ntg[25]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{1041}: INSTALLED, TUNNEL, reqid 15, ESP SPIs: c816b874_i c8736bbc_o
net-ntg{1041}: AES_GCM_16_128, 1894 bytes_i (18 pkts, 1s ago), 1396 bytes_o (18 pkts, 67s ago), rekeying in 44 minutes
net-ntg{1041}: 185.167.55.208/32[gre] === 37.157.77.10/32[gre]
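
The two charon excerpts in this thread fail in different exchanges: the first in CREATE_CHILD_SA, the second in IKE_AUTH after the IKE_SA is already established and the peer has authenticated. As an added example (not part of the post and not strongSwan code), the script below reads the lines charon prints and states where the rejection happened, which decides what to compare next. The sample log lines embedded in it are copied from the excerpts above.

```python
"""Triage a charon (strongSwan) log for where NO_PROPOSAL_CHOSEN arrived.
Added example, not from the original post or the strongSwan project.  It reads
only what charon itself prints ("parsed <EXCHANGE> response N [ ... ]",
"selected proposal:", "IKE_SA ... established") and says in which exchange the
responder rejected the proposal, which decides what to compare next."""
import re

PARSED = re.compile(r"parsed (\w+) response \d+ \[ (.*) \]")
SELECTED = re.compile(r"selected proposal: (\S+)")
ESTABLISHED = re.compile(r"IKE_SA \S+ established")


def triage(log_text):
    """-> dict(ike_proposal, ike_established, rejected_in, payloads) for the last NO_PROP seen."""
    t = {"ike_proposal": None, "ike_established": False, "rejected_in": None, "payloads": None}
    for line in log_text.splitlines():
        m = SELECTED.search(line)
        if m:
            t["ike_proposal"] = m.group(1)
        if ESTABLISHED.search(line):
            t["ike_established"] = True
        m = PARSED.search(line)
        if m and "N(NO_PROP)" in m.group(2):
            t["rejected_in"], t["payloads"] = m.group(1), m.group(2).split()
    return t


def verdict(t):
    """One-line reading of a triage result."""
    where = t["rejected_in"]
    if where is None:
        return "no NO_PROPOSAL_CHOSEN seen"
    if where == "IKE_SA_INIT":
        return "IKE proposal rejected: compare ike= with the crypto ikev2 proposal"
    if where == "IKE_AUTH" and t["ike_established"]:
        # RFC 7296 2.17: the CHILD_SA set up inside IKE_AUTH keys from SK_d and does
        # no D-H of its own, so the PFS group is not what was rejected here.
        return (f"IKE agreed ({t['ike_proposal']}); the first CHILD_SA was rejected in IKE_AUTH: "
                "compare esp= with the transform-set and how the responder matched the profile")
    if where == "CREATE_CHILD_SA":
        return "CHILD_SA rejected in CREATE_CHILD_SA: compare esp= with the transform-set and PFS group"
    return f"unexpected combination: {t}"


# Log lines copied from the two excerpts in this thread.
SAMPLE_IKE_AUTH = """\
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
establishing CHILD_SA net-ntg{1039}
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
IKE_SA net-ntg[23] established between 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""
SAMPLE_REKEY = """\
parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

if __name__ == "__main__":
    for s in (SAMPLE_IKE_AUTH, SAMPLE_REKEY):
        print(verdict(triage(s)))
```

The distinction matters for the PFS suggestion made earlier in the thread: a rejection inside IKE_AUTH, with the IKE_SA already established, cannot be a DH group mismatch on the CHILD_SA, because that first CHILD_SA proposal carries no DH transform; a rejection in CREATE_CHILD_SA can be.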

RJI (VIP Advisor)

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Can you provide the output of "show crypto ikev2 sa detail" and "show interface <tunnel interface number>" when the tunnel is working. Can you also provide the configuration of the tunnel interfaces from both the cisco and strongswan devices.
Participant

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Thank you for the help.

I will update you next week, because now we're having a Black Friday freeze.

Thanks!
