12-26-2018 03:34 PM - edited 02-21-2020 09:32 PM
I'm looking for help with figuring out why the IPsec connection does not work. I'm trying to establish a secure GRE tunnel between a Cisco router (DMVPN) and a custom NHRP client + strongSwan.
Here's my Cisco config (relevant portions anyway):
(...)
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 2
!
crypto ikev2 policy IKEPOLICYLOCAL
 match fvrf any
 match address local 192.168.200.1
 proposal ikev2-proposal
!
crypto ikev2 keyring KEYRING
 peer any
  address 0.0.0.0 0.0.0.0
  pre-shared-key secret
 !
 peer 192.168.200.2
  address 192.168.200.2
  pre-shared-key secret
 !
!
!
crypto ikev2 profile IKEPROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key secret address 0.0.0.0
!
!
crypto ipsec transform-set transform-gre esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set transform-gre-transport esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSECPROFILE
 set transform-set TS
 set ikev2-profile IKEPROFILE
!
!
crypto ipsec profile dmvpn-protect3
 set transform-set transform-gre-transport
!
!
!
!
!
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network broadcast
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSECPROFILE
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 duplex auto
 speed auto
!
(...)
Here's the strongSwan config that is being produced (swanctl.conf):
connections {
    XXX {
        local_addrs = 192.168.200.2
        remote_addrs = 192.168.200.1
        proposals = default
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            XXX {
                esp_proposals = default
                #esp_proposals = aes128-sha256
                rekey_time = 10m
                mode = transport
            }
        }
        version = 2
        mobike = no
    }
}
secrets {
    ike-XXX {
        secret = secret
    }
}
The result of swanctl --initiate --child XXX is:
Router#
*Dec 26 22:35:07.691: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.200.1, src_addr= 192.168.200.2, prot= 47
*Dec 26 22:35:08.495: IKEv2:Received Packet [From 192.168.200.2:500/To 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)
*Dec 26 22:35:08.495: IKEv2:(SESSION ID = 9,SA ID = 1):Verify SA init message
*Dec 26 22:35:08.495: IKEv2:(SESSION ID = 9,SA ID = 1):Insert SA
*Dec 26 22:35:08.495: IKEv2:Searching Policy with fvrf 0, local address 192.168.200.1
*Dec 26 22:35:08.495: IKEv2:Using the Default Policy for Proposal
*Dec 26 22:35:08.495: IKEv2:Found Policy 'default'
*Dec 26 22:35:08.495: IKEv2:(SESSION ID = 9,SA ID = 1):Processing IKE_SA_INIT message
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):: The peer's KE payload contained the wrong DH group
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Sending invalid ke notification, peer sent group 19, local policy prefers group 2
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Sending Packet [To 192.168.200.2:500/From 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Failed SA init exchange
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Initial exchange failed: Initial exchange failed
*Dec 26 22:35:08.503: IKEv2:(SESSION ID = 9,SA ID = 1):Abort exchange
*Dec 26 22:35:08.503: IKEv2:(SESSION ID = 9,SA ID = 1):Deleting SA
*Dec 26 22:35:08.507: IKEv2:Received Packet [From 192.168.200.2:500/To 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):Verify SA init message
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):Insert SA
*Dec 26 22:35:08.507: IKEv2:Searching Policy with fvrf 0, local address 192.168.200.1
*Dec 26 22:35:08.507: IKEv2:Using the Default Policy for Proposal
*Dec 26 22:35:08.507: IKEv2:Found Policy 'default'
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):Processing IKE_SA_INIT message
*Dec 26 22:35:08.507: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 26 22:35:08.507: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Dec 26 22:35:08.507: IKEv2:Failed to retrieve Certificate Issuer list
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Dec 26 22:35:08.507: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):Request queued for computation of DH key
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Request queued for computation of DH secret
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 26 22:35:08.535: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Generating IKE_SA_INIT message
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_1024_MODP/Group 2
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Dec 26 22:35:08.535: IKEv2:Failed to retrieve Certificate Issuer list
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Sending Packet [To 192.168.200.2:500/From 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : DF46102669005D56 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Completed SA init exchange
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Received Packet [From 192.168.200.2:4500/To 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : DF46102669005D56 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi AUTH NOTIFY(USE_TRANSPORT_MODE) NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr NOTIFY(Unknown - 16396) NOTIFY(Unknown - 16397) NOTIFY(Unknown - 16397) NOTIFY(Unknown - 16417) NOTIFY(Unknown - 16420)
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Stopping timer to wait for auth message
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Checking NAT discovery
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):NAT detected float to init port 4500, resp port 4500
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Searching policy based on peer's identity '192.168.200.2' of type 'IPv4 address'
*Dec 26 22:35:08.543: IKEv2:found matching IKEv2 profile 'IKEPROFILE'
*Dec 26 22:35:08.543: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 26 22:35:08.543: IKEv2:% Matched peer block '192.168.200.2'
*Dec 26 22:35:08.543: IKEv2:Searching Policy with fvrf 0, local address 192.168.200.1
*Dec 26 22:35:08.543: IKEv2:Using the Default Policy for Proposal
*Dec 26 22:35:08.543: IKEv2:Found Policy 'default'
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Verify peer's policy
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Peer's policy verified
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Get peer's authentication method
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Peer's authentication method is 'PSK'
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Get peer's preshared key for 192.168.200.2
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Verify peer's authentication data
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Use preshared key for id 192.168.200.2, key len 6
*Dec 26 22:35:08.543: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 26 22:35:08.543: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 26 22:35:08.547: IKEv2:(SESSION ID = 10,SA ID = 1):Processing IKE_AUTH message
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 5 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 6 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 7 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 2 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 0 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 1 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 5 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 6 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 7 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 2 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 0 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 1 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 6 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 7 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 2 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 0 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 12 hmac 1 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 3 hmac 5 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 3 hmac 6 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 3 hmac 7 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 3 hmac 2 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 3 hmac 0 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 3 hmac 1 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.555: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 0 hmac 5 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.555: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 0 hmac 6 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.555: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 0 hmac 7 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.555: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 0 hmac 2 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.559: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 0 hmac 0 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.559: IKEv2:KMI/verify policy/sending to IPSec:
prot: 3 txfm: 0 hmac 1 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.563: IKEv2:(SESSION ID = 10,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA256 SHA384 SHA512 SHA96 AES XCBC 96 MD596 Don't use ESN
*Dec 26 22:35:08.571:
*Dec 26 22:35:08.571:
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):Expected Policies: : Failed to find a matching policy
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):: Failed to find a matching policy
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):Sending no proposal chosen notify
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):Get my authentication method
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):My authentication method is 'PSK'
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Get peer's preshared key for 192.168.200.2
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Generate my authentication data
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Use preshared key for id 192.168.200.1, key len 6
*Dec 26 22:35:08.575: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 26 22:35:08.575: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Get my authentication method
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):My authentication method is 'PSK'
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Generating IKE_AUTH message
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Constructing IDr payload: '192.168.200.1' of type 'IPv4 address'
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Sending Packet [To 192.168.200.2:4500/From 192.168.200.1:4500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : DF46102669005D56 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Session with IKE ID PAIR (192.168.200.2, 192.168.200.1) is UP
*Dec 26 22:35:08.575: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):No duplicate IKEv2 SA found
*Dec 26 22:35
I simply don't get it. It appears that the correct policy is already there and that everything should work. The error message I see does not instantly point to what the problem could be. Or does it?
I would really appreciate help with this.
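As an added example (not part of the original post or of any reply), here is a small Python triage script that reads IOS IKEv2 debug output like the one above and reports the stage at which the negotiation stopped. It keys on message strings that appear verbatim in the debug above: the %CRYPTO-4-RECVD_PKT_NOT_IPSEC syslog for cleartext GRE (protocol 47), "Found Policy 'default'" (the router fell back to its built-in default IKEv2 policy rather than a configured one, which is why group 2 was negotiated even though IKEPOLICYLOCAL's proposal lists group 14 first), the INVALID_KE_PAYLOAD line with "peer sent group N, local policy prefers group M", the "Completed SA init exchange" and "authentication data PASSED" milestones, and "Failed to find a matching policy" followed by the NO_PROPOSAL_CHOSEN notify in IKE_AUTH. The sample lines are excerpted from the debug in the post; the notify-number table covers only the four values I am certain of, and the wording of the findings is mine.

```python
import re

# Constructed sample: lines excerpted from the debug output in the post, enough to exercise every rule.
SAMPLE_LOG = """\
*Dec 26 22:35:07.691: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.200.1, src_addr= 192.168.200.2, prot= 47
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)
*Dec 26 22:35:08.495: IKEv2:Using the Default Policy for Proposal
*Dec 26 22:35:08.495: IKEv2:Found Policy 'default'
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Sending invalid ke notification, peer sent group 19, local policy prefers group 2
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Completed SA init exchange
IDi AUTH NOTIFY(USE_TRANSPORT_MODE) NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr NOTIFY(Unknown - 16396) NOTIFY(Unknown - 16397)
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 26 22:35:08.563: IKEv2:(SESSION ID = 10,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA256 SHA384 SHA512 SHA96 AES XCBC 96 MD596 Don't use ESN
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):Sending no proposal chosen notify
"""

# Notify types IOS prints as "Unknown - N" (IANA IKEv2 Notify Message Types). Partial table:
# only values I am certain of; anything else is left numeric.
NOTIFY_NAMES = {
    16396: "MOBIKE_SUPPORTED",               # RFC 4555
    16397: "ADDITIONAL_IP4_ADDRESS",         # RFC 4555
    16430: "IKEV2_FRAGMENTATION_SUPPORTED",  # RFC 7383
    16431: "SIGNATURE_HASH_ALGORITHMS",      # RFC 7427
}
# MODP groups below 2048 bits (group -> modulus size); IOS's built-in default policy still prefers group 2
WEAK_MODP_GROUPS = {1: 768, 2: 1024, 5: 1536}

RE_CLEARTEXT = re.compile(r"%CRYPTO-4-RECVD_PKT_NOT_IPSEC:.*src_addr= (\S+), prot= (\d+)")
RE_POLICY = re.compile(r"IKEv2:Found Policy '([^']+)'")
RE_DH = re.compile(r"peer sent group (\d+), local policy prefers group (\d+)")
RE_INIT_OK = re.compile(r"Completed SA init exchange")
RE_AUTH_OK = re.compile(r"Verification of peer's authen(?:c)?tication data PASSED")  # IOS misspells it
RE_ESP_OFFER = re.compile(r"ESP: Proposal \d+: (.+?)(?: Don't use ESN)?\s*$")
RE_NO_PROPOSAL = re.compile(r"Sending no proposal chosen notify")
RE_UNKNOWN_NOTIFY = re.compile(r"NOTIFY\(Unknown - (\d+)\)")


def decode_notifies(line):
    """Replace IOS's 'Unknown - N' notify names with IANA names where the table knows them."""
    return RE_UNKNOWN_NOTIFY.sub(
        lambda m: "NOTIFY(%s)" % NOTIFY_NAMES.get(int(m.group(1)), "Unknown - " + m.group(1)), line)


def triage(log_text):
    """Walk an IKEv2 debug capture and report where the negotiation stopped and why."""
    r = {"cleartext_sources": [], "policy": None, "dh_mismatch": None, "ike_sa_init": False,
         "auth": False, "esp_offered": [], "child_sa_rejected": False,
         "unknown_notifies": set(), "findings": []}
    for line in log_text.splitlines():
        m = RE_CLEARTEXT.search(line)
        if m and m.group(2) == "47" and m.group(1) not in r["cleartext_sources"]:
            r["cleartext_sources"].append(m.group(1))
        m = RE_POLICY.search(line)
        if m:
            r["policy"] = m.group(1)
        m = RE_DH.search(line)
        if m:
            r["dh_mismatch"] = (int(m.group(1)), int(m.group(2)))
        if RE_INIT_OK.search(line):
            r["ike_sa_init"] = True
        if RE_AUTH_OK.search(line):
            r["auth"] = True
        m = RE_ESP_OFFER.search(line)
        if m:
            r["esp_offered"] = m.group(1).split()  # IOS prints some names with spaces ("AES XCBC 96")
        if RE_NO_PROPOSAL.search(line):
            r["child_sa_rejected"] = True
        for n in RE_UNKNOWN_NOTIFY.findall(line):
            r["unknown_notifies"].add(NOTIFY_NAMES.get(int(n), "Unknown - " + n))

    if r["cleartext_sources"]:
        r["findings"].append("unencrypted GRE from %s reached the tunnel endpoint, i.e. the peer sent GRE "
                             "without an IPsec SA" % ", ".join(r["cleartext_sources"]))
    if r["policy"] == "default":
        r["findings"].append("router selected its built-in 'default' IKEv2 policy, not a configured one; "
                             "compare with 'show crypto ikev2 policy'")
    if r["dh_mismatch"]:
        peer, local = r["dh_mismatch"]
        msg = "IKE_SA_INIT restarted: peer's KE used group %d, router wants group %d" % (peer, local)
        if local in WEAK_MODP_GROUPS:
            msg += " (MODP-%d, below 2048 bits; prefer group 14 or higher)" % WEAK_MODP_GROUPS[local]
        r["findings"].append(msg)

    if not r["ike_sa_init"]:
        r["stage"] = "IKE_SA_INIT"
    elif not r["auth"]:
        r["stage"] = "IKE_AUTH"
    elif r["child_sa_rejected"]:
        r["stage"] = "CHILD_SA"
        r["findings"].append("IKE SA authenticated but the CHILD_SA got NO_PROPOSAL_CHOSEN; ESP offer was '%s': "
                             "check it against the transform set in the tunnel's ipsec profile, and check the "
                             "peer's TSi/TSr against 'show crypto ipsec sa' (local/remote ident)"
                             % " ".join(r["esp_offered"]))
    else:
        r["stage"] = "UP"
    return r


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("negotiation stopped at:", result["stage"])
    for finding in result["findings"]:
        print(" -", finding)
    for line in SAMPLE_LOG.splitlines():
        if "Unknown -" in line:
            print(decode_notifies(line))
```

Two things the decoder makes visible in the capture above: 16430/16431 in IKE_SA_INIT are IKEV2_FRAGMENTATION_SUPPORTED and SIGNATURE_HASH_ALGORITHMS, which are harmless capability advertisements, and 16396 in IKE_AUTH is MOBIKE_SUPPORTED, which strongSwan sends only for connections that have MOBIKE enabled, so its presence is worth checking against the mobike setting the connection was meant to have.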
12-29-2018 12:34 PM
I don't see any reference to GRE encapsulation in your StrongSwan configuration. Is GRE configured on the StrongSwan device?
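Following on from the reply above, here is an added example (not written by either participant) of what a GRE-aware swanctl.conf for this router would look like, generated from the relevant lines of the router config. The script reads a named `crypto ikev2 proposal` and `crypto ipsec transform-set` from an IOS config and emits a strongSwan connection with explicitly matching `proposals` / `esp_proposals` instead of `default`, so an algorithm mismatch cannot be the reason for NO_PROPOSAL_CHOSEN, and with traffic selectors narrowed to GRE only. That narrowing is the assumption the example rests on: IOS `tunnel protection` negotiates a child SA whose selectors are protocol 47 between the tunnel source and the peer (visible as the local/remote ident lines of `show crypto ipsec sa`), so a strongSwan child with unrestricted selectors has to be told `local_ts`/`remote_ts = <addr>[gre]`. The connection name `dmvpn`, the PSK placeholder `CHANGE_ME` and the `id-1` secret entry are placeholders, and the IOS-to-strongSwan algorithm table covers only the names I am sure of (it raises on anything else).

```python
# Constructed input: the lines of the router config above that decide what strongSwan
# has to offer (the rest of the running-config is omitted).
IOS_CONFIG = """\
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 2
!
crypto ipsec transform-set transform-gre esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSECPROFILE
 set transform-set TS
 set ikev2-profile IKEPROFILE
!
"""

# IOS keyword -> strongSwan algorithm name. Only names I am sure of; unmapped names raise KeyError.
IKE_ENC = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256", "3des": "3des"}
IKE_INTEG = {"sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512", "md5": "md5"}
DH_GROUP = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "15": "modp3072", "16": "modp4096",
            "19": "ecp256", "20": "ecp384", "21": "ecp521"}
ESP_ALG = {"esp-3des": "3des", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
           "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512", "esp-md5-hmac": "md5"}


def _block(cfg, prefix):
    """Find the config line starting with `prefix`; return its remaining tokens and the tokenised
    indented sub-commands that follow it (IOS indents sub-commands by at least one space)."""
    lines = cfg.splitlines()
    for i, line in enumerate(lines):
        if line == prefix or line.startswith(prefix + " "):
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith(" "):
                    break
                body.append(nxt.split())
            return line[len(prefix):].split(), body
    raise KeyError("no config block starting with %r" % prefix)


def ike_proposal(cfg, name):
    """'crypto ikev2 proposal <name>' -> strongSwan IKE proposal string.
    No PRF is written: strongSwan derives the PRF from the integrity algorithms, as IOS does."""
    _, body = _block(cfg, "crypto ikev2 proposal " + name)
    enc, integ, dh = [], [], []
    for tokens in body:
        key, vals = tokens[0], tokens[1:]
        if key == "encryption":
            enc = [IKE_ENC[v] for v in vals]
        elif key == "integrity":
            integ = [IKE_INTEG[v] for v in vals]
        elif key == "group":
            dh = [DH_GROUP[v] for v in vals]
    return "-".join(enc + integ + dh)


def esp_proposal(cfg, name):
    """'crypto ipsec transform-set <name> ...' -> (strongSwan ESP proposal string, mode)."""
    tokens, body = _block(cfg, "crypto ipsec transform-set " + name)
    algs, i = [], 0
    while i < len(tokens):
        if tokens[i] == "esp-aes":  # an optional key size follows; IOS defaults to 128
            bits = "128"
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                i += 1
                bits = tokens[i]
            algs.append("aes" + bits)
        else:
            algs.append(ESP_ALG[tokens[i]])
        i += 1
    mode = "transport" if ["mode", "transport"] in body else "tunnel"
    return "-".join(algs), mode


def build_swanctl(cfg, ike_name, ts_name, local, remote, psk, conn="dmvpn"):
    """Emit a swanctl.conf connection pinned to the router's algorithms and to GRE-only selectors."""
    esp, mode = esp_proposal(cfg, ts_name)
    return f"""connections {{
    {conn} {{
        version = 2
        local_addrs = {local}
        remote_addrs = {remote}
        proposals = {ike_proposal(cfg, ike_name)}
        local {{
            auth = psk
        }}
        remote {{
            auth = psk
        }}
        children {{
            {conn} {{
                esp_proposals = {esp}
                mode = {mode}
                # GRE between the tunnel endpoints only: what IOS 'tunnel protection'
                # negotiates for the child SA (assumption stated in the lead-in)
                local_ts = {local}[gre]
                remote_ts = {remote}[gre]
                rekey_time = 10m
            }}
        }}
    }}
}}
secrets {{
    ike-{conn} {{
        id-1 = {remote}
        secret = {psk}
    }}
}}
"""


if __name__ == "__main__":
    print(build_swanctl(IOS_CONFIG, "ikev2-proposal", "TS", "192.168.200.2", "192.168.200.1", "CHANGE_ME"))
```

strongSwan puts the KE payload for the first DH group of its list into IKE_SA_INIT, so with this proposal it opens with modp2048; as long as the router keeps selecting its built-in default policy (the "Found Policy 'default'" line in the debug above), the router answers INVALID_KE_PAYLOAD and the exchange restarts with modp1024, exactly as it did with group 19. The 2048-bit group only becomes effective once `show crypto ikev2 policy` shows IKEPOLICYLOCAL being matched for 192.168.200.1. After loading the connection with `swanctl --load-all`, `show crypto ipsec sa` on the router should list the child SA with local and remote ident entries carrying protocol 47.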