Cisco DMVPN / Custom NHRP client + StrongSwan issue

luwoj
Level 1

I'm looking for help with figuring out why the IPsec connection does not work. I'm trying to establish a secure GRE tunnel between a Cisco router (DMVPN) and a custom NHRP client + StrongSwan.

Here's my Cisco config (relevant portions anyway):

(...)
crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 2
!
crypto ikev2 policy IKEPOLICYLOCAL
 match fvrf any
 match address local 192.168.200.1
 proposal ikev2-proposal
!
crypto ikev2 keyring KEYRING
 peer any
  address 0.0.0.0 0.0.0.0
  pre-shared-key secret
 !
 peer 192.168.200.2
  address 192.168.200.2
  pre-shared-key secret
 !
!
!
crypto ikev2 profile IKEPROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key secret address 0.0.0.0
!
!
crypto ipsec transform-set transform-gre esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set transform-gre-transport esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSECPROFILE
 set transform-set TS
 set ikev2-profile IKEPROFILE
!
!
crypto ipsec profile dmvpn-protect3
 set transform-set transform-gre-transport
!
!
!
!
!
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network broadcast
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSECPROFILE
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 duplex auto
 speed auto
!
(...)

Here's the StrongSwan config that is being produced (swanctl.conf):

connections {
        XXX {
                local_addrs = 192.168.200.2
                remote_addrs = 192.168.200.1
                proposals = default
                local {
                        auth = psk
                }
                remote {
                        auth = psk
                }
                children {
                        XXX {
                                esp_proposals = default
                                #esp_proposals = aes128-sha256
                                rekey_time = 10m
                                mode = transport
                        }
                }
        }
        version = 2
        mobike = no
}

secrets {
        ike-XXX {
                secret = secret
        }
}

The result of swanctl --initiate --child XXX is:

Router#
*Dec 26 22:35:07.691: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /192.168.200.1, src_addr= 192.168.200.2, prot= 47

*Dec 26 22:35:08.495: IKEv2:Received Packet [From 192.168.200.2:500/To 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)

*Dec 26 22:35:08.495: IKEv2:(SESSION ID = 9,SA ID = 1):Verify SA init message
*Dec 26 22:35:08.495: IKEv2:(SESSION ID = 9,SA ID = 1):Insert SA
*Dec 26 22:35:08.495: IKEv2:Searching Policy with fvrf 0, local address 192.168.200.1
*Dec 26 22:35:08.495: IKEv2:Using the Default Policy for Proposal
*Dec 26 22:35:08.495: IKEv2:Found Policy 'default'
*Dec 26 22:35:08.495: IKEv2:(SESSION ID = 9,SA ID = 1):Processing IKE_SA_INIT message
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):: The peer's KE payload contained the wrong DH group
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Sending invalid ke notification, peer sent group 19, local policy prefers group 2

*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Sending Packet [To 192.168.200.2:500/From 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 NOTIFY(INVALID_KE_PAYLOAD)

*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Failed SA init exchange
*Dec 26 22:35:08.499: IKEv2:(SESSION ID = 9,SA ID = 1):Initial exchange failed: Initial exchange failed
*Dec 26 22:35:08.503: IKEv2:(SESSION ID = 9,SA ID = 1):Abort exchange
*Dec 26 22:35:08.503: IKEv2:(SESSION ID = 9,SA ID = 1):Deleting SA

*Dec 26 22:35:08.507: IKEv2:Received Packet [From 192.168.200.2:500/To 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)

*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):Verify SA init message
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):Insert SA
*Dec 26 22:35:08.507: IKEv2:Searching Policy with fvrf 0, local address 192.168.200.1
*Dec 26 22:35:08.507: IKEv2:Using the Default Policy for Proposal
*Dec 26 22:35:08.507: IKEv2:Found Policy 'default'
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):Processing IKE_SA_INIT message
*Dec 26 22:35:08.507: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 26 22:35:08.507: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Dec 26 22:35:08.507: IKEv2:Failed to retrieve Certificate Issuer list
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Dec 26 22:35:08.507: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):Request queued for computation of DH key
*Dec 26 22:35:08.507: IKEv2:(SESSION ID = 10,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Request queued for computation of DH secret
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 26 22:35:08.535: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Generating IKE_SA_INIT message
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1024_MODP/Group 2
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 26 22:35:08.535: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Dec 26 22:35:08.535: IKEv2:Failed to retrieve Certificate Issuer list

*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Sending Packet [To 192.168.200.2:500/From 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : DF46102669005D56 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Completed SA init exchange
*Dec 26 22:35:08.535: IKEv2:(SESSION ID = 10,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Received Packet [From 192.168.200.2:4500/To 192.168.200.1:500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : DF46102669005D56 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 IDi AUTH NOTIFY(USE_TRANSPORT_MODE) NOTIFY(ESP_TFC_NO_SUPPORT) SA TSi TSr NOTIFY(Unknown - 16396) NOTIFY(Unknown - 16397) NOTIFY(Unknown - 16397) NOTIFY(Unknown - 16417) NOTIFY(Unknown - 16420)

*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Stopping timer to wait for auth message
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Checking NAT discovery
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):NAT detected float to init port 4500, resp port 4500
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Searching policy based on peer's identity '192.168.200.2' of type 'IPv4 address'
*Dec 26 22:35:08.543: IKEv2:found matching IKEv2 profile 'IKEPROFILE'
*Dec 26 22:35:08.543: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 26 22:35:08.543: IKEv2:% Matched peer block '192.168.200.2'
*Dec 26 22:35:08.543: IKEv2:Searching Policy with fvrf 0, local address 192.168.200.1
*Dec 26 22:35:08.543: IKEv2:Using the Default Policy for Proposal
*Dec 26 22:35:08.543: IKEv2:Found Policy 'default'
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Verify peer's policy
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Peer's policy verified
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Get peer's authentication method
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Peer's authentication method is 'PSK'
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Get peer's preshared key for 192.168.200.2
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Verify peer's authentication data
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Use preshared key for id 192.168.200.2, key len 6
*Dec 26 22:35:08.543: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 26 22:35:08.543: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 26 22:35:08.543: IKEv2:(SESSION ID = 10,SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 26 22:35:08.547: IKEv2:(SESSION ID = 10,SA ID = 1):Processing IKE_AUTH message
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 5 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 6 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 7 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 0 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 1 flags 16370 keysize 128 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 5 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 6 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 7 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.547: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 0 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 1 flags 16370 keysize 192 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 5 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 6 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 7 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 0 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 1 flags 16370 keysize 256 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 3 hmac 5 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 3 hmac 6 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 3 hmac 7 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 3 hmac 2 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 3 hmac 0 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.551: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 3 hmac 1 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.555: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 0 hmac 5 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.555: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 0 hmac 6 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.555: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 0 hmac 7 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.555: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 0 hmac 2 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.559: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 0 hmac 0 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.559: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 0 hmac 1 flags 16370 keysize 0 IDB 0x0
*Dec 26 22:35:08.563: IKEv2:(SESSION ID = 10,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1:  AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA256 SHA384 SHA512 SHA96 AES XCBC 96 MD596 Don't use ESN
*Dec 26 22:35:08.571:
*Dec 26 22:35:08.571:
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):Expected Policies: : Failed to find a matching policy
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):: Failed to find a matching policy
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):Sending no proposal chosen notify
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):Get my authentication method
*Dec 26 22:35:08.571: IKEv2:(SESSION ID = 10,SA ID = 1):My authentication method is 'PSK'
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Get peer's preshared key for 192.168.200.2
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Generate my authentication data
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Use preshared key for id 192.168.200.1, key len 6
*Dec 26 22:35:08.575: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 26 22:35:08.575: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Get my authentication method
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):My authentication method is 'PSK'
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Generating IKE_AUTH message
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Constructing IDr payload: '192.168.200.1' of type 'IPv4 address'
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Sending Packet [To 192.168.200.2:4500/From 192.168.200.1:4500/VRF i0:f0]
Initiator SPI : CBFF31FC7D33F529 - Responder SPI : DF46102669005D56 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Session with IKE ID PAIR (192.168.200.2, 192.168.200.1) is UP
*Dec 26 22:35:08.575: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 26 22:35:08.575: IKEv2:(SESSION ID = 10,SA ID = 1):No duplicate IKEv2 SA found
*Dec 26 22:35

I simply don't get it. It appears that the correct policy is already there, and that everything should work. The error message I see does not instantly point to what the problem could be. Or does it?

I would really appreciate help with this.
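
Added example, not part of the original post: a small Python summarizer for `debug crypto ikev2` output that groups lines by SESSION ID and reports which stage each session reached, which policy name the router matched, and whether the IKE SA or only the child (ESP) SA was rejected. The sample lines are excerpted from the log above with timestamps trimmed; the field names and the `summarize`/`diagnose` helpers are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Excerpt of the router debug output posted above (timestamps trimmed).
SAMPLE_LOG = """\
IKEv2:(SESSION ID = 9,SA ID = 1):Insert SA
IKEv2:Found Policy 'default'
IKEv2:(SESSION ID = 9,SA ID = 1):Sending invalid ke notification, peer sent group 19, local policy prefers group 2
IKEv2:(SESSION ID = 9,SA ID = 1):Failed SA init exchange
IKEv2:(SESSION ID = 10,SA ID = 1):Insert SA
IKEv2:Found Policy 'default'
IKEv2:(SESSION ID = 10,SA ID = 1):NAT detected float to init port 4500, resp port 4500
IKEv2:(SESSION ID = 10,SA ID = 1):Verification of peer's authenctication data PASSED
IKEv2:(SESSION ID = 10,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1:  AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA256 SHA384 SHA512 SHA96 AES XCBC 96 MD596 Don't use ESN
IKEv2:(SESSION ID = 10,SA ID = 1):Sending no proposal chosen notify
IKEv2:(SESSION ID = 10,SA ID = 1):Session with IKE ID PAIR (192.168.200.2, 192.168.200.1) is UP
"""

SESSION = re.compile(r"SESSION ID = (\d+)")
RULES = [  # (field, pattern): captured groups become the value, otherwise True
    ("policy", re.compile(r"Found Policy '([^']+)'")),
    ("dh_mismatch", re.compile(r"peer sent group (\d+), local policy prefers group (\d+)")),
    ("sa_init_failed", re.compile(r"Failed SA init exchange")),
    ("nat_detected", re.compile(r"NAT detected")),
    ("peer_auth_ok", re.compile(r"Verification of peer's authen\w+ data PASSED")),
    ("peer_esp_offer", re.compile(r"ESP: Proposal \d+:\s+(.*)")),
    ("child_rejected", re.compile(r"Sending no proposal chosen notify")),
    ("ike_sa_up", re.compile(r"Session with IKE ID PAIR .* is UP")),
]

def summarize(log_text):
    """Group debug lines by SESSION ID and record the events seen in each session."""
    sessions, current = defaultdict(dict), None
    for line in log_text.splitlines():
        m = SESSION.search(line)
        if m:
            current = int(m.group(1))
        if current is None:
            continue  # lines before the first session id cannot be attributed
        # Assumption: a line without a session id belongs to the last session seen.
        for field, pattern in RULES:
            hit = pattern.search(line)
            if hit:
                sessions[current][field] = hit.groups() or True
    return dict(sessions)

def diagnose(s):
    """One-line verdict that separates IKE SA state from child SA state."""
    if s.get("sa_init_failed"):
        peer, local = s.get("dh_mismatch", ("?", "?"))
        return f"IKE_SA_INIT rejected: DH group {peer} offered, {local} preferred"
    if s.get("ike_sa_up") and s.get("child_rejected"):
        return "IKE SA up, child (ESP) SA rejected with NO_PROPOSAL_CHOSEN"
    return "IKE SA up" if s.get("ike_sa_up") else "incomplete"
```

Run over the full log, this shows session 9 ending at the DH group retry and session 10 authenticating both peers before the ESP proposal is refused, with the router reporting policy 'default' in both sessions.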


Francesco Molino
VIP Alumni
Hi

Based on the logs, you have different error messages, such as authentication issues, proposal and DH group.

Here is a link showing how to make sure your Cisco and StrongSwan are configured in the right way to talk IKEv2 and build the VPN tunnel:
https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html#anc10

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco, you refer to "different error messages". I agree that there's some kind of authentication issue, but the problem is I don't know what exactly.
Phase 1 seems to be finished successfully.
Then the authentication phase begins and it does not finish with success (I think). So the problem lies here. But what EXACTLY is the problem?

As for the link provided: in this example, crypto maps are used, and I think they don't apply to the DMVPN scenario.

I'm not sure Phase 1 is up and running. Maybe you can share the output of show crypto ikev2 sa.

Also, when I do DMVPN between Cisco and Linux, I always use Quagga for NHRPd.
Here is a link that can help: https://wiki.alpinelinux.org/wiki/Dynamic_Multipoint_VPN_(DMVPN)_Phase_3_with_Quagga_NHRPd

Maybe you can share some logs from StrongSwan. Please attach a text file with the logs; otherwise it's not easy to read them while scrolling.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

I don't see any reference to GRE encapsulation in your StrongSwan configuration.  Is GRE configured on the StrongSwan device?

--
Please remember to select a correct answer and rate helpful posts