Configuring Cisco Ikev2 against strongswan

Hello,

I want to configure an IKEv2 connection between a Cisco ASR router and strongSwan. The strongSwan end is behind a NAT (private IP) but the Cisco is not (it has a public IP).

What would the configuration be like on my Cisco?

9 Replies

@williamdaniel22128924 

IKEv2 VPN on ISR/ASR routers is called FlexVPN; here is more detailed information:

https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

Below is an example static VTI configuration for an ASR/ISR:

 

! IKE_SA algorithms; the strongSwan IKE proposal must match these
crypto ikev2 proposal IKEV2_PROP
encryption aes-gcm-256
prf sha256
group 19
!
! Policy that selects the proposal for any front-door VRF
crypto ikev2 policy IKEV2_POLICY
match fvrf any
proposal IKEV2_PROP
!
! Pre-shared key for the strongSwan peer
crypto ikev2 keyring KEYRING
peer PEER-NAME
address <peer ip>
pre-shared-key local <psk>
pre-shared-key remote <psk>
!
! Profile: how the peer is identified and authenticated
crypto ikev2 profile IKEV2_PROFILE
match identity remote <remote id>
identity local fqdn <local id>
authentication local pre-share
authentication remote pre-share
keyring local KEYRING
!
! CHILD_SA (ESP) algorithms; the strongSwan ESP proposal must match these
crypto ipsec transform-set TSET esp-gcm 256
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set TSET
set ikev2-profile IKEV2_PROFILE
!
! Static VTI; tunnel protection binds the IPsec profile to the interface
interface tunnel 0
ip unnumbered loopback 0
tunnel source gigabitethernet 0/0
tunnel destination <peer ip>
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE

The configuration for the ASR will obviously depend on how the peer (strongswan) is configured. The configuration above is an example, amend accordingly.

balaji.bandi
Hall of Fame

There is a good example document here with steps:

https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

If the device is behind a FW you need the ports below to be open:

IKEv2:
IP Protocol Type=UDP, UDP Port Number=500 <- Used by IKEv2 (IPSec control path)
IP Protocol Type=UDP, UDP Port Number=4500 <- Used by IKEv2 (IPSec control path)
IP Protocol Type=ESP (value 50) <- Used by IPSec data path

I will open ICMP for diagnosis and close it once all is working.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi, it shows me the error:

 

received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA

 

As the equipment is behind a NAT, do I have to configure something additional?

Which device generates this error? You need to post complete logs from both sides.

I would advise checking both sites' config one more time.

BB


Hi,

 

The error I sent you is from the strongswan.

 

received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA

 

Cisco does not show me the log of this connection.

Do you have a high-level network diagram? You need to enable debug on the Cisco side to get logs; check the document I mentioned to enable debug.

Do you have reachability between the devices, before you get into the VPN?

BB


Hi,

The strongSwan device is behind a NAT; my Cisco has a public IP. My question is:

In my IKEv2 config, do I have any other parameter for the NAT?

Do I have any other parameter for the NAT?

You mean you need any special config because of being behind NAT? No, I guess not (as long as your NAT device takes care of IPsec-related PAT/NAT).

 

BB


Scott Aitken
Level 1

I have this running with the router as the initiator (one interface is behind CGNAT).

You might need to set the StrongSwan traffic selectors manually:

connections.conn.children.child.local_ts = 0.0.0.0/0
connections.conn.children.child.remote_ts = 0.0.0.0/0

Without this (I first tried with %any) StrongSwan would try to build traffic selectors of 0.0.0.0/32,
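The traffic-selector negotiation behind the "received TS_UNACCEPTABLE notify, no CHILD_SA built" line quoted earlier in the thread, and behind the local_ts/remote_ts fix in the post above, as an added example that is not code from the thread, from Cisco or from the strongSwan project. It models the responder's TS selection from RFC 7296 section 2.9 as a range intersection. Assumptions, taken from the thread and labelled in the code: the IOS static VTI side accepts only an any/any selector pair and does not narrow, and strongSwan with %any proposes a 0.0.0.0/32 selector. The third scenario goes beyond the thread and shows ordinary narrowing against a policy-based responder; all addresses are constructed sample values.

```python
"""Model of IKEv2 traffic-selector (TS) negotiation for a CHILD_SA.

Added example, not code from the thread, Cisco or strongSwan.  It
reproduces why the strongSwan log reports TS_UNACCEPTABLE and why
pinning local_ts/remote_ts to 0.0.0.0/0 resolves it.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Range = Tuple[int, int]          # inclusive start/end address as integers
TSPair = Tuple[Range, Range]     # (TSi, TSr) as the initiator proposes them


def ts_from_cidr(cidr: str) -> Range:
    """A swanctl-style CIDR (local_ts / remote_ts) as an address range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def ts_to_str(r: Range) -> str:
    """Render a range the way IKEv2 carries it: start-end."""
    return f"{ipaddress.ip_address(r[0])}-{ipaddress.ip_address(r[1])}"


def intersect(a: Range, b: Range) -> Optional[Range]:
    """Overlap of two ranges, or None when they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def responder_select(proposal: TSPair, resp_remote_ts: Range, resp_local_ts: Range,
                     allow_narrowing: bool) -> Tuple[str, Optional[TSPair]]:
    """What a responder answers to the initiator's (TSi, TSr) proposal.

    RFC 7296 section 2.9: the responder may narrow TSi/TSr to the subset its
    policy permits.  TSi describes the initiator's traffic, so it is matched
    against the responder's *remote* selector; TSr against its *local* one.
    allow_narrowing=False models a policy that must be covered in full, which
    is how the thread describes the IOS static VTI (any/any only): a /32
    proposal from strongSwan then earns TS_UNACCEPTABLE.
    """
    tsi, tsr = proposal
    sel_i, sel_r = intersect(tsi, resp_remote_ts), intersect(tsr, resp_local_ts)
    if sel_i is None or sel_r is None:
        return "TS_UNACCEPTABLE", None
    if not allow_narrowing and (sel_i != resp_remote_ts or sel_r != resp_local_ts):
        return "TS_UNACCEPTABLE", None
    return "OK", (sel_i, sel_r)


ANY = ts_from_cidr("0.0.0.0/0")


def run_scenarios() -> Dict[str, Tuple[str, Optional[TSPair]]]:
    """Three cases; the first two are the thread's failure and its fix."""
    # strongSwan with %any: the post above reports it proposing 0.0.0.0/32
    # for the local side (assumption taken from the thread).
    default_swan = (ts_from_cidr("0.0.0.0/32"), ANY)
    # Scott's fix: local_ts = remote_ts = 0.0.0.0/0 on the strongSwan child.
    pinned_swan = (ANY, ANY)
    # Beyond the thread: a responder that does narrow (policy-based peer,
    # constructed subnets) against a subnet proposal.
    subnet_proposal = (ts_from_cidr("10.1.5.0/24"), ANY)
    return {
        "swan_default_vs_svti": responder_select(default_swan, ANY, ANY,
                                                 allow_narrowing=False),
        "swan_pinned_vs_svti": responder_select(pinned_swan, ANY, ANY,
                                                allow_narrowing=False),
        "subnet_vs_narrowing_peer": responder_select(
            subnet_proposal, ts_from_cidr("10.1.0.0/16"), ts_from_cidr("10.2.0.0/16"),
            allow_narrowing=True),
    }


if __name__ == "__main__":
    for name, (verdict, sel) in run_scenarios().items():
        detail = "" if sel is None else f" -> {ts_to_str(sel[0])} <-> {ts_to_str(sel[1])}"
        print(f"{name}: {verdict}{detail}")
```

Running it prints TS_UNACCEPTABLE for the default strongSwan selector against the VTI, OK with the any/any pair once local_ts and remote_ts are pinned, and a narrowed 10.1.5.0/24 to 10.2.0.0/16 pair for the policy-based responder. When debugging a real failure, compare the TSi/TSr in the strongSwan log against what the Cisco side's VTI or ACL requires in exactly this way.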