Participant

IKEv2 with AES-GCM between Cisco and Strongswan

Hello,

Cisco:

crypto ikev2 proposal IKEv2_PROPOSAL_STRONGSWAN 
encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
integrity sha1
group 2



crypto ikev2 policy IKEv2_POLICY_STRONGSWAN 
proposal IKEv2_PROPOSAL_STRONGSWAN

crypto ikev2 keyring IKEv2_KEYRING_STRONGSWAN
peer dcvpnl002prpny2
address 185.167.55.208
pre-shared-key local pass
pre-shared-key remote pass

crypto ikev2 profile IKEv2_PROFILE_STRONGSWAN
match identity remote address 185.167.55.208 255.255.255.255 
identity local address 37.157.77.10
authentication remote pre-share
authentication local pre-share
keyring local IKEv2_KEYRING_STRONGSWAN


crypto ipsec transform-set NY2_STRONGSWAN_TRANSFORM_SET esp-gcm 
mode tunnel


crypto ipsec profile NY2_STRONGSWAN_PROFILE
set transform-set NY2_STRONGSWAN_TRANSFORM_SET 
set pfs group2
set ikev2-profile IKEv2_PROFILE_STRONGSWAN



Strongswan side:

conn net-ntg
auto=start
type=tunnel
ike=aes-sha1-modp1024
esp=aes128gcm16-modp1024
left=185.167.55.208
leftid=185.167.55.208
leftfirewall=no
right=37.157.77.10
rightid=37.157.77.10
rightfirewall=no
keyexchange=ikev2
authby=psk


I'm getting an error:

strongswan up net-ntg
parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed


but after a few seconds, the Cisco side starts to initiate the session and it goes UP.

 

net-ntg[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{5}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: cca62d6e_i 591dcbd5_o
net-ntg{5}: AES_GCM_16_128/MODP_1024, 12341 bytes_i (167 pkts, 1s ago), 12457 bytes_o (170 pkts, 269s ago), rekeying in 33 minutes


The strange thing is that it seems OK when Cisco initiates. But when strongSwan initiates, the NO_PROPOSAL_CHOSEN error comes.

Any suggestions?

Thanks

 

 

 

VIP Advisor

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Hi,
I don't see PFS group 2 defined in the strongswan configuration. Add to the strongswan configuration or remove from the Cisco configuration and try again.

HTH
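An added example, not code from this thread or from either vendor: a small Python checker that takes the two configurations above as text, maps the IOS and strongSwan algorithm keywords onto one vocabulary (spelled as strongSwan logs it) and reports every category where the peers have no algorithm in common. The keyword maps and the sample configuration strings are constructed from the post; for those configurations it reports nothing, consistent with the tunnel coming up when the Cisco side initiates.

```python
import re
# Common vocabulary (spelled the way strongSwan logs it) for the IOS and strongSwan keywords
# used in the thread; anything unmapped passes through unchanged so the tool still runs.
CISCO = {"aes-cbc-128": "AES_CBC_128", "aes-cbc-192": "AES_CBC_192", "aes-cbc-256": "AES_CBC_256",
         "sha1": "HMAC_SHA1_96", "2": "MODP_1024", "group2": "MODP_1024", "esp-gcm": "AES_GCM_16_128"}
SWAN = {"aes": "AES_CBC_128", "aes128": "AES_CBC_128", "aes192": "AES_CBC_192", "aes256": "AES_CBC_256",
        "sha1": "HMAC_SHA1_96", "modp1024": "MODP_1024", "aes128gcm16": "AES_GCM_16_128"}
IKE_KW = {"encryption": "ike_enc", "integrity": "ike_integ", "group": "ike_dh"}
CATS = ("ike_enc", "ike_integ", "ike_dh", "esp_enc", "esp_integ", "esp_dh")

def classify(name):  # bucket a normalised (or pass-through) algorithm name as dh, integ or enc
    if name.startswith(("MODP_", "ECP_", "modp", "ecp", "curve")):
        return "dh"
    return "integ" if name.startswith(("HMAC_", "sha", "md5", "esp-sha", "esp-md5")) else "enc"

def parse_cisco(text):
    """What IOS offers: the 'crypto ikev2 proposal' lines, the transform-set and 'set pfs'."""
    p = {c: set() for c in CATS}
    for w in (line.split() for line in text.splitlines()):
        if w and w[0] in IKE_KW:
            p[IKE_KW[w[0]]] |= {CISCO.get(a, a) for a in w[1:]}
        elif w[:2] == ["set", "pfs"]:
            p["esp_dh"] |= {CISCO.get(a, a) for a in w[2:]}
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:  # keep 'esp-gcm 256' as one transform
            for name in (CISCO.get(a, a) for a in re.findall(r"esp-gcm 256|\S+", " ".join(w[4:]))):
                p["esp_" + classify(name)].add(name)
    return p

def parse_swan(text):
    """What strongSwan offers: every proposal listed on the conn's ike= and esp= lines."""
    p = {c: set() for c in CATS}
    for key, value in re.findall(r"^\s*(ike|esp)=(\S+)", text, re.M):
        for proposal in value.rstrip("!").split(","):
            for name in (SWAN.get(a, a) for a in proposal.split("-")):
                p[key + "_" + classify(name)].add(name)
    return p

def compare(cisco, swan):
    """Categories where the peers share nothing; each one is a NO_PROPOSAL_CHOSEN candidate."""
    return {c: (sorted(cisco[c]), sorted(swan[c])) for c in CATS
            if (cisco[c] or swan[c]) and not cisco[c] & swan[c]}

# Constructed from the thread's two configurations, reduced to the algorithm lines.
CISCO_CFG = ("crypto ikev2 proposal IKEv2_PROPOSAL_STRONGSWAN\n encryption aes-cbc-256 aes-cbc-128 aes-cbc-192\n"
             " integrity sha1\n group 2\ncrypto ipsec transform-set NY2_STRONGSWAN_TRANSFORM_SET esp-gcm\n"
             "crypto ipsec profile NY2_STRONGSWAN_PROFILE\n set pfs group2\n")
SWAN_CFG = "conn net-ntg\n    ike=aes-sha1-modp1024\n    esp=aes128gcm16-modp1024\n"

if __name__ == "__main__":
    print(compare(parse_cisco(CISCO_CFG), parse_swan(SWAN_CFG)))  # {} : every category overlaps
```

Removing `set pfs group2` from the IOS side alone makes compare() flag esp_dh, because the strongSwan esp= line still carries modp1024; whether a particular IOS release tolerates that asymmetry as responder is something only the router's IKEv2 debugs can tell you.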
Participant

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Thanks for the fast reply, I tried to remove it from Cisco. After that I tried to restart the IPsec session.

Got the same result.

VIP Advisor

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Please can you provide the output of the IKEv2 debugs from the Cisco router when strongSwan initiates the VPN and it fails?

Participant

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Please check this link:

https://pastebin.com/5eYrVBZc

I don't understand why I'm getting so many "profile did not match" messages. It seems like Cisco doesn't understand the proposals that strongSwan is sending.

VIP Advisor

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Unless it was a copy and paste error, you aren't referencing the IKEv2 profile under the IPsec profile.


crypto ipsec profile NY2_STRONGSWAN_PROFILE
 set ikev2-profile IKEv2_PROFILE_STRONGSWAN

 

HTH

Participant

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Nice catch, it was a copy-paste error; I edited the original post accordingly.

The same issue persists.

prod [root@dcvpnl002prpny2 ~]# strongswan up net-ntg
initiating IKE_SA net-ntg[23] to 37.157.77.10
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 185.167.55.208[500] to 37.157.77.10[500] (1172 bytes)
received packet: from 37.157.77.10[500] to 185.167.55.208[500] (390 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
received Cisco FlexVPN Supported vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
authentication of '185.167.55.208' (myself) with pre-shared key
establishing CHILD_SA net-ntg{1039}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 185.167.55.208[4500] to 37.157.77.10[4500] (428 bytes)
received packet: from 37.157.77.10[4500] to 185.167.55.208[4500] (140 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '37.157.77.10' with pre-shared key successful
IKE_SA net-ntg[23] established between 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
scheduling reauthentication in 9737s
maximum IKE_SA lifetime 10277s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed

 

Even though it starts to work when Cisco initiates the connection:

 

prod [root@dcvpnl002prpny2 ~]# strongswan statusall net-ntg
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1062.4.3.el7.x86_64, x86_64):
uptime: 11 hours, since Nov 26 21:29:56 2019
malloc: sbrk 2813952, mmap 0, used 714704, free 2099248
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 16
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
185.167.164.251
10.254.33.13
10.254.33.11
185.167.164.249
10.130.11.249
10.130.11.245
10.130.11.253
10.130.11.241
Connections:
net-ntg: 185.167.55.208...37.157.77.10 IKEv2
net-ntg: local: [185.167.55.208] uses pre-shared key authentication
net-ntg: remote: [37.157.77.10] uses pre-shared key authentication
net-ntg: child: dynamic === dynamic TUNNEL
Security Associations (4 up, 0 connecting):
net-ntg[25]: ESTABLISHED 78 seconds ago, 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
net-ntg[25]: IKEv2 SPIs: d5ed3276ae8ad2e7_i f1f28c7369b1fce1_r*, pre-shared key reauthentication in 2 hours
net-ntg[25]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{1041}: INSTALLED, TUNNEL, reqid 15, ESP SPIs: c816b874_i c8736bbc_o
net-ntg{1041}: AES_GCM_16_128, 1894 bytes_i (18 pkts, 1s ago), 1396 bytes_o (18 pkts, 67s ago), rekeying in 44 minutes
net-ntg{1041}: 185.167.55.208/32[gre] === 37.157.77.10/32[gre]

 

 

 

VIP Advisor

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Can you provide the output of "show crypto ikev2 sa detail" and "show interface <tunnel interface number>" when the tunnel is working? Can you also provide the configuration of the tunnel interfaces from both the Cisco and strongSwan devices?
Participant

Re: IKEv2 with AES-GCM between Cisco and Strongswan

Thank you for the help.

I will update you next week, because we're now having a Black Friday freeze.

Thanks!!