
IKEv2 with AES-GCM between Cisco and Strongswan

from88
Level 4

Hello,

Cisco:

crypto ikev2 proposal IKEv2_PROPOSAL_STRONGSWAN 
encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
integrity sha1
group 2



crypto ikev2 policy IKEv2_POLICY_STRONGSWAN 
proposal IKEv2_PROPOSAL_STRONGSWAN

crypto ikev2 keyring IKEv2_KEYRING_STRONGSWAN
peer dcvpnl002prpny2
address 185.167.55.208
pre-shared-key local pass
pre-shared-key remote pass

crypto ikev2 profile IKEv2_PROFILE_STRONGSWAN
match identity remote address 185.167.55.208 255.255.255.255 
identity local address 37.157.77.10
authentication remote pre-share
authentication local pre-share
keyring local IKEv2_KEYRING_STRONGSWAN


crypto ipsec transform-set NY2_STRONGSWAN_TRANSFORM_SET esp-gcm 
mode tunnel


crypto ipsec profile NY2_STRONGSWAN_PROFILE
set transform-set NY2_STRONGSWAN_TRANSFORM_SET 
set pfs group2
set ikev2-profile IKEv2_PROFILE_STRONGSWAN



strongSwan side:

conn net-ntg
auto=start
type=tunnel
ike=aes-sha1-modp1024
esp=aes128gcm16-modp1024
left=185.167.55.208
leftid=185.167.55.208
leftfirewall=no
right=37.157.77.10
rightid=37.157.77.10
rightfirewall=no
keyexchange=ikev2
authby=psk


I'm getting an error:

strongswan up net-ntg
parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed


but after a few seconds, the Cisco side starts to initiate the session and it goes UP.

net-ntg[4]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{5}: INSTALLED, TUNNEL, reqid 4, ESP SPIs: cca62d6e_i 591dcbd5_o
net-ntg{5}: AES_GCM_16_128/MODP_1024, 12341 bytes_i (167 pkts, 1s ago), 12457 bytes_o (170 pkts, 269s ago), rekeying in 33 minutes


The strange thing is that it seems OK when Cisco initiates. But when strongSwan initiates, the NO_PROPOSAL_CHOSEN error comes.

Any suggestions?

Thanks

9 Replies

Hi,
I don't see PFS group 2 defined in the strongswan configuration. Add to the strongswan configuration or remove from the Cisco configuration and try again.

HTH

Thanks for the fast reply, I tried to remove it from Cisco. After that I tried to restart the IPsec session.

Got the same result.

Please can you provide the output of the IKEv2 debugs of the Cisco router when strongSwan initiates the VPN and it fails.

Please check this link:

https://pastebin.com/5eYrVBZc

I don't understand why I'm getting so many "profile did not match" messages. It seems like Cisco doesn't understand the proposals which strongSwan is sending.

Unless it was a copy and paste error, you aren't referencing the IKEv2 profile under the IPsec profile:

crypto ipsec profile NY2_STRONGSWAN_PROFILE
 set ikev2-profile IKEv2_PROFILE_STRONGSWAN

HTH

Nice catch, it was a copy and paste error; I edited the original post accordingly.

The same issue persists.

prod [root@dcvpnl002prpny2 ~]# strongswan up net-ntg
initiating IKE_SA net-ntg[23] to 37.157.77.10
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 185.167.55.208[500] to 37.157.77.10[500] (1172 bytes)
received packet: from 37.157.77.10[500] to 185.167.55.208[500] (390 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
received Cisco FlexVPN Supported vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
authentication of '185.167.55.208' (myself) with pre-shared key
establishing CHILD_SA net-ntg{1039}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 185.167.55.208[4500] to 37.157.77.10[4500] (428 bytes)
received packet: from 37.157.77.10[4500] to 185.167.55.208[4500] (140 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '37.157.77.10' with pre-shared key successful
IKE_SA net-ntg[23] established between 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
scheduling reauthentication in 9737s
maximum IKE_SA lifetime 10277s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'net-ntg' failed

Even though it starts to work when Cisco initiates the connection:

prod [root@dcvpnl002prpny2 ~]# strongswan statusall net-ntg
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1062.4.3.el7.x86_64, x86_64):
uptime: 11 hours, since Nov 26 21:29:56 2019
malloc: sbrk 2813952, mmap 0, used 714704, free 2099248
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 16
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
185.167.164.251
10.254.33.13
10.254.33.11
185.167.164.249
10.130.11.249
10.130.11.245
10.130.11.253
10.130.11.241
Connections:
net-ntg: 185.167.55.208...37.157.77.10 IKEv2
net-ntg: local: [185.167.55.208] uses pre-shared key authentication
net-ntg: remote: [37.157.77.10] uses pre-shared key authentication
net-ntg: child: dynamic === dynamic TUNNEL
Security Associations (4 up, 0 connecting):
net-ntg[25]: ESTABLISHED 78 seconds ago, 185.167.55.208[185.167.55.208]...37.157.77.10[37.157.77.10]
net-ntg[25]: IKEv2 SPIs: d5ed3276ae8ad2e7_i f1f28c7369b1fce1_r*, pre-shared key reauthentication in 2 hours
net-ntg[25]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
net-ntg{1041}: INSTALLED, TUNNEL, reqid 15, ESP SPIs: c816b874_i c8736bbc_o
net-ntg{1041}: AES_GCM_16_128, 1894 bytes_i (18 pkts, 1s ago), 1396 bytes_o (18 pkts, 67s ago), rekeying in 44 minutes
net-ntg{1041}: 185.167.55.208/32[gre] === 37.157.77.10/32[gre]

Can you provide the output of "show crypto ikev2 sa detail" and "show interface <tunnel interface number>" when the tunnel is working? Can you also provide the configuration of the tunnel interfaces from both the Cisco and strongSwan devices?

Thank you for the help.

I will update you next week, because right now we're having a Black Friday freeze.

Thanks!!

nagrajk1969
Spotlight

Hi All

This reported issue is quite old; this is just in case the reported issues are still being observed with similar IPsec peers.

I think that the issue of the tunnel not getting established when the strongSwan peer is initiating the IKE/IPsec tunnel (but works when Cisco initiates it) is mostly happening because of the following reason(s):

1. On the strongSwan peer

a) Check whether you have enabled "forceencaps=yes"; if yes, then please disable it by deleting the option altogether.

- I see that when initiated from strongSwan the IKE negotiation is switching to using port 4500, even though there is NO NAT router in between the strongSwan and Cisco peers.

- When Cisco initiates the IPsec tunnel, there is no NAT detected and therefore there is no NAT-T (UDP 4500) applied.

- So since IKEv2 has built-in support for NAT-T included, the use of UDP 4500/NAT-T will get triggered automatically ONLY IF THERE IS REALLY A NAT ROUTER IN BETWEEN. So in this case it must be the explicit use of the option "forceencaps=yes" that is resulting in the switch-over to UDP 4500 when strongSwan initiates the tunnel.

- So just delete this option on the strongSwan peer.

b) Apply the algorithm proposals as below (include the exclamation mark):

----------------------------

ike=aes-sha1-modp1024!
esp=aes128gcm16-modp1024!

-----------------------------

c) Since this tunnel is a GRE-with-IPsec tunnel, add the config below to the existing config on the strongSwan peer:

-------------------------------

leftsubnet=185.167.55.208[gre]
rightsubnet=37.157.77.10[gre]
---------------------------

Try out the above additions/changes to the strongSwan config, and hopefully this time it should work.

Thanks
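To put the two configurations in this thread side by side, here is a small checker (an added example, not code from the thread, from strongSwan or from Cisco): it parses the strongSwan conn section, renders the Cisco transform-set plus PFS group as a strongSwan esp= string, and compares the traffic selectors strongSwan would propose with the [gre] selectors that `strongswan statusall` showed once the Cisco side had initiated. The keyword mapping and the sample conn text are constructed for this example, and proposals are compared literally (the '!' strict marker is ignored, and the IKE_AUTH special case of not negotiating a DH group is not modelled).

```python
# Cisco IOS keyword -> strongSwan keyword (assumed mapping, only the subset seen in this thread)
CISCO_TO_SWAN = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256",
                 "esp-gcm": "aes128gcm16", "sha1": "sha1", "group2": "modp1024"}
# Constructed samples: the thread's conn section, before and after adding the [gre] selectors
CONN_ORIGINAL = ("conn net-ntg\n left=185.167.55.208\n right=37.157.77.10\n"
                 " ike=aes-sha1-modp1024\n esp=aes128gcm16-modp1024\n")
CONN_FIXED = CONN_ORIGINAL + " leftsubnet=185.167.55.208[gre]\n rightsubnet=37.157.77.10[gre]\n"
# Selectors that 'strongswan statusall' showed once the Cisco side had initiated the tunnel
PEER_TS = (("185.167.55.208/32", "gre"), ("37.157.77.10/32", "gre"))

def parse_conn(text):
    """Parse the key=value lines of an ipsec.conf conn section into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def cisco_esp_proposal(transform_set, pfs_group=None):
    """Render a Cisco transform-set plus 'set pfs' group as a strongSwan esp= proposal."""
    algs = [CISCO_TO_SWAN.get(t, t) for t in transform_set.split()]
    if pfs_group:
        algs.append(CISCO_TO_SWAN.get(pfs_group, pfs_group))
    return "-".join(algs)

def traffic_selector(conf, side):
    """Selector strongSwan proposes for 'left'/'right': <side>subnet if set,
    otherwise that side's host address with no protocol restriction."""
    sub = conf.get(side + "subnet")
    if sub is None:
        return (conf[side] + "/32", "any")
    net, _, proto = sub.partition("[")
    return (net if "/" in net else net + "/32", proto.rstrip("]") or "any")

def mismatches(conn_text, transform_set, pfs_group, peer_ts):
    """Differences between what strongSwan would propose and what the Cisco side
    accepted; an empty list means both sides agree (the '!' marker is ignored)."""
    conf = parse_conn(conn_text)
    found = []
    want = cisco_esp_proposal(transform_set, pfs_group)
    if want not in conf.get("esp", "").rstrip("!").split(","):
        found.append(f"ESP: Cisco offers {want}, strongSwan esp={conf.get('esp')}")
    for side, ts in zip(("left", "right"), peer_ts):
        mine = traffic_selector(conf, side)
        if mine != ts:
            found.append(f"{side} selector {mine} differs from peer's {ts}")
    return found
```

Run on the thread's original conn with the Cisco `esp-gcm` transform-set and `pfs group2`, it reports only the two selector differences (no protocol versus [gre]), and nothing once leftsubnet/rightsubnet with [gre] are added.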