Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

2021-01-18 Thread Noel Kuntze

Hi all,

Please provide logs as shown on the HelpRequests page[1] on the wiki.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 18.01.21 at 12:44, Volodymyr Litovka wrote:

Hi George,

I don't remember exactly Cisco's commands to configure encryption, but it seems 
your config misses encryption settings for IKE negotiation. Your config on the Cisco 
side should look like the following:

! This is IKE encryption
crypto isakmp policy 10
   encryption ...
   hash ...
   group ...
   ...
! This is ESP encryption
crypto ipsec transform-set myset ...
!
crypto ipsec profile myprofile
   ...
   set transform-set myset
!
int tun151
  ...
  tunnel protection ipsec profile myprofile

and IKE encryption (isakmp policy) must match "ike" parameter in connection definition, 
while ESP encryption (ipsec transform-set) must match "esp" parameter.

Hope this'll help.

On 14.01.2021 22:38, george live wrote:

Hi all,
I am using strongSwan version 5.3 on AWS cloud and trying to set up IPsec with a 
Cisco ASR at a customer site. It is not a complex scenario but the logs are 
telling me that strongSwan is saying 'no proposals chosen'.

It is IKEv1, AES256, SHA1 and DH group 2.

Below are the configs:

Strongswan
==========
config setup
    charondebug="ike 1, knl 0, cfg 0"
conn BRKTUNEL
    authby=secret
     auto=route
     dpddelay=10
     dpdtimeout=30
     dpdaction=restart
     esp=aes256-sha-modp1024
     ike=aes256-sha-modp1024
     ikelifetime=86400s
     lifetime=1h
     keyexchange=ikev1
     keyingtries=%forever
     rekey=yes
     forceencaps=yes
     # Specifics
     left=2.2.2.2            # Local private ip
     leftsubnet=%dynamic[gre]   # Local VPC Subnet
     leftid=2.2.2.2
     leftfirewall=yes
     rightfirewall=no
     right=1.1.1.1       # Remote Tunnel IP
     rightid=%any
     rightsubnet=%dynamic[gre] # Remote VPC Subnet
     type=tunnel

Customer ASR config

crypto isakmp profile abcd
description Default profile
vrf 10
keyring cust_key
match identity address 2.2.2.2
keepalive 10 retry 2
local-address 1.1.1.1
!
crypto keyring cust_key vrf 10
description Key ring for vrf 10 peers
local-address customer_ip vrf
pre-shared-key address 2.2.2.2 key x
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ipsec
set transform-set cust1-xform
set pfs group2
set isakmp-profile abcd
!
interface Tunnel151
description AWS
vrf forwarding 10
ip address 169.254.128.1 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
tunnel vrf 10
tunnel protection ipsec profile ipsec
ip virtual-reassembly

The debug logs says 'no IKE config found for 1.1.1.1...2.2.2.2, sending 
NO_PROPOSAL_CHOSEN'

Any help is appreciated.

Thanks,
George


--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison







Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

2021-01-18 Thread MOHIT CHALLA (mochalla)
[Correction]

Hi George,

Sorry, I made a blunder in the earlier response. I mixed up IPsec TS_UNACCEPTABLE 
with IKE proposals.

I just checked, and the debug output you posted is in fact originating because 
of the IKE proposal mismatch.

Basically, Cisco uses default ISAKMP policies under the hood unless the user 
explicitly configures an ISAKMP policy (in which case the system default is 
then overridden with the user-configured policy).
So, in your case, there does not seem to be a user-configured ISAKMP policy, due 
to which the system default is being used and the same is not matching with the 
IKE config on StrongSwan.

What default policies are configured by the system on the ASR depends on the 
software version. So you can check this with ‘show crypto isakmp default 
policy’.

Either way, DH group 2 and AES have been long considered unsafe and are 
probably not configured as a system default, so you will have to configure an 
ISAKMP policy with these settings explicitly.

In a nutshell:

  1.  Change the config parameters on the StrongSwan side to match the system defaults 
of the ASR
  2.  Or, explicitly configure a policy on the ASR to match the StrongSwan setting, 
like this example:
crypto isakmp policy 1
   encryption aes
   authentication pre-share
   group 2

With this change your IKE SA should come up. I am guessing the CHILD_SA will also 
come up with your existing config; if not, you can try the suggestion I had 
given in the earlier mail for that.

Thanks,
Mohit



Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

2021-01-18 Thread MOHIT CHALLA (mochalla)
Hi George,

I am not 100% sure what is causing the issue, but there are a couple of things 
that I notice.

Cisco static-VTI solution (like the one that is configured on the ASR in your 
config) automatically uses any-any traffic selectors. I see you are using GRE 
as encaps on ASR (which is the default if you do not configure ‘tunnel mode 
ipsec ipv4’) for what seems to be a point-to-point connection. I am not sure 
what ‘%dynamic[gre]’ translates to.

So you can try either of these:

  1.  Set ‘tunnel mode ipsec ipv4’ on the tunnel interface on ASR and make the 
leftsubnet=0.0.0.0/0 && rightsubnet=0.0.0.0/0 on StrongSwan
  2.  Leave the ASR config as it is and configure on StrongSwan:
 *   leftprotoport=gre
 *   leftsubnet=0.0.0.0/0
 *   rightprotoport=gre
 *   rightsubnet=0.0.0.0/0

Let me know if this helps. The encryption settings seem fine, else IKE would 
have complained during SA_INIT itself.

Thanks,
Mohit




Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

2021-01-18 Thread Volodymyr Litovka

Hi George,

I don't remember exactly Cisco's commands to configure encryption, but
it seems your config misses encryption settings for IKE negotiation. Your
config on the Cisco side should look like the following:

! This is IKE encryption
crypto isakmp policy 10
  encryption ...
  hash ...
  group ...
  ...
! This is ESP encryption
crypto ipsec transform-set myset ...
!
crypto ipsec profile myprofile
  ...
  set transform-set myset
!
int tun151
 ...
 tunnel protection ipsec profile myprofile

and IKE encryption (isakmp policy) must match "ike" parameter in
connection definition, while ESP encryption (ipsec transform-set) must
match "esp" parameter.

Hope this'll help.

On 14.01.2021 22:38, george live wrote:

Hi all,
I am using strongSwan version 5.3 on AWS cloud and trying to set up IPsec
with a Cisco ASR at a customer site. It is not a complex scenario but the
logs are telling me that strongSwan is saying 'no proposals chosen'.

It is IKEv1, AES256, SHA1 and DH group 2.

Below are the configs:

Strongswan
==========
config setup
    charondebug="ike 1, knl 0, cfg 0"
conn BRKTUNEL
    authby=secret
     auto=route
     dpddelay=10
     dpdtimeout=30
     dpdaction=restart
     esp=aes256-sha-modp1024
     ike=aes256-sha-modp1024
     ikelifetime=86400s
     lifetime=1h
     keyexchange=ikev1
     keyingtries=%forever
     rekey=yes
     forceencaps=yes
     # Specifics
     left=2.2.2.2            # Local private ip
     leftsubnet=%dynamic[gre]   # Local VPC Subnet
     leftid=2.2.2.2
     leftfirewall=yes
     rightfirewall=no
     right=1.1.1.1       # Remote Tunnel IP
     rightid=%any
     rightsubnet=%dynamic[gre] # Remote VPC Subnet
     type=tunnel

Customer ASR config

crypto isakmp profile abcd
description Default profile
vrf 10
keyring cust_key
match identity address 2.2.2.2
keepalive 10 retry 2
local-address 1.1.1.1
!
crypto keyring cust_key vrf 10
description Key ring for vrf 10 peers
local-address customer_ip vrf
pre-shared-key address 2.2.2.2 key x
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ipsec
set transform-set cust1-xform
set pfs group2
set isakmp-profile abcd
!
interface Tunnel151
description AWS
vrf forwarding 10
ip address 169.254.128.1 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 1.1.1.1
tunnel destination 2.2.2.2
tunnel vrf 10
tunnel protection ipsec profile ipsec
ip virtual-reassembly

The debug logs says 'no IKE config found for 1.1.1.1...2.2.2.2,
sending NO_PROPOSAL_CHOSEN'

Any help is appreciated.

Thanks,
George


--
Volodymyr Litovka
  "Vision without Execution is Hallucination." -- Thomas Edison