Hi George,

I am not 100% sure what is causing the issue, but there are a couple of things which I notice.

Cisco static-VTI solution (like the one that is configured on the ASR in your config) automatically uses any-any traffic selectors. I see you are using GRE as encaps on ASR (which is the default if you do not configure 'tunnel mode ipsec ipv4') for what seems to be a point-to-point connection. I am not sure what '%dynamic[gre]' translates to. So you can try either of these:

1. Set 'tunnel mode ipsec ipv4' on the tunnel interface on ASR and make leftsubnet=0.0.0.0/0 && rightsubnet=0.0.0.0/0 on StrongSwan
2. Leave the ASR config as it is and configure on StrongSwan:
   * leftprotoport=gre
   * leftsubnet=0.0.0.0/0
   * rightprotoport=gre
   * rightsubnet=0.0.0.0/0

Let me know if this helps. The encryption settings seem fine, else IKE would have complained during SA_INIT itself.

Thanks,
Mohit

From: Users <users-boun...@lists.strongswan.org> on behalf of Volodymyr Litovka <doka...@gmx.com>
Date: Monday, 18 January 2021 at 5:15 PM
To: george live <georgelive2...@gmail.com>, "users@lists.strongswan.org" <users@lists.strongswan.org>
Subject: Re: [strongSwan] Facing a strange issue between Cisco ASR and strongswan v5.3

Hi George,

I don't remember exactly Cisco's commands to configure encryption, but it seems your config misses encryption settings for IKE negotiation. Your config on Cisco side should look like the following:

! This is IKE encryption
crypto isakmp policy 10
 encryption ...
 hash ...
 group ...
 ...
! This is ESP encryption
crypto ipsec transform-set myset ...
!
crypto ipsec profile myprofile
 ...
 set transform-set myset
!
int tun151
 ...
 tunnel protection ipsec profile myprofile

and IKE encryption (isakmp policy) must match the "ike" parameter in the connection definition, while ESP encryption (ipsec transform-set) must match the "esp" parameter.

Hope this'll help.

On 14.01.2021 22:38, george live wrote:

Hi all,

I am using strongswan version 5.3 on aws cloud and trying to set ipsec with a cisco asr in customer site. It is not a complex scenario but the logs are telling me that strongswan is saying 'no proposals chosen'. It is ikev1, aes256, sha1 and dh group 2. Below are the configs:

Strongswan
=========
config setup
    charondebug="ike 1, knl 0, cfg 0"

conn BRKTUNEL
    authby=secret
    auto=route
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
    esp=aes256-sha-modp1024
    ike=aes256-sha-modp1024
    ikelifetime=86400s
    lifetime=1h
    keyexchange=ikev1
    keyingtries=%forever
    rekey=yes
    forceencaps=yes
    # Specifics
    left=2.2.2.2                   # Local private ip
    leftsubnet=%dynamic[gre]       # Local VPC Subnet
    leftid=2.2.2.2
    leftfirewall=yes
    rightfirewall=no
    right=1.1.1.1                  # Remote Tunnel IP
    rightid=%any
    rightsubnet=%dynamic[gre]      # Remote VPC Subnet
    type=tunnel

Customer ASR config
================
crypto isakmp profile abcd
 description Default profile vrf 10
 keyring cust_key
 match identity address 2.2.2.2
 keepalive 10 retry 2
 local-address 1.1.1.1
!
crypto keyring cust_key vrf 10
 description Key ring for vrf 10 peers
 local-address customer_ip vrf
 pre-shared-key address 2.2.2.2 key xxxxxxxxx
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipsec
 set transform-set cust1-xform
 set pfs group2
 set isakmp-profile abcd
!
interface Tunnel151
 description AWS
 vrf forwarding 10
 ip address 169.254.128.1 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel vrf 10
 tunnel protection ipsec profile ipsec
 ip virtual-reassembly

The debug logs say 'no IKE config found for 1.1.1.1...2.2.2.2, sending NO_PROPOSAL_CHOSEN'

Any help is appreciated.

Thanks,
George

--
Volodymyr Litovka
"Vision without Execution is Hallucination." -- Thomas Edison
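Added example, written for this page in Python; it is neither strongSwan's charon code nor anything the three posters sent. It is a toy model of the order in which an IKE responder ends up answering NO_PROPOSAL_CHOSEN, so the three explanations raised in the thread can be told apart: no connection for the address pair (the "no IKE config found for A...B" line in George's log), an IKE or ESP proposal mismatch (Volodymyr's suspicion), and a traffic-selector mismatch against a GRE-mode VTI peer (Mohit's suspicion, with his two suggested fixes as the "gre" and "vti" conns). Addresses (RFC 5737 documentation ranges), conn names and proposal strings are constructed; the selector check is simplified (the peer's selector must fit inside the configured one and the protocol must agree unless no protoport is configured) and does not reproduce charon's exact algorithm.

```python
"""Toy model of an IKE responder's matching stages (constructed example, not charon code)."""
from dataclasses import dataclass
from ipaddress import ip_network

GRE = 47   # IP protocol number behind leftprotoport=gre / rightprotoport=gre
ANY = 0    # protocol wildcard (no protoport configured)


@dataclass(frozen=True)
class Conn:
    """One ipsec.conf 'conn' reduced to the fields the matching stages use."""
    name: str
    left: str                      # local address
    right: str                     # remote address, or '%any'
    ike: frozenset                 # IKE proposals this conn accepts
    esp: frozenset                 # ESP proposals this conn accepts
    leftsubnet: str = "0.0.0.0/0"
    rightsubnet: str = "0.0.0.0/0"
    leftproto: int = ANY           # leftprotoport=gre -> GRE
    rightproto: int = ANY


def find_ike_config(conns, me, other):
    """Stage 1: pick the conn for this address pair. A responder logs
    'no IKE config found for ME...OTHER' when nothing matches."""
    for c in conns:
        if c.left == me and c.right in ("%any", other):
            return c
    return None


def select_proposal(offered, accepted):
    """Stages 2 and 3: first proposal the peer offers that we also accept."""
    for p in offered:
        if p in accepted:
            return p
    return None


def ts_match(cfg_net, cfg_proto, peer_net, peer_proto):
    """Stage 4 (simplified): the peer's selector must fit inside ours, and
    the protocol must agree unless our side is unconstrained."""
    net_ok = ip_network(peer_net).subnet_of(ip_network(cfg_net))
    proto_ok = cfg_proto == ANY or cfg_proto == peer_proto
    return net_ok and proto_ok


def respond(conns, me, other, ike_offered, esp_offered, peer_local_ts, peer_remote_ts):
    """Run the stages in order; return ('OK', conn name) or ('NO_PROPOSAL_CHOSEN', why)."""
    conn = find_ike_config(conns, me, other)
    if conn is None:
        return "NO_PROPOSAL_CHOSEN", f"no IKE config found for {me}...{other}"
    if select_proposal(ike_offered, conn.ike) is None:
        return "NO_PROPOSAL_CHOSEN", "no acceptable IKE proposal"
    if select_proposal(esp_offered, conn.esp) is None:
        return "NO_PROPOSAL_CHOSEN", "no acceptable ESP proposal"
    if not (ts_match(conn.leftsubnet, conn.leftproto, *peer_local_ts)
            and ts_match(conn.rightsubnet, conn.rightproto, *peer_remote_ts)):
        return "NO_PROPOSAL_CHOSEN", "no matching traffic selectors"
    return "OK", conn.name


def demo():
    """Constructed scenarios; every address and name here is made up."""
    suite = frozenset({"aes256-sha1-modp1024"})
    # Option 2 from the thread: GRE stays on the ASR, selectors pinned to protocol GRE.
    gre_conn = Conn("gre", "192.0.2.10", "198.51.100.1", suite, suite,
                    leftproto=GRE, rightproto=GRE)
    # Option 1 from the thread: 'tunnel mode ipsec ipv4' on the ASR, any-any selectors.
    vti_conn = Conn("vti", "192.0.2.10", "198.51.100.1", suite, suite)
    ike, esp = ["aes256-sha1-modp1024"], ["aes256-sha1-modp1024"]
    gre_any = ("0.0.0.0/0", GRE)   # what a GRE-mode VTI peer proposes
    ip_any = ("0.0.0.0/0", ANY)    # what an 'ipsec ipv4' VTI peer proposes
    me, peer = "192.0.2.10", "198.51.100.1"
    return {
        "gre_peer_vs_gre_conn": respond([gre_conn], me, peer, ike, esp, gre_any, gre_any),
        "ip_peer_vs_gre_conn": respond([gre_conn], me, peer, ike, esp, ip_any, ip_any),
        "ip_peer_vs_vti_conn": respond([vti_conn], me, peer, ike, esp, ip_any, ip_any),
        "ike_mismatch": respond([gre_conn], me, peer, ["3des-sha1-modp1024"], esp, gre_any, gre_any),
        "unknown_peer": respond([gre_conn], me, "203.0.113.5", ike, esp, gre_any, gre_any),
    }


if __name__ == "__main__":
    for case, (status, detail) in demo().items():
        print(f"{case:22s} {status:19s} {detail}")
```

Running the script prints one line per scenario. The point of the ordering is diagnostic: a log line that names the address pair means the negotiation never reached proposal or selector matching, whereas a selector problem of the kind Mohit describes can only appear once a conn and a proposal have already been found.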