Hi all,

Please provide logs as shown on the HelpRequests page[1] on the wiki.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 18.01.21 at 12:44, Volodymyr Litovka wrote:
Hi George,

I don't remember exactly Cisco's commands to configure encryption, but it seems 
your config misses encryption settings for IKE negotiation. Your config on the Cisco 
side should look like the following:

! This is IKE encryption
crypto isakmp policy 10
   encryption ...
   hash ...
   group ...
   ...
! This is ESP encryption
crypto ipsec transform-set myset ...
!
crypto ipsec profile myprofile
   ...
   set transform-set myset
!
int tun151
  ...
  tunnel protection ipsec profile myprofile

and IKE encryption (isakmp policy) must match "ike" parameter in connection definition, 
while ESP encryption (ipsec transform-set) must match "esp" parameter.

Hope this'll help.

On 14.01.2021 22:38, george live wrote:
Hi all,
I am using strongSwan version 5.3 on AWS cloud and trying to set up IPsec with a 
Cisco ASR at the customer site. It is not a complex scenario but the logs are 
telling me that strongSwan is saying 'no proposals chosen'.

It is IKEv1, AES256, SHA1 and DH group 2.

Below are the configs:

Strongswan
=========
config setup
    charondebug="ike 1, knl 0, cfg 0"
conn BRKTUNEL
    authby=secret
    auto=route
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
    esp=aes256-sha-modp1024
    ike=aes256-sha-modp1024
    ikelifetime=86400s
    lifetime=1h
    keyexchange=ikev1
    keyingtries=%forever
    rekey=yes
    forceencaps=yes
    # Specifics
    left=2.2.2.2               # Local private ip
    leftsubnet=%dynamic[gre]   # Local VPC Subnet
    leftid=2.2.2.2
    leftfirewall=yes
    rightfirewall=no
    right=1.1.1.1              # Remote Tunnel IP
    rightid=%any
    rightsubnet=%dynamic[gre]  # Remote VPC Subnet
    type=tunnel

Customer ASR config
================
crypto isakmp profile abcd
 description Default profile
 vrf 10
 keyring cust_key
 match identity address 2.2.2.2
 keepalive 10 retry 2
 local-address 1.1.1.1
!
crypto keyring cust_key vrf 10
 description Key ring for vrf 10 peers
 local-address customer_ip vrf
 pre-shared-key address 2.2.2.2 key xxxxxxxxx
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipsec
 set transform-set cust1-xform
 set pfs group2
 set isakmp-profile abcd
!
interface Tunnel151
 description AWS
 vrf forwarding 10
 ip address 169.254.128.1 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source 1.1.1.1
 tunnel destination 2.2.2.2
 tunnel vrf 10
 tunnel protection ipsec profile ipsec
 ip virtual-reassembly

The debug log says 'no IKE config found for 1.1.1.1...2.2.2.2, sending 
NO_PROPOSAL_CHOSEN'

Any help is appreciated.

Thanks,
George

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison
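As an added example (not code from this thread, from strongSwan or from Cisco): a small Python checker for the point made in the reply above, that the strongSwan `ike=` proposal must correspond to a Cisco `crypto isakmp policy` and the `esp=` proposal to the transform-set plus PFS group. The algorithm-name tables and the constructed Cisco sample config are my own assumptions, written in the shape of the configs quoted above.

```python
import re
# Assumed mapping from strongSwan proposal tokens to the IOS keywords they correspond to
ENC = {"aes128": ("aes", "128"), "aes256": ("aes", "256"), "3des": ("3des", None)}
INTEG = {"sha": "sha", "sha1": "sha", "sha256": "sha256", "md5": "md5"}
DH = {"modp768": "1", "modp1024": "2", "modp1536": "5", "modp2048": "14"}

def parse_proposal(prop):
    # 'aes256-sha-modp1024' -> {'enc': 'aes', 'bits': '256', 'hash': 'sha', 'group': '2'}
    enc, integ, group = prop.rstrip("!").split("-")
    return {"enc": ENC[enc][0], "bits": ENC[enc][1], "hash": INTEG[integ], "group": DH[group]}

def parse_isakmp_policies(cfg):
    # Every 'crypto isakmp policy N' block, in the same shape as parse_proposal()
    policies, cur = [], None
    for line in cfg.splitlines():
        words = line.split()
        if line.startswith("crypto isakmp policy"):
            cur = dict.fromkeys(("enc", "bits", "hash", "group"))
            policies.append(cur)
        elif not line.startswith(" "):
            cur = None  # '!' or another top-level command ends the block
        elif cur is not None and words and words[0] in ("encryption", "hash", "group"):
            cur["enc" if words[0] == "encryption" else words[0]] = words[1]
            if words[0] == "encryption":  # IOS 'encryption aes' defaults to 128-bit keys
                cur["bits"] = words[2] if len(words) > 2 else ("128" if words[1] == "aes" else None)
    return policies

def parse_transform_set(cfg):
    # 'crypto ipsec transform-set NAME esp-aes 256 esp-sha-hmac' + 'set pfs groupN' -> same shape
    ts = re.search(r"^crypto ipsec transform-set \S+ esp-(\w+)(?: (\d+))? esp-(\w+)-hmac", cfg, re.M)
    pfs = re.search(r"^\s*set pfs group(\d+)\s*$", cfg, re.M)
    return {"enc": ts.group(1), "bits": ts.group(2) or ("128" if ts.group(1) == "aes" else None),
            "hash": ts.group(3), "group": pfs.group(1) if pfs else None}

def ike_matches(ike_prop, cfg):  # some isakmp policy equals the strongSwan ike= proposal
    return parse_proposal(ike_prop) in parse_isakmp_policies(cfg)

def esp_matches(esp_prop, cfg):  # transform-set plus PFS group equals the esp= proposal
    return parse_proposal(esp_prop) == parse_transform_set(cfg)

# Constructed Cisco-side sample in the shape of the thread's config, isakmp policy included
CISCO_OK = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha
 group 2
!
crypto ipsec transform-set cust1-xform esp-aes 256 esp-sha-hmac
crypto ipsec profile ipsec
 set pfs group2
"""
CISCO_NO_POLICY = CISCO_OK.split("!\n", 1)[1]  # same config minus the isakmp policy block
```

With the policy block absent, as in the config posted in the thread, `ike_matches` returns False while `esp_matches` still returns True, which isolates the IKE side as the mismatch.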

