On 1/5/22 1:21 PM, Adam Cécile wrote:
On 1/5/22 11:12 AM, Adam Cécile wrote:
Hello,
I'm replacing a Cisco endpoint with strongSwan; sadly, all I tried
ended up in NO_PROPOSAL_CHOSEN...
The relevant Cisco bit (which is connecting with the peer just fine) is:
crypto ipsec transform-set TunnelName esp-3des esp-sha256-hmac
Can someone help me convert this into strongSwan ike/esp config
options (I would also be very interested in understanding how to
do such a conversion...)
Thanks in advance,
Best regards, Adam.
Here are the details of the connection established on the Cisco
that is to be replaced:
interface: GigabitEthernet0/0/1
Crypto map tag: MapName, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
current_peer 2.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 247, #pkts encrypt: 247, #pkts digest: 247
#pkts decaps: 276, #pkts decrypt: 276, #pkts verify: 276
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 2.2.2.2
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x2CA0EB8F(748743567)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC2B47C97(3266608279)
transform: esp-3des esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2001, flow_id: ESG:1, sibling_flags FFFFFFFF80000048,
crypto map: MapName
sa timing: remaining key lifetime (k/sec): (4607846/2940)
IV size: 8 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2CA0EB8F(748743567)
transform: esp-3des esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 2002, flow_id: ESG:2, sibling_flags FFFFFFFF80000048,
crypto map: MapName
sa timing: remaining key lifetime (k/sec): (4607966/2940)
IV size: 8 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
I'm pretty sure I got the proper ike parameter: ike=3des-sha2_256-modp1024
After setting this one, I get some more logs from strongSwan:
Jan 5 12:55:05 vpn ipsec[765]: 13[IKE] <tunnel-name|96> initiating Main Mode IKE_SA tunnel-name[96] to 2.2.2.2
Jan 5 12:55:05 vpn ipsec[765]: 13[ENC] <tunnel-name|96> generating ID_PROT request 0 [ SA V V V V V ]
Jan 5 12:55:05 vpn ipsec[765]: 13[NET] <tunnel-name|96> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (236 bytes)
Jan 5 12:55:05 vpn ipsec[765]: 12[NET] <tunnel-name|96> received packet: from 2.2.2.2[500] to 1.1.1.1[500] (96 bytes)
Jan 5 12:55:05 vpn ipsec[765]: 12[ENC] <tunnel-name|96> parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Jan 5 12:55:05 vpn ipsec[765]: 12[IKE] <tunnel-name|96> received NO_PROPOSAL_CHOSEN error notify
Jan 5 12:55:09 vpn ipsec[765]: 16[IKE] <tunnel-name|98> initiating Main Mode IKE_SA tunnel-name[98] to 2.2.2.2
Jan 5 12:55:09 vpn ipsec[765]: 16[ENC] <tunnel-name|98> generating ID_PROT request 0 [ SA V V V V V ]
Jan 5 12:55:09 vpn ipsec[765]: 16[NET] <tunnel-name|98> sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (236 bytes)
Can you confirm these logs mean the ike setting is correct? Any idea
regarding esp? No luck yet...
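Two things a practitioner would want to check against the material quoted above, shown as an added example (this is editor's code written for this thread, not strongSwan or Cisco code). First, the transform-set maps mechanically: Cisco `esp-3des esp-sha256-hmac` with `PFS (Y/N): N` is strongSwan `esp=3des-sha256` (`sha256` is an alias of `sha2_256`, the RFC 4868 HMAC-SHA-256 with 128-bit ICV; `sha256_96` exists only for peers that use the old 96-bit truncation). Second, the log shows where the rejection happens: in IKEv1 Main Mode the first message carries only the ISAKMP SA proposal plus vendor IDs (`[ SA V V V V V ]`), so a NO_PROPOSAL_CHOSEN answering it can only concern the `ike=` proposal; `esp=` is first proposed in Quick Mode, which never started here. The `show crypto ipsec sa` output above describes phase 2 only; the phase 1 parameters live in `show crypto isakmp policy` on the IOS side. The conn name `tunnel-name`, the `ike=` value (taken from the thread's own guess) and the sample log lines (constructed from the quoted log) are assumptions of the example.

```python
"""Translate a Cisco IOS transform-set into strongSwan esp=/ah= proposals and
tell from strongSwan IKEv1 logs which phase a NO_PROPOSAL_CHOSEN answered.
Added example for this thread; not strongSwan or Cisco code."""
import re

# Cisco IOS transform-set keywords -> strongSwan algorithm names.
_ENCR = {"esp-null": "null", "esp-des": "des", "esp-3des": "3des",
         "esp-aes": "aes", "esp-gcm": "gcm", "esp-gmac": "gmac"}
_INTEG = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
          "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512"}
_AH = {"ah-md5-hmac": "md5", "ah-sha-hmac": "sha1", "ah-sha256-hmac": "sha256",
       "ah-sha384-hmac": "sha384", "ah-sha512-hmac": "sha512"}
# Cisco DH group number ('set pfs groupN', isakmp 'group N') -> strongSwan name.
_DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
       "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384",
       "21": "ecp521", "24": "modp2048s256"}


def transform_set_to_strongswan(line, pfs_group=None, transport=False):
    """Map one 'crypto ipsec transform-set NAME ...' line to ipsec.conf keys.
    pfs_group: N from 'set pfs groupN' in the crypto map (None for 'PFS: N').
    transport: True when the transform-set carries 'mode transport'."""
    tokens = line.split()
    if tokens[:3] != ["crypto", "ipsec", "transform-set"] or len(tokens) < 5:
        raise ValueError("not a transform-set line: %r" % line)
    name, rest = tokens[3], tokens[4:]
    encr = integ = ah = None
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok in _ENCR:
            size = "128"  # IOS default key size for esp-aes / esp-gcm / esp-gmac
            if i + 1 < len(rest) and rest[i + 1] in ("128", "192", "256"):
                size, i = rest[i + 1], i + 1
            alg = _ENCR[tok]
            if alg == "aes":
                encr = "aes" + size
            elif alg == "gcm":
                encr = "aes%sgcm16" % size  # AES-GCM with the 16-byte ICV
            elif alg == "gmac":
                encr = "aes%sgmac" % size
            else:
                encr = alg
        elif tok in _INTEG:
            integ = _INTEG[tok]
        elif tok in _AH:
            ah = _AH[tok]
        elif tok == "comp-lzs":
            pass  # LZS has no strongSwan equivalent (compress=yes is DEFLATE)
        else:
            raise ValueError("unknown transform-set keyword %r" % tok)
        i += 1
    out = {"name": name}
    dh = [_DH[pfs_group]] if pfs_group else []
    if encr or integ:
        out["esp"] = "-".join([p for p in (encr, integ) if p] + dh)
    if ah:
        out["ah"] = "-".join([ah] + dh)
    if transport:
        out["type"] = "transport"
    return out


def render_conn(conn_name, mapping, ike):
    """Render an ipsec.conf conn block. ike= must come from the peer's
    'show crypto isakmp policy'; a transform-set says nothing about phase 1."""
    lines = ["conn %s" % conn_name, "    keyexchange=ikev1", "    ike=%s" % ike]
    lines += ["    %s=%s" % (k, mapping[k]) for k in ("esp", "ah", "type") if k in mapping]
    return "\n".join(lines)


_SA_RE = re.compile(r"<[^|>]+\|(\d+)>")
_GEN_RE = re.compile(r"generating (ID_PROT|AGGRESSIVE|QUICK_MODE) request")


def classify_no_proposal(log_lines):
    """For each IKE_SA that got NO_PROPOSAL_CHOSEN, say what was rejected:
    'ike' if the notify answered a Main/Aggressive Mode request (only the
    ISAKMP SA proposal has been sent by then), 'esp' if it answered a
    Quick Mode request (the IPsec SA proposal), 'unknown' otherwise."""
    last_exchange, verdict = {}, {}
    for line in log_lines:
        m = _SA_RE.search(line)
        if not m:
            continue
        sa_id = int(m.group(1))
        g = _GEN_RE.search(line)
        if g:
            last_exchange[sa_id] = g.group(1)
        elif "NO_PROPOSAL_CHOSEN" in line:
            exch = last_exchange.get(sa_id)
            verdict[sa_id] = {"QUICK_MODE": "esp", None: "unknown"}.get(exch, "ike")
    return verdict


# Constructed sample input, taken from the values quoted in the thread.
CISCO_TRANSFORM_SET = "crypto ipsec transform-set TunnelName esp-3des esp-sha256-hmac"
SAMPLE_LOG = [
    "13[IKE] <tunnel-name|96> initiating Main Mode IKE_SA tunnel-name[96] to 2.2.2.2",
    "13[ENC] <tunnel-name|96> generating ID_PROT request 0 [ SA V V V V V ]",
    "12[ENC] <tunnel-name|96> parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]",
    "12[IKE] <tunnel-name|96> received NO_PROPOSAL_CHOSEN error notify",
    "16[ENC] <tunnel-name|98> generating ID_PROT request 0 [ SA V V V V V ]",
]

if __name__ == "__main__":
    mapping = transform_set_to_strongswan(CISCO_TRANSFORM_SET)  # PFS (Y/N): N
    print(render_conn("tunnel-name", mapping, ike="3des-sha256-modp1024"))
    print(classify_no_proposal(SAMPLE_LOG))  # {96: 'ike'}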