Issue #1127
Updated by Tobias Brunner almost 10 years ago
Cisco Router: WAN - public IP; LAN 192.168.40.0/32 - SiteA
Server: WAN - public IP; LAN 192.168.246.0/32 - SiteB
Cisco Router
<pre>
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy ike2policy
match fvrf any
proposal ikev2proposal
!
crypto ikev2 keyring keys
peer s5-gw-sing
address SiteB
pre-shared-key local cisco
pre-shared-key remote cisco
!
!
!
crypto ikev2 profile ikev2profile
match address local interface GigabitEthernet0/0
match identity remote address SiteB
authentication remote pre-share
authentication local pre-share
keyring local keys
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco address SiteB no-xauth
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
crypto map cmap 10 ipsec-isakmp
set peer SiteB
set transform-set TS
set pfs group2
set ikev2-profile ikev2profile
match address AWS_S
!
interface GigabitEthernet0/0
ip address SiteA
ip nat outside
ip virtual-reassembly in
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map cmap
p access-list extended AWS_S
permit ip 192.168.40.0 0.0.0.255 192.168.246.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 10.5.5.0 0.0.0.255
</pre>
#################################################################################
AWS
<pre>
[root@s5-gw-sing ipsec.d]# cat .conf
conn cisco
authby=psk
type=tunnel
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
right=SiteA
left=%defaultroute
leftsubnet=192.168.246.0/24
leftfirewall=yes
rightsubnet=192.168.40.0/24
keyexchange=ikev2
rightallowany=yes
ike=aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1-modp1536
esp=aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1, 3des-md5
auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
SiteA : PSK "cisco"
robu.ddns.net : PSK "N9918412"
1.178.3.4 192.168.246.110 : PSK "N9918412"
: RSA /etc/strongswan/ipsec.d/private/vpngw01Key.pem #vpngw01Key.pem
</pre>
##################################################################################
Output:
<pre>
initiating IKE_SA hemantg[234] to SiteA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.246.110[500] to 112.196.55.66[500] (1356 bytes)
received packet: from 112.196.55.66[500] to 192.168.246.110[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=pc1.symstream.com"
sending cert request for "C=AU, OU=RnD, O=Symstream, CN=test-name.rnd.symstream.com"
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=pc1.symstream.com"
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=in-gw1.symstream.com"
sending cert request for "C=AU, O=Symstream, OU=RnD, CN=vpngw01.symstream.com"
no IDi configured, fall back on IP address
authentication of '192.168.246.110' (myself) with pre-shared key
establishing CHILD_SA hemantg
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (524 bytes)
received packet: from 112.196.55.66[4500] to 192.168.246.110[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'hemantg' failed
</pre>
Server: WAN - public IP; LAN 192.168.246.0/32 - SiteB
Cisco Router
<pre>
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy ike2policy
match fvrf any
proposal ikev2proposal
!
crypto ikev2 keyring keys
peer s5-gw-sing
address SiteB
pre-shared-key local cisco
pre-shared-key remote cisco
!
!
!
crypto ikev2 profile ikev2profile
match address local interface GigabitEthernet0/0
match identity remote address SiteB
authentication remote pre-share
authentication local pre-share
keyring local keys
crypto isakmp policy 1
authentication pre-share
group 2
crypto isakmp key cisco address SiteB no-xauth
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
crypto map cmap 10 ipsec-isakmp
set peer SiteB
set transform-set TS
set pfs group2
set ikev2-profile ikev2profile
match address AWS_S
!
interface GigabitEthernet0/0
ip address SiteA
ip nat outside
ip virtual-reassembly in
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map cmap
p access-list extended AWS_S
permit ip 192.168.40.0 0.0.0.255 192.168.246.0 0.0.0.255
permit ip 192.168.40.0 0.0.0.255 10.5.5.0 0.0.0.255
</pre>
#################################################################################
AWS
<pre>
[root@s5-gw-sing ipsec.d]# cat .conf
conn cisco
authby=psk
type=tunnel
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
right=SiteA
left=%defaultroute
leftsubnet=192.168.246.0/24
leftfirewall=yes
rightsubnet=192.168.40.0/24
keyexchange=ikev2
rightallowany=yes
ike=aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1-modp1536
esp=aes256-sha1-modp1024, aes128-sha1-modp1024, aes128-sha1, 3des-md5
auto=add
# /etc/ipsec.secrets - strongSwan IPsec secrets file
SiteA : PSK "cisco"
robu.ddns.net : PSK "N9918412"
1.178.3.4 192.168.246.110 : PSK "N9918412"
: RSA /etc/strongswan/ipsec.d/private/vpngw01Key.pem #vpngw01Key.pem
</pre>
##################################################################################
Output:
<pre>
initiating IKE_SA hemantg[234] to SiteA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 192.168.246.110[500] to 112.196.55.66[500] (1356 bytes)
received packet: from 112.196.55.66[500] to 192.168.246.110[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=pc1.symstream.com"
sending cert request for "C=AU, OU=RnD, O=Symstream, CN=test-name.rnd.symstream.com"
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=pc1.symstream.com"
sending cert request for "C=IN, O=Symstream, OU=RnD, CN=in-gw1.symstream.com"
sending cert request for "C=AU, O=Symstream, OU=RnD, CN=vpngw01.symstream.com"
no IDi configured, fall back on IP address
authentication of '192.168.246.110' (myself) with pre-shared key
establishing CHILD_SA hemantg
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 192.168.246.110[4500] to 112.196.55.66[4500] (524 bytes)
received packet: from 112.196.55.66[4500] to 192.168.246.110[4500] (76 bytes)
parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
received AUTHENTICATION_FAILED notify error
establishing connection 'hemantg' failed
</pre>