I'm trying to establish an IPsec connection from a Raspberry Pi running strongSwan (Linux strongSwan U5.5.1/K4.14.50+) to a Cisco router.
This is the strongSwan output:
    root@raspberrypi:~# ipsec up Ciscoios
    initiating Main Mode IKE_SA Ciscoios[1] to x.x.x.138
    generating ID_PROT request 0 [ SA V V V V V ]
    sending packet: from x.x.x.118[500] to x.x.x.138[500] (180 bytes)
    received packet: from x.x.x.138[500] to x.x.x.118[500] (104 bytes)
    parsed ID_PROT response 0 [ SA V ]
    received NAT-T (RFC 3947) vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from x.x.x.118[500] to x.x.x.138[500] (244 bytes)
    received packet: from x.x.x.138[500] to x.x.x.118[500] (304 bytes)
    parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
    received Cisco Unity vendor ID
    received DPD vendor ID
    received unknown vendor ID: d4:35:02:b0:57:db:41:f3:0a:fc:a9:73:1f:79:b2:e4
    received XAuth vendor ID
    generating ID_PROT request 0 [ ID HASH ]
    sending packet: from x.x.x.118[500] to x.x.x.138[500] (84 bytes)
    received packet: from x.x.x.138[500] to x.x.x.118[500] (68 bytes)
    parsed ID_PROT response 0 [ ID HASH ]
    IKE_SA Ciscoios[1] established between x.x.x.118[user@domain.com]...x.x.x.138[x.x.x.138]
    scheduling reauthentication in 86201s
    maximum IKE_SA lifetime 86381s
    generating QUICK_MODE request 3400625212 [ HASH SA No ID ID ]
    sending packet: from x.x.x.118[500] to x.x.x.138[500] (172 bytes)
    received packet: from x.x.x.138[500] to x.x.x.118[500] (84 bytes)
    parsed INFORMATIONAL_V1 request 1129071936 [ HASH N(NO_PROP) ]
    received NO_PROPOSAL_CHOSEN error notify
    establishing connection 'Ciscoios' failed
This is the ipsec.conf:
    # ipsec.conf - strongSwan IPsec configuration file

    config setup
        strictcrlpolicy=no
        #charondebug="ike 4, knl 4, cfg 2" #useful debugs
        uniqueids = no

    conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

    conn Ciscoios
        left=x.x.x.118
        leftid=fqdn:user@domain.com
        leftsubnet=10.10.145.0/24
        leftfirewall=no
        right=x.x.x.138
        rightsubnet=x.x.x.138/32
        rightid=x.x.x.138
        rightauth=psk
        leftauth=psk
        auto=add
        ike=3des-sha1-modp1024!
        esp=3des-sha1!
On the Cisco I have configured this:
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
     mode transport
    crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
     mode transport
    !
    crypto dynamic-map TEST
     description ipsecTest
     set transform-set ESP-NULL-MD5 ESP-3DES-MD5
     set isakmp-profile Routing
     match address IPSEC
I think I might have the wrong parameters set for ike and esp in the ipsec.conf.
The IPsec config on the Cisco works fine with another Cisco router as the peer, but not with the Raspberry Pi.
Can anyone help?
Best Answer
The ESP proposal in the strongSwan config must match that of the Cisco box, so change it to

    esp=3des-md5!

or, alternatively, modify the Cisco config to use SHA-1 as the integrity algorithm. Be aware that these are all very weak algorithms.