Strongswan NO_PROPOSAL_CHOSEN Error with Cisco Router – Fix

Tags: cisco, ipsec, linux, strongswan

I'm trying to establish an IPsec connection from a Raspberry Pi running strongSwan (Linux strongSwan U5.5.1/K4.14.50+) to a Cisco router.

This is the Strongswan output:

root@raspberrypi:~# ipsec up Ciscoios
initiating Main Mode IKE_SA Ciscoios[1] to x.x.x.138
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (180 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (244 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: d4:35:02:b0:57:db:41:f3:0a:fc:a9:73:1f:79:b2:e4
received XAuth vendor ID
generating ID_PROT request 0 [ ID HASH ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (84 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Ciscoios[1] established between x.x.x.118[user@domain.com]...x.x.x.138[x.x.x.138]
scheduling reauthentication in 86201s
maximum IKE_SA lifetime 86381s
generating QUICK_MODE request 3400625212 [ HASH SA No ID ID ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (172 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (84 bytes)
parsed INFORMATIONAL_V1 request 1129071936 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'Ciscoios' failed

This is the ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    #charondebug="ike 4, knl 4, cfg 2"    #useful debugs
    uniqueids = no



conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn Ciscoios
    left=x.x.x.118
    leftid=fqdn:user@domain.com
    leftsubnet=10.10.145.0/24
    leftfirewall=no
    right=x.x.x.138
    rightsubnet=x.x.x.138/32
    rightid=x.x.x.138
    rightauth=psk
    leftauth=psk
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!

On the Cisco I have configured this:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
mode transport

crypto dynamic-map TEST
description ipsecTest
set transform-set ESP-NULL-MD5 ESP-3DES-MD5
set isakmp-profile Routing
match address IPSEC

I think I might have the wrong parameters set for ike and esp in the ipsec.conf.
The ipsec config on the Cisco works fine with another Cisco router as a peer but not with the Raspberry Pi.
Can anyone help?

Best Answer

The ESP proposal in the strongSwan config must match that of the Cisco box, so change it to esp=3des-md5!, or, alternatively, modify the Cisco config to use SHA-1 as integrity algorithm.

Be aware that these are all very weak algorithms.
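As an added illustration (not code from the question or the answer): a small Python checker that parses the strongSwan esp= line and the Cisco transform-set lines quoted above, reports whether any ESP proposal is common to both sides (the posted pair has none, which is what the NO_PROPOSAL_CHOSEN notify in the log reflects), and lists the weak algorithms either side offers. The Cisco-to-strongSwan name mapping and the sample configuration strings are assumptions reconstructed from the question; the checker compares algorithms only, not the encapsulation mode or the Phase 1 (ISAKMP) policy.

```python
import re
# Cisco IOS transform-set keywords -> strongSwan esp= names (assumed mapping: the question's algorithms + common AES/SHA).
CISCO_TO_SWAN = {
    "esp-null": ("enc", "null"), "esp-3des": ("enc", "3des"),
    "esp-aes": ("enc", "aes128"), "esp-aes 256": ("enc", "aes256"),
    "esp-md5-hmac": ("int", "md5"), "esp-sha-hmac": ("int", "sha1"),
    "esp-sha256-hmac": ("int", "sha256"),
}
WEAK = {"null", "des", "3des", "md5"}  # reported separately, as the answer warns

def parse_cisco_transform_sets(text):
    """Return {set_name: (enc, integ)} for every 'crypto ipsec transform-set' line."""
    sets = {}
    for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", text):
        found = {}
        # longest keyword first so 'esp-aes 256' is not mistaken for 'esp-aes'; setdefault keeps the first hit per kind
        for kw in sorted(CISCO_TO_SWAN, key=len, reverse=True):
            if re.search(rf"\b{re.escape(kw)}\b", m.group(2)):
                found.setdefault(*CISCO_TO_SWAN[kw])
        sets[m.group(1)] = (found.get("enc"), found.get("int"))
    return sets

def parse_swan_esp(value):
    """Parse an esp= value such as '3des-sha1!' into ([(enc, integ), ...], strict)."""
    props = []
    for prop in value.rstrip("!").split(","):
        parts = prop.split("-")  # enc[-integ[-dhgroup]]; the DH group is not compared here
        props.append((parts[0], parts[1] if len(parts) > 1 else None))
    return props, value.endswith("!")

def find_match(swan_props, cisco_sets):
    """First (strongSwan proposal, Cisco set name) both peers accept, or None."""
    for prop in swan_props:
        for name, algs in cisco_sets.items():
            if prop == algs:
                return prop, name
    return None

def weak_algorithms(swan_props, cisco_sets):
    """Sorted weak algorithm names offered by either side."""
    offered = {a for p in swan_props for a in p} | {a for s in cisco_sets.values() for a in s}
    return sorted(offered & WEAK)

# Constructed sample: the esp= line and the Cisco transform sets quoted in the question.
SWAN_ESP = "3des-sha1!"
CISCO_CFG = """crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
 mode transport
"""
```

`find_match(parse_swan_esp(SWAN_ESP)[0], parse_cisco_transform_sets(CISCO_CFG))` returns None for the posted pair and `(('3des', 'md5'), 'ESP-3DES-MD5')` once the strongSwan side uses esp=3des-md5!, while `weak_algorithms` lists 3des, md5 and null for this configuration.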