1

We are in process of replacing a Microsoft TMG server with a CentOS server. For VPN we decided to use strongswan due to instabilities with libreswan. But, strongswan has some weird issues with several subnets on either side. The current (libreswan) working config has leftsubnets={10.x.x.0/24,172.y.y.0/24} and rightsubnets={10.y.y.0/24,172.z.z.0/24}. How to port this libreswan configuration to strongswan? I have tried making several conns with a single leftsubnet and rightsubnet in each, configuration file seems to be parsed properly, but no SAs get established (connecting 0, up 0). Do I miss a something?

Current config is like this:

conn hmmm
  left=86.x.x.x
  right=y.y.y.84
  keyexchange=ikev1
  authby=secret
  type=tunnel
  auto=start
  ike=aes256-sha1-modp1024
  rekey=yes
  leftsubnet=10.x.x.0/24
  rightsubnet=10.y.y.0/24

conn hmmm-2
  also=hmmm
  leftsubnet=172.y.y.0/24
  rightsubnet=172.z.z.0/24

Logs say "no proposal", however this IKEv1 setting is what worked with libreswan. The other end is Cisco ASA under our control, but since we need an in-place swap of firewalls, we cannot perform connection upgrade to IKEv2.

Vesper
  • 794
  • 1
  • 9
  • 32
  • 1
    "No proposal chosen" indicates an issue with the ESP proposal (or the IKE proposal depending when exactly you receive the error). Please provide more information, like logs, strongSwan version etc. – ecdsa Nov 29 '17 at 10:58
  • @ecdsa Well, I missed `esp` parameter to build quick mode SAs with. The libreswan analog was `phase2alg` but I misread the manual at first and thought I just need to specify `ike` and it'll be also used for encryption proposal. The idea was pretty correct, but I now need to create a subconnection for each pair of subnets that MIGHT connect via this VPN, or else it fails. – Vesper Nov 30 '17 at 10:30

1 Answers1

0

This configuration misses esp parameter to specify IKEv1 quick mode parameters to be used with IPsec connection in question. Just that. Extra parameters were leftauth=psk and rightauth=psk to conform with non-deprecated syntax (authby is deprecated), mobike=no just in case, and ikelifetime=8h and lifebytes=4608000000 to match the other side's SA lifetime settings. This is the missing line:

esp = aes256-sha1-modp1024,aes192-sha1-modp1024,aes128-sha1-modp1024

I was expecting ESP to use IKE parameters to set up quick mode SAs, but probably misread the manual.

Vesper
  • 794
  • 1
  • 9
  • 32