Config was tested between StrongSwan 5.9.1 on Debian and Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.8(3)M6


  • Strongswan host:
    • public IP:
    • private IP:
  • Cisco router:
    • public IP:
    • LAN:


crypto ikev2 proposal AES256-SHA256-DH20
 encryption aes-cbc-256
 integrity sha256
 group 20

no crypto ikev2 proposal default
no crypto ikev2 policy default
crypto ikev2 policy ikev2-on-wan
 proposal AES256-SHA256-DH20
crypto ikev2 profile
 match address local
 match identity remote fqdn
 identity local fqdn
 authentication remote pre-share key 123456
 authentication local pre-share key 123456

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map 10 ipsec-isakmp
 set peer
 set transform-set ESP-AES-SHA
 set pfs group20
 set ikev2-profile
 match address STRONGSWAN-to-CISCO

interface Dialer100
 description INTERNET
 --- snip ---
 crypto map to-Nexon-corp-dmz

ip access-list extended STRONGSWAN-to-CISCO
 permit ip host

StrongSwan host

Add the following line to the existing /etc/ipsec.secrets file:

: PSK "123456"

New file /etc/swanctl/conf.d/

connections {
    cisco-example-com {
      version = 2
      remote_addrs =
      # AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
      proposals = aes256-sha2_256-prfsha256-ecp384
      mobike = no
      fragmentation = no
      local {
        auth = psk
        id =
      }
      remote {
        id =
        auth = psk
      }
      children {
        cisco-example-com {
          # ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
          esp_proposals = aes256-sha2_256
          start_action = trap
          local_ts  =
          remote_ts =
        }
      }
    }
}

For some reason Cisco does not like MOBIKE and IKE fragmentation, so both need to be disabled; otherwise the tunnel can only be established from the Cisco side. start_action = trap is added to the config so that the tunnel is only established when "interesting" traffic (matching local_ts/remote_ts) is detected.
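The comment above the proposals line (AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384) is the strongSwan rendering of the router's "crypto ikev2 proposal AES256-SHA256-DH20". The following Python snippet is an added example, not part of the original page: it translates the Cisco IOS proposal and transform-set lines shown above into swanctl proposal strings so both sides can be compared before the tunnel is brought up. The keyword tables and the sample input are assumptions based on the IOS keywords used on this page; the translator also renders the crypto map's "set pfs group20" as a trailing ecp384 in esp_proposals, which the child config above does not carry.

```python
import re

# Cisco IOS IKEv2 keyword -> strongSwan proposal keyword (assumed mapping).
ENC = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192", "aes-cbc-256": "aes256"}
INTEG = {"sha1": "sha1", "sha256": "sha2_256", "sha384": "sha2_384", "sha512": "sha2_512"}
PRF = {"sha1": "prfsha1", "sha256": "prfsha256", "sha384": "prfsha384", "sha512": "prfsha512"}
# IANA DH group numbers as used by IOS "group N" / "set pfs groupN"; group 20 is ECP_384.
DH = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "19": "ecp256", "20": "ecp384", "21": "ecp521"}
ESP_INTEG = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha2_256", "esp-sha384-hmac": "sha2_384", "esp-sha512-hmac": "sha2_512"}

# Constructed input: the router-side lines from this page.
CISCO_IKEV2_PROPOSAL = ["crypto ikev2 proposal AES256-SHA256-DH20",
                        " encryption aes-cbc-256", " integrity sha256", " group 20"]
CISCO_TRANSFORM_SET = "crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac"
CISCO_PFS = " set pfs group20"

def ikev2_proposal_to_swanctl(lines):
    """'crypto ikev2 proposal' block -> swanctl 'proposals' value.
    IOS uses the integrity hash as PRF unless an explicit 'prf' line is given."""
    algs = {}
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[0] in ("encryption", "integrity", "prf", "group"):
            algs[parts[0]] = parts[1]
    missing = {"encryption", "integrity", "group"} - set(algs)
    if missing:
        raise ValueError(f"proposal is missing {sorted(missing)}")
    prf = PRF[algs.get("prf", algs["integrity"])]
    return f"{ENC[algs['encryption']]}-{INTEG[algs['integrity']]}-{prf}-{DH[algs['group']]}"

def transform_set_to_swanctl(transform_line, pfs_line=None):
    """'esp-aes N esp-shaX-hmac' (+ optional crypto-map 'set pfs groupN') ->
    swanctl 'esp_proposals' value; PFS is expressed as a trailing DH group."""
    m = re.search(r"esp-aes (\d+)\s+(esp-sha\S*-hmac)", transform_line)
    if not m:
        raise ValueError("unsupported transform-set")
    proposal = f"aes{m.group(1)}-{ESP_INTEG[m.group(2)]}"
    if pfs_line:
        proposal += "-" + DH[re.search(r"group(\d+)", pfs_line).group(1)]
    return proposal

if __name__ == "__main__":
    ike = ikev2_proposal_to_swanctl(CISCO_IKEV2_PROPOSAL)
    print("IKE:", ike, ike == "aes256-sha2_256-prfsha256-ecp384")
    esp = transform_set_to_swanctl(CISCO_TRANSFORM_SET, CISCO_PFS)
    print("ESP:", esp, esp == "aes256-sha2_256")  # differs only by the PFS group
```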

Useful swanctl commands

  • swanctl -q: reload the configuration
  • swanctl -l: list active tunnels
  • swanctl -t --ike cisco-example-com: terminate the existing IPsec and IKE SAs
  • swanctl -i --child cisco-example-com: try to establish IKE + IPsec; good for debugging