This config was tested between strongSwan 5.9.1 on Debian and Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.8(3)M6.

Setup

  • strongSwan host:
    • public IP: 2.2.2.2
    • private IP: 192.168.192.168
  • Cisco router:
    • public IP: 3.3.3.3
    • LAN: 10.10.10.1/24

Cisco

crypto ikev2 proposal AES256-SHA256-DH20
 encryption aes-cbc-256
 integrity sha256
 group 20

no crypto ikev2 proposal default
!
no crypto ikev2 policy default
!
crypto ikev2 policy ikev2-on-wan
 proposal AES256-SHA256-DH20
!
crypto ikev2 profile strongswan.example.com
 match address local 3.3.3.3
 match identity remote fqdn strongswan.example.com
 identity local fqdn cisco.example.com
 authentication remote pre-share key 123456
 authentication local pre-share key 123456

crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map to-strongswan.example.com 10 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set ESP-AES-SHA
 set pfs group20
 set ikev2-profile strongswan.example.com
 match address STRONGSWAN-to-CISCO

interface Dialer100
 description INTERNET
 --- snip ---
 crypto map to-strongswan.example.com

ip access-list extended STRONGSWAN-to-CISCO
 permit ip 10.10.10.0 0.0.0.255 host 192.168.192.168

strongSwan host

Add the PSK to the existing /etc/ipsec.secrets file. This works when charon is started by the ipsec starter, which loads ipsec.secrets through the stroke plugin; on a swanctl-only host running charon-systemd, put the same key in a secrets section of a file under /etc/swanctl/conf.d instead. Replace the placeholder 123456 with a long random key before use; the same string has to be configured on both sides.

cisco.example.com : PSK "123456"

New file /etc/swanctl/conf.d/cisco.example.com.conf

connections {
  cisco-example-com {
    version = 2
    remote_addrs = 3.3.3.3
    # IKE: AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
    # (ecp384 is Cisco's "group 20")
    proposals = aes256-sha2_256-prfsha256-ecp384
    # this IOS release would not complete the exchange with either enabled
    mobike = no
    fragmentation = no
    local {
      auth = psk
      id = strongswan.example.com
    }
    remote {
      auth = psk
      id = cisco.example.com
    }
    children {
      cisco-example-com {
        # ESP: AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
        # no DH group here, so no PFS is requested on rekey
        # (the Cisco crypto map has "set pfs group20", i.e. ecp384)
        esp_proposals = aes256-sha2_256
        # install a trap policy; negotiate only when matching traffic appears
        start_action = trap
        local_ts  = 192.168.192.168/32
        remote_ts = 10.10.10.0/24
      }
    }
  }
}

With MOBIKE or IKEv2 fragmentation enabled on the strongSwan side, this IOS release would not complete the exchange when strongSwan was the initiator, so the tunnel only came up when the Cisco side initiated it. With both disabled it comes up from either side. start_action = trap installs a trap policy in the kernel instead of negotiating at daemon start: the IKE_SA and CHILD_SA are set up only when a packet matching the traffic selectors ("interesting" traffic) appears.

Note on PFS: the Cisco crypto map carries set pfs group20, while esp_proposals above lists no DH group, so strongSwan never requests PFS and a CHILD_SA rekey initiated by the Cisco side with group 20 may be rejected with NO_PROPOSAL_CHOSEN. Either add the group on the strongSwan side (esp_proposals = aes256-sha2_256-ecp384; ecp384 is the same curve as group 20) or remove set pfs group20 from the crypto map so both ends agree. Keeping PFS is the better choice.

Useful swanctl commands

  • swanctl -q: reload connections and credentials from the swanctl.conf files (run after editing the connection file)
  • swanctl -l: list active IKE and CHILD SAs, including the negotiated algorithms
  • swanctl -P: list installed policies; with start_action = trap the trap policy should show up here even before any SA exists
  • swanctl -t --ike cisco-example-com: terminate the IKE_SA together with its CHILD_SAs
  • swanctl -i --child cisco-example-com: initiate the CHILD_SA (and the IKE_SA if needed) without waiting for matching traffic; good for debugging
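The algorithm strings printed by swanctl -l (the same notation as the comments in the connection file above) tell you what was actually negotiated, which is not always what was configured. The checker below is an added example, not code from the original page or from the strongSwan project: it parses a swanctl --list-sas dump and compares it with the policy on this page (IKE proposal, ESP algorithms, peer identities, traffic selectors and SA states), and reports the "nothing negotiated yet" case that a trap policy produces before the first matching packet. The SAMPLE dump is constructed to match this page's setup rather than captured from the author's host, and the names parse_list_sas, check_policy and pfs_group are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample `swanctl --list-sas` dump for the connection above (not captured).
SAMPLE = """\
cisco-example-com: #3, ESTABLISHED, IKEv2, 6f2e1a9c0b4d5e7f_i* 1a2b3c4d5e6f7081_r
  local  'strongswan.example.com' @ 2.2.2.2[500]
  remote 'cisco.example.com' @ 3.3.3.3[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384
  established 57s ago, rekeying in 13547s
  cisco-example-com: #5, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    in  c9a1e2f3,   1240 bytes,    12 packets,     3s ago
    local  192.168.192.168/32
    remote 10.10.10.0/24
"""

# Intended policy, written the way swanctl prints negotiated algorithms.
CONN = "cisco-example-com"
EXPECTED_IKE = "AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384"
EXPECTED_ESP = ("AES_CBC-256", "HMAC_SHA2_256_128")
EXPECTED_IDS = ("strongswan.example.com", "cisco.example.com")
EXPECTED_TS = ("192.168.192.168/32", "10.10.10.0/24")
DH_PREFIXES = ("MODP_", "ECP_", "CURVE_")   # DH group tokens, e.g. ECP_384

@dataclass
class ChildSa:
    name: str
    state: str
    mode: str
    esp: List[str]              # tokens after "ESP:", e.g. ["AES_CBC-256", ...]
    local_ts: Optional[str] = None
    remote_ts: Optional[str] = None

@dataclass
class IkeSa:
    name: str
    state: str
    version: int
    proposal: str = ""
    local_id: str = ""
    remote_id: str = ""
    children: List[ChildSa] = field(default_factory=list)

IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), IKEv(\d)")
ID_RE = re.compile(r"^\s+(local|remote)\s+'([^']*)' @ ")
PROPOSAL_RE = re.compile(r"^\s+([A-Z0-9_]+(?:-\d+)?(?:/[A-Z0-9_\-]+)+)$")
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), (\w+), ESP:(\S+)")
TS_RE = re.compile(r"^\s+(local|remote)\s+(\S+)$")

def parse_list_sas(text: str) -> List[IkeSa]:
    """Parse the IKE_SA blocks of a swanctl --list-sas dump (empty dump -> [])."""
    sas: List[IkeSa] = []
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            sas.append(IkeSa(m.group(1), m.group(2), int(m.group(3))))
        elif not sas:
            continue                # text before the first IKE_SA header
        elif m := CHILD_RE.match(line):
            sas[-1].children.append(ChildSa(m.group(1), m.group(2), m.group(3),
                                            m.group(4).split("/")))
        elif m := ID_RE.match(line):
            setattr(sas[-1], m.group(1) + "_id", m.group(2))
        elif (m := PROPOSAL_RE.match(line)) and not sas[-1].proposal:
            sas[-1].proposal = m.group(1)
        elif (m := TS_RE.match(line)) and sas[-1].children:
            setattr(sas[-1].children[-1], m.group(1) + "_ts", m.group(2))
    return sas

def pfs_group(child: ChildSa) -> Optional[str]:
    """DH group swanctl lists for the CHILD_SA, or None when it shows none."""
    return next((a for a in child.esp if a.startswith(DH_PREFIXES)), None)

def check_policy(sas: List[IkeSa], conn: str = CONN) -> List[str]:
    """Return findings; an empty list means the tunnel matches the policy."""
    ike = next((s for s in sas if s.name == conn), None)
    if ike is None:
        # expected with start_action = trap until matching traffic appears
        return [f"no IKE_SA for {conn}"]
    findings: List[str] = []
    if (ike.state, ike.version) != ("ESTABLISHED", 2):
        findings.append(f"IKE_SA state {ike.state}, IKEv{ike.version}")
    if ike.proposal != EXPECTED_IKE:
        findings.append(f"IKE proposal {ike.proposal} != {EXPECTED_IKE}")
    if (ike.local_id, ike.remote_id) != EXPECTED_IDS:
        findings.append(f"peer identities {ike.local_id} / {ike.remote_id}")
    for child in ike.children:
        # DH group tokens are compared separately via pfs_group()
        algs = tuple(a for a in child.esp if not a.startswith(DH_PREFIXES))
        if (child.state, child.mode) != ("INSTALLED", "TUNNEL"):
            findings.append(f"CHILD_SA {child.name}: {child.state} {child.mode}")
        if algs != EXPECTED_ESP:
            findings.append(f"CHILD_SA {child.name}: ESP {'/'.join(child.esp)}")
        if (child.local_ts, child.remote_ts) != EXPECTED_TS:
            findings.append(f"CHILD_SA {child.name}: selectors "
                            f"{child.local_ts} <-> {child.remote_ts}")
    return findings

if __name__ == "__main__":
    print(check_policy(parse_list_sas(SAMPLE)) or "tunnel matches policy")
```

In real use, feed the live output into parse_list_sas (for example by reading swanctl --list-sas from stdin instead of SAMPLE). An empty findings list is the pass condition; "no IKE_SA" right after loading the config is normal with a trap policy, but if it persists after traffic to 10.10.10.0/24, initiate by hand with swanctl -i and look at the charon log. pfs_group returns the DH group token when swanctl lists one for the CHILD_SA and None otherwise, which is a quick way to see whether PFS was in effect on the SA you are looking at.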
