I think I'm missing some config line.
Cisco IOS runs in GNS3; Debian is a remote VM in an organization.
Cisco config:
CISCO
crypto ikev2 proposal TEST
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy TEST
 proposal TEST
crypto ikev2 keyring TEST
 peer TEST
  address #public IP of Debian#
  pre-shared-key #key#
crypto ikev2 profile TEST
 match identity remote address #public IP of Debian# 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local TEST
! esp-aes esp-sha-hmac means AES-128-CBC + HMAC-SHA1; the strongSwan side proposes
! esp=aes256-sha256, so the transform-set must offer the same (stronger) pair
crypto ipsec transform-set TEST esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile TEST
 set transform-set TEST
 set ikev2-profile TEST
! not referenced by the IPsec profile: with tunnel protection (sVTI) everything routed
! into Tunnel0 is encrypted and the negotiated selectors are 0.0.0.0/0 <-> 0.0.0.0/0
ip access-list extended TEST
 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.0.255
interface Tunnel0
 ip address 192.168.1.1 255.255.255.0
! the tunnel source must be an address this router owns; e0/1 is addressed by DHCP,
! so name the interface instead of a public IP that may only exist on the home NAT
 tunnel source Ethernet0/1
 tunnel destination #public IP of Debian#
 tunnel protection ipsec profile TEST
router bgp 65000
 bgp router-id 192.168.1.1
! this peers on the public addresses, i.e. outside the IPsec tunnel
 neighbor #public IP of Debian# remote-as WHITE_ASN
 network 192.168.1.0 mask 255.255.255.0
interface Ethernet0/1
 no shutdown
 ip address dhcp
ip domain-lookup
LINUX VM
sudo apt update
sudo apt install -y strongswan
sudo apt install -y strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0
sudo apt install -y strongswan frr frr-pythontools
sudo systemctl enable strongswan-starter
sudo systemctl is-enabled strongswan-starter
systemctl status strongswan-starter
sudo apt install -y frr
sudo systemctl enable frr
sudo systemctl is-enabled frr
systemctl status frr
sudo nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
sudo sysctl -p
sudo nano /etc/ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes

# keywords inside a section must be indented; a line in column 0 starts a new section
conn TESTpc
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=%any
    # Cisco sVTI negotiates 0.0.0.0/0 <-> 0.0.0.0/0 selectors; if the CHILD_SA fails
    # with TS_UNACCEPTABLE, use 0.0.0.0/0 for both subnets and route via a Linux VTI
    leftsubnet=10.0.0.0/24
    right=#my home public IP (Cisco)#
    # if the Cisco router sits behind NAT its IKE identity is its private address,
    # not the address in right=; then set rightid=%any or rightid=<that address>
    rightsubnet=192.168.1.0/24
    # the Cisco proposal is aes-cbc-256 / sha256 / group 14; group 14 is modp2048,
    # so modp1024 (group 2) can never match and is too weak to offer anyway
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    # aggressive= only applies to IKEv1 and is ignored here
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    # nat-keepalive is not a strongSwan keyword; the NAT keep-alive interval is
    # charon.keep_alive in strongswan.conf
    remote_peer_type=cisco
sudo nano /etc/ipsec.secrets
#public IP of Debian# #my home public IP (Cisco)# : PSK "#key#"
sudo nano /etc/frr/frr.conf
! bgpd must also be switched on in /etc/frr/daemons (bgpd=yes)
router bgp WHITE_ASN
 bgp router-id 10.0.0.9
 ! the neighbour is the Cisco public address: this session runs outside the IPsec tunnel
 neighbor #my home public IP (Cisco)# remote-as 65000
 address-family ipv4 unicast
  network 10.0.0.0/24
 exit-address-family
sudo nano /etc/strongswan.conf
charon {
    # NAT-T is always available in charon (the old nat_traversal= switch belonged to
    # the IKEv1 daemon and is ignored); keep_alive sets the NAT keep-alive interval
    keep_alive = 30s
}
sudo ipsec restart
sudo systemctl restart frr
After this I get the following logs on Debian:
Aug 23 16:20:21 ip-10-0-0-9 charon[4430]: 07[IKE] initiating IKE_SA crocpc[1] to MY_WHITE_ADDRESS_CISCO
Aug 23 16:20:21 ip-10-0-0-9 charon[4430]: 07[IKE] initiating IKE_SA crocpc[1] to MY_WHITE_ADDRESS_CISCO
Aug 23 16:20:21 ip-10-0-0-9 charon[4430]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 23 16:20:21 ip-10-0-0-9 charon[4430]: 07[NET] sending packet: from 10.0.0.9[500] to MY_WHITE_ADDRESS_CISCO[500] (336 bytes)
Aug 23 16:20:25 ip-10-0-0-9 charon[4430]: 09[IKE] retransmit 1 of request with message ID 0
Aug 23 16:20:25 ip-10-0-0-9 charon[4430]: 09[NET] sending packet: from 10.0.0.9[500] to MY_WHITE_ADDRESS_CISCO[500] (336 bytes)
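Cross-checking the two ends' proposals, as an added example that is not part of the original post or of either vendor's tooling: the script below parses the Cisco "crypto ikev2 proposal" and "crypto ipsec transform-set" lines and the strongSwan ike=/esp= strings, reports any algorithm set the peers cannot agree on, and flags anything weak that is still on offer. The keyword tables, the WEAK set and the sample Cisco lines are my own (the sample reproduces the posted aes-cbc-256/sha256/group 14 proposal and the esp-aes esp-sha-hmac transform-set); it goes a little beyond the post in that it handles several comma-separated strongSwan proposals and the "esp-aes 256" key-length syntax.

```python
"""Check that a Cisco IOS IKEv2 proposal / IPsec transform-set and a strongSwan
ike= / esp= line can agree, and that nothing weak is offered.  Added example,
not from the original post; tables below are written for this example."""

# IOS keyword -> strongSwan token (CBC/HMAC/MODP/ECP subset; extend for GCM etc.)
CISCO_IKE_ENC = {"aes-cbc-128": "aes128", "aes-cbc-192": "aes192",
                 "aes-cbc-256": "aes256", "3des": "3des"}
CISCO_IKE_INTEG = {"md5": "md5", "sha1": "sha1", "sha256": "sha256",
                   "sha384": "sha384", "sha512": "sha512"}
CISCO_DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
            "15": "modp3072", "16": "modp4096", "19": "ecp256", "20": "ecp384",
            "21": "ecp521"}
CISCO_ESP_ENC = {"esp-aes": "aes128", "esp-aes 192": "aes192",
                 "esp-aes 256": "aes256", "esp-3des": "3des", "esp-null": "null"}
CISCO_ESP_INTEG = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
                   "esp-sha256-hmac": "sha256", "esp-sha384-hmac": "sha384",
                   "esp-sha512-hmac": "sha512"}
WEAK = {"modp768", "modp1024", "modp1536", "3des", "md5", "null"}
PROPOSAL_KEYS = {"encryption", "integrity", "group", "prf"}


def parse_cisco(config):
    """Return (IKE sets {'enc','integ','group'}, ESP {'enc','integ'}) from IOS text."""
    ike = {"enc": set(), "integ": set(), "group": set()}
    esp = {"enc": None, "integ": None}
    in_proposal = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if line.startswith("crypto ikev2 proposal "):
            in_proposal = True
            continue
        if in_proposal and words[0] in PROPOSAL_KEYS:
            key, vals = words[0], words[1:]          # IOS allows several values per line
            if key == "encryption":
                ike["enc"].update(CISCO_IKE_ENC.get(v, v) for v in vals)
            elif key == "integrity":
                ike["integ"].update(CISCO_IKE_INTEG.get(v, v) for v in vals)
            elif key == "group":
                ike["group"].update(CISCO_DH.get(v, "group" + v) for v in vals)
            continue
        in_proposal = False                          # any other command ends the block
        if line.startswith("crypto ipsec transform-set "):
            words, i = words[4:], 0                  # tokens after the set name
            while i < len(words):
                tok = words[i]
                if tok == "esp-aes" and i + 1 < len(words) and words[i + 1].isdigit():
                    tok = f"esp-aes {words[i + 1]}"  # "esp-aes 256" is one transform
                    i += 1
                if tok in CISCO_ESP_ENC:
                    esp["enc"] = CISCO_ESP_ENC[tok]
                elif tok in CISCO_ESP_INTEG:
                    esp["integ"] = CISCO_ESP_INTEG[tok]
                i += 1
    return ike, esp


def parse_strongswan(value):
    """Split an ike=/esp= string into (enc, integ, dh_group_or_None) tuples."""
    out = []
    for prop in value.rstrip("!").split(","):
        parts = prop.strip().split("-")
        integ = parts[1] if len(parts) > 1 else None
        group = next((p for p in parts[2:] if p.startswith(("modp", "ecp", "curve"))), None)
        out.append((parts[0], integ, group))
    return out


def check(cisco_config, ike_value, esp_value):
    """Return findings; an empty list means the peers can agree and nothing weak is offered."""
    ike, esp = parse_cisco(cisco_config)
    ss_ike, ss_esp = parse_strongswan(ike_value), parse_strongswan(esp_value)
    findings = []
    if not any(e in ike["enc"] and i in ike["integ"] and g in ike["group"]
               for e, i, g in ss_ike):
        findings.append(f"IKE mismatch: Cisco proposal is {sorted(ike['enc'])}/"
                        f"{sorted(ike['integ'])}/{sorted(ike['group'])}, strongSwan ike={ike_value}")
    if not any(e == esp["enc"] and i == esp["integ"] for e, i, _ in ss_esp):
        findings.append(f"ESP mismatch: Cisco transform-set is {esp['enc']}-{esp['integ']}, "
                        f"strongSwan esp={esp_value}")
    offered = set().union(*ike.values()) | {esp["enc"], esp["integ"]}
    for e, i, g in ss_ike + ss_esp:
        offered.update(x for x in (e, i, g) if x)
    findings.extend(f"weak algorithm offered: {alg}" for alg in sorted(offered & WEAK))
    return findings


# Constructed sample input: the Cisco lines as posted, and the same lines with the
# transform-set raised to what strongSwan's esp= asks for.
CISCO_POSTED = """crypto ikev2 proposal TEST
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ipsec transform-set TEST esp-aes esp-sha-hmac
 mode tunnel
"""
CISCO_FIXED = CISCO_POSTED.replace("esp-aes esp-sha-hmac", "esp-aes 256 esp-sha256-hmac")

if __name__ == "__main__":
    for finding in check(CISCO_POSTED, "aes256-sha256-modp1024", "aes256-sha256"):
        print(finding)
    print(check(CISCO_FIXED, "aes256-sha256-modp2048!", "aes256-sha256!") or "proposals agree")
```

Run against the posted values it reports an IKE mismatch (group 14 is modp2048, not modp1024), an ESP mismatch (esp-aes esp-sha-hmac is AES-128/SHA-1 against aes256-sha256) and modp1024 as weak; note that a proposal mismatch produces a NO_PROPOSAL_CHOSEN reply, whereas the retransmits in the log above mean no reply arrived at all, so reachability of UDP/500 (and 4500) to the router in GNS3 is the thing to confirm first.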