site-to-site IPSec VPN between strongSwan and Cisco Router with IKEv2
Introduction
In the previous post, we showed how to connect strongSwan (AWS) to a Cisco router (on-premise) using IKEv1.
As promised, we will now show how to use IKEv2 for the same scenario.
Switching from IKEv1 to IKEv2 is really simple: the strongSwan configuration needs only a minimal change, although the Cisco side needs quite a bit of additional configuration.
Network diagram
The left side (mumbai) uses strongSwan hosted on AWS, and the right side (france) uses an on-premise Cisco router. NAT is also configured, because a site-to-site VPN between different companies usually requires the encryption domain to use public IP addresses.
IP Info | Left side(mumbai) | Right side(france) |
VPN device/sw | strongSwan 5.9.8 Debian 12 | Cisco C931-4P |
VPN GW IP | 35.154.207.104 | 31.xxx.xxx.48 |
Encryption Domain (VPN host or subnet) | 3.6.74.40 (NAT to 192.168.0.88) | 31.xxx.xxx.89 (NAT to 192.168.1.2) |
IPSec parameters
Phase I Settings | |
Authentication Method | Pre-Shared |
Diffie-Hellman Group | 2 (Mod1024) |
Encryption Algorithm | AES256 |
Hash Algorithm | SHA-1 |
SA Timeout | 28800 |
NAT-T | Enabled |
Phase II Settings | |
Encapsulation | ESP (encrypted) |
Perfect Forward Secrecy (PFS) | NO PFS |
Encryption Algorithm | AES256 |
Hash Algorithm | SHA-1 |
Lifetime (In Seconds) | 3600 (Default) |
Difference in configuration
strongSwan (mumbai)
/etc/swanctl/swanctl.conf: the change is minimal; just add one line, version = 2, and that's it!
# default settings for all conns (e.g. cert, IP pools)
conn-defaults {
    version = 1
    reauth_time = 28800
    proposals = aes256-sha1-modp1024
}

# default settings for all child configs (e.g. traffic selectors)
child-defaults {
    mode = tunnel
    start_action = trap|start
    rekey_time = 3600
}

connections {
    mumbai-france : conn-defaults {
        local_addrs = 192.168.0.33
        remote_addrs = 31.xxx.xxx.48
        proposals = aes256-sha1-modp1024
        version = 2 # the only change required
        mobike = no # optional
        local {
            auth = psk
            id = 35.154.207.104
        }
        remote {
            auth = psk
            id = 31.xxx.xxx.48
        }
        children {
            mumbai-france1 : child-defaults {
                local_ts = 3.6.74.40/32
                remote_ts = 31.xxx.xxx.89/32
                start_action = trap|start
                esp_proposals = aes256-sha1
            }
        }
    }
}

secrets {
    ike-1 {
        # a - local, b - remote
        id-1b = 31.xxx.xxx.48
        secret = ANsvU5WIwmQ6
    }
}
Cisco Router (france)
On Cisco, there is a bit more typing to do.
crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy ikev2policy
 match fvrf any
 proposal ikev2proposal
!
crypto ikev2 keyring keys
 peer mumbai-strongswan
  address 35.154.207.104
  pre-shared-key local ANsvU5WIwmQ6
  pre-shared-key remote ANsvU5WIwmQ6
!
crypto ikev2 profile ikev2profile
 match identity remote address 35.154.207.104 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
!
crypto ipsec transform-set vpn-sha1-aes256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map francemap 2 ipsec-isakmp
 set peer 35.154.207.104
 set transform-set vpn-sha1-aes256
 set ikev2-profile ikev2profile
 match address TEST-MUMBAI-SS
!
ip nat inside source static 192.168.1.2 31.xxx.xxx.89
!
ip access-list extended TEST-MUMBAI-SS
 permit ip host 31.xxx.xxx.89 host 3.6.74.40
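The two configurations above express the same IPsec parameters in two vendor syntaxes, and a mismatch in any one keyword is the usual reason a tunnel never reaches READY. As an added example (not part of the original post and not strongSwan or Cisco tooling), here is a small Python helper that derives the Cisco IOS proposal, transform-set and PFS lines from the strongSwan proposal strings used on this page, so both sides come from one parameter set; the keyword tables are an assumed subset covering this page plus a few common neighbours.

```python
from dataclasses import dataclass
from typing import List, Optional

# strongSwan keyword -> Cisco IOS keywords (IKEv2 proposal form, transform-set form).
# Assumed subset: enough for this page plus a few common neighbours.
ENCR = {"aes128": ("aes-cbc-128", "esp-aes 128"),
        "aes256": ("aes-cbc-256", "esp-aes 256")}
INTEG = {"sha1": ("sha1", "esp-sha-hmac"),
         "sha256": ("sha256", "esp-sha256-hmac")}
DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14}


@dataclass
class Proposal:
    encr: str
    integ: str
    dh: Optional[str] = None   # no DH in an ESP proposal means no PFS


def parse_proposal(text: str) -> Proposal:
    """Split a strongSwan proposal such as 'aes256-sha1-modp1024' into its parts."""
    parts = text.split("-")
    if len(parts) not in (2, 3) or parts[0] not in ENCR or parts[1] not in INTEG:
        raise ValueError(f"unsupported proposal: {text}")
    dh = parts[2] if len(parts) == 3 else None
    if dh is not None and dh not in DH:
        raise ValueError(f"unsupported DH group: {dh}")
    return Proposal(parts[0], parts[1], dh)


def cisco_ikev2_proposal(name: str, p: Proposal) -> List[str]:
    """IOS 'crypto ikev2 proposal' block matching a strongSwan IKE proposal."""
    if p.dh is None:
        raise ValueError("an IKE proposal needs a DH group")
    return [f"crypto ikev2 proposal {name}",
            f" encryption {ENCR[p.encr][0]}",
            f" integrity {INTEG[p.integ][0]}",
            f" group {DH[p.dh]}"]


def cisco_transform_set(name: str, p: Proposal) -> str:
    """IOS transform-set line matching a strongSwan esp_proposals entry."""
    return f"crypto ipsec transform-set {name} {ENCR[p.encr][1]} {INTEG[p.integ][1]}"


def cisco_pfs_line(p: Proposal) -> Optional[str]:
    """'set pfs' line for the crypto map, or None when the ESP proposal carries no DH group (no PFS)."""
    return None if p.dh is None else f" set pfs group{DH[p.dh]}"
```

Running parse_proposal on the page's "aes256-sha1-modp1024" and "aes256-sha1" reproduces the ikev2proposal block and the vpn-sha1-aes256 transform-set above, and the absent set pfs line on the crypto map follows from the ESP proposal having no DH group.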
Verify VPN Status on Cisco Router
#sho crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 31.xxx.xxx.48/4500 35.154.207.104/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/150 sec
#show crypto session brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
35.154.207.104 Gi4 35.154.207.104 00:03:05 UA
References
Cisco document: example config between strongSwan and Cisco router (IKEv1 and IKEv2)
https://docs.strongswan.org/docs/5.9/config/IKEv2CipherSuites.html