1

Topic: site-to-site strongswan cisco asa - an error on child_sa

2

Re: site-to-site strongswan cisco asa - an error on child_sa

I am not that much into IPsec, but since nobody is answering, I will try:
Begin exactly with the example you linked to.
1) Why do you have TWO? Only the second one (ikev2-proposal-client2) works, because the first one is in gcm, and you have CBC (aes https://wiki.strongswan.org/projects/st … herSuites).
And from the second one, only group 24 and sha256 work. I suggest selecting ONE set of algorithms and using it everywhere (I know sha-1 has become a little outdated, but let's get it up).
AES (cbc)-128 / SHA-1 / DH-5.
On cisco:
crypto ikev2 proposal ikev2-proposal-client
encryption aes-cbc-128
integrity sha1
group 5
On strongswan:
ike=aes128-sha1-modp1536
(modp1536 is DH-5; it can be seen above under the link)
2) In ESP on the cisco side you have Encryption (esp-aes-256) first, then Authentication (esp-sha-hmac).
On the strongswan side it is aes128-sha1 (the encryption does not match what is on the cisco side) and aes128-sha256-modp2048s256 (that is DH-24).
Do as in the example:

crypto ipsec transform-set ipsec-ts-client esp-aes esp-sha-hmac

esp=aes128-sha1
And as to cut  on  and , and to take a detached view  too.

3

Re: site-to-site strongswan cisco asa - an error on child_sa

It looks like the proposals do not match.
Since on cisco ikev2-profile-client is used with the encryption
"encryption aes-gcm-256 aes-gcm-128", which is not present on the linux side, they cannot
negotiate an SA, so do as written in the first answer.
The cisco debug log says this about it:

[IPsec-> IKEv2] Callback received for the validate proposal - FAILED.
IKEv2-ERROR:(SESSION ID = 60692, SA ID = 1):Received Policies:: Failed to find a matching policyESP: Proposal 1: AES-CBC-128 SHA96 Don't use ESN
ESP: Proposal 2: AES-CBC-128 AES-CBC-192 AES-CBC-256 3DES BLOWFISH SHA96 AES XCBC 96 MD596 Don't use ESN
IKEv2-ERROR:(SESSION ID = 60692, SA ID = 1):Expected Policies:: Failed to find a matching policy
IKEv2-ERROR:(SESSION ID = 60692, SA ID = 1):: Failed to find a matching policy
... EV_NO_PROP_CHOSEN
IKEv2: (SESSION ID = 60692, SA ID = 1):Sending no proposal chosen notify
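
The proposal mismatch described in the two replies above can be checked offline before touching either device. This is an added example, not code from the posters: the keyword table covers only the algorithms named in this thread, the Cisco-side proposals are constructed by hand from the settings the replies mention (the DH group of the gcm proposal is an assumption), and the matching is a simplified model of IKEv2 proposal selection.

```python
# Added example: compare strongSwan ike=/esp= strings with a peer's proposals.
# strongSwan keyword -> (transform type, normalized algorithm); thread subset only.
SWAN = {
    "aes128": ("enc", "aes-cbc-128"), "aes256": ("enc", "aes-cbc-256"),
    "aes128gcm16": ("enc", "aes-gcm-128"), "aes256gcm16": ("enc", "aes-gcm-256"),
    "sha1": ("integ", "sha1"), "sha256": ("integ", "sha256"),
    "modp1536": ("dh", 5), "modp2048": ("dh", 14), "modp2048s256": ("dh", 24),
}
KINDS = ("enc", "integ", "dh")

def parse_swan(value):
    """'aes128-sha1,aes128-sha256-modp2048s256' -> list of {type: set(algs)}."""
    proposals = []
    for item in value.split(","):
        prop = {kind: set() for kind in KINDS}
        for kw in item.strip().rstrip("!").split("-"):
            if kw not in SWAN:
                raise ValueError(f"unknown keyword: {kw}")
            kind, alg = SWAN[kw]
            prop[kind].add(alg)
        proposals.append(prop)
    return proposals

def negotiate(offered, accepted):
    """Return the chosen (enc, integ, dh), or None (NO_PROPOSAL_CHOSEN).
    Simplified: a pair of proposals matches only if every transform type
    used by either side has at least one algorithm in common."""
    for o in offered:
        for a in accepted:
            chosen = {}
            for kind in KINDS:
                if not o[kind] and not a[kind]:
                    chosen[kind] = None      # type unused, e.g. ESP without PFS
                    continue
                common = o[kind] & a[kind]
                if not common:
                    break                    # this pair cannot match
                chosen[kind] = sorted(common, key=str)[0]
            else:
                return tuple(chosen[kind] for kind in KINDS)
    return None

# Constructed peer-side proposals, modelled on the settings named in the thread.
IKE_GCM_ONLY = [{"enc": {"aes-gcm-256", "aes-gcm-128"}, "integ": set(), "dh": {5}}]
IKE_FIXED = [{"enc": {"aes-cbc-128"}, "integ": {"sha1"}, "dh": {5}}]
ESP_BEFORE = [{"enc": {"aes-cbc-256"}, "integ": {"sha1"}, "dh": set()}]  # esp-aes-256 esp-sha-hmac
ESP_FIXED = [{"enc": {"aes-cbc-128"}, "integ": {"sha1"}, "dh": set()}]   # esp-aes esp-sha-hmac

if __name__ == "__main__":
    print(negotiate(parse_swan("aes128-sha1-modp1536"), IKE_GCM_ONLY))
    print(negotiate(parse_swan("aes128-sha1"), ESP_FIXED))
```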