Hello All:
We are using IKEv2 to Cisco IOS and have been doing so since 2021 with various TTNK FWs.
We are using IKEv2 with asymmetric keys, meaning one key in the direction from the TTNK to the Cisco and a different key in the direction from the Cisco to the TTNK. That is, each IPSec tunnel has its own PSK.
We upgraded one of our RUT951s to 7.10.2 which is the FW directly before the change was made to swanctl from ipsec. It worked fine with our config.
We then upgraded to the latest FW which is 22.3 and IPSec breaks. We are having difficulty troubleshooting as I have no idea what a properly formatted swanctl.conf looks like as compared to a properly formatted ipsec.conf file.
Here is the logread -f output:
root@CORS546:~# logread -f
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 13[IKE] <SOI|8> initiating IKE_SA SOI[8] to 103.205.244.106
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 13[CFG] <SOI|8> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 13[CFG] <SOI|8> sending supported signature hash algorithms: sha256 sha384 sha512 identity
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 13[ENC] <SOI|8> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 13[NET] <SOI|8> sending packet: from 100.69.138.130[500] to 103.205.244.106[500] (464 bytes)
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[NET] <SOI|8> received packet: from 103.205.244.106[500] to 100.69.138.130[500] (579 bytes)
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[ENC] <SOI|8> parsed IKE_SA_INIT response 0 [ SA KE No V V V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HTTP_CERT_LOOK) N(FRAG_SUP) V ]
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> received Cisco Delete Reason vendor ID
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[ENC] <SOI|8> received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[ENC] <SOI|8> received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> received Cisco FlexVPN Supported vendor ID
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> received FRAGMENTATION vendor ID
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[CFG] <SOI|8> selecting proposal:
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[CFG] <SOI|8> proposal matches
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[CFG] <SOI|8> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[CFG] <SOI|8> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[CFG] <SOI|8> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> local host is behind NAT, sending keep alives
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> cert payload ANY not supported - ignored
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> authentication of 'CORS546' (myself) with pre-shared key
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> no shared key found for 'CORS546' - 'CCrouter'
As you can see, swanctl appears to have not parsed the PSK for the user keyid:CORS546 keyid:CCrouter.
This appears to be a FW issue in the router.
We usually edit the /etc/config/ipsec files directly, but to make sure we have no mistakes, we took screen snaps of the TTNK WebUI IPSec setup screens on a working FW 10.2 unit, saved these, and redid the IPsec on the 22.3 unit. It came out exactly the same, no different. Same error above.
Currently we will stay at 10.2 until this is fixed. Are there any comments from the development team on this?
Cheers,
john
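Added example, not from the post above or from Teltonika: a small Python triage script for charon log lines of the kind shown in the post. It decodes the two "unknown vendor ID" hex dumps into their ASCII strings and pulls out the local/remote identity pair for which no PSK was found, which is the pair a swanctl secrets entry has to match. The log excerpt embedded in it is constructed from the lines in the post.

```python
import re

# Constructed excerpt modelled on the charon (strongSwan) lines quoted in the post.
LOG = """\
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 13[IKE] <SOI|8> initiating IKE_SA SOI[8] to 103.205.244.106
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[ENC] <SOI|8> received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[ENC] <SOI|8> received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[CFG] <SOI|8> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> authentication of 'CORS546' (myself) with pre-shared key
Thu Jun 11 10:13:49 2026 daemon.info ipsec: 06[IKE] <SOI|8> no shared key found for 'CORS546' - 'CCrouter'
"""

# charon line layout: "<thread>[<subsystem>] <<SA name|SA number>> <message>"
LINE_RE = re.compile(r"ipsec: \d+\[(?P<sub>\w+)\] <(?P<sa>[^>]+)> (?P<msg>.*)$")
VID_RE = re.compile(r"received unknown vendor ID: ([0-9a-f]{2}(?::[0-9a-f]{2})*)")
NOKEY_RE = re.compile(r"no shared key found for '([^']*)' - '([^']*)'")


def decode_vendor_id(hexstr):
    """Turn charon's colon-separated hex dump into text if it is printable ASCII,
    otherwise return it as plain hex so nothing is silently dropped."""
    raw = bytes(int(b, 16) for b in hexstr.split(":"))
    if all(32 <= c < 127 for c in raw):
        return raw.decode("ascii")
    return raw.hex()


def triage(log):
    """Summarise one IKE_SA attempt: decoded vendor IDs, the IKE proposal that was
    agreed, and the identity pair whose PSK lookup failed (None if it succeeded)."""
    report = {"sa": None, "vendor_ids": [], "proposal": None, "missing_psk": None}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        report["sa"] = m.group("sa")
        msg = m.group("msg")
        if v := VID_RE.search(msg):
            report["vendor_ids"].append(decode_vendor_id(v.group(1)))
        elif msg.startswith("selected proposal: "):
            report["proposal"] = msg[len("selected proposal: "):]
        elif k := NOKEY_RE.search(msg):
            # charon emits this while building its own AUTH payload, i.e. the PSK
            # lookup failed locally for (local id, remote id) before IKE_AUTH was sent.
            report["missing_psk"] = {"local_id": k.group(1), "remote_id": k.group(2)}
    return report


if __name__ == "__main__":
    print(triage(LOG))
```

Because the proposal is already selected when the lookup fails, the report shows the negotiation got past IKE_SA_INIT and stalled on the local secret lookup for the printed identity pair, which narrows the problem to the secrets configuration rather than to the Cisco side.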