[strongSwan] Help to diagnose connection problem with Cisco ASA5585X

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sat May 9 19:50:47 CEST 2020


Hi,

The other peer has some problem with it. Review its logs.
> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built

Kind regards

Noel

On 09.05.20 at 16:20, Jim Geurts wrote:
> Hi,
> 
> I'm new to the world of strongSwan and VPNs in general, so I apologize if this is answered elsewhere. I inherited a strongSwan box running Linux strongSwan U5.7.2/K4.14.177-139.253.amzn2.x86_64. The other end is a Cisco ASA5585X. The connection was up and running a few days ago, but I've been trying to get auto=route working (it was previously auto=start) and that caused the tunnel to go up/down a couple of times. Now the tunnel will not establish a connection. To me, it seems like it's the phase 2 establishment that is failing, but I'm curious if someone could help clear up what is going on or which part is failing?
> 
> My understanding (waiting for verification) is that the configured settings for the tunnel from the Cisco side are:
> 
> Phase 1
>   Encryption algorithm: AES-256
>   Hash algorithm: SHA-512
>   DH Group: 14
>   Lifetime: 28800 (seconds)
> 
> Phase 2:
>   Mode: IKE V2 Tunnel
>   ESP Encryption algorithm: AES-256
>   ESP Hash algorithm: SHA-512
>   PFS: DH Group 14
>   Lifetime: 3600 (seconds)
> 
> I have the following ipsec.conf file for the tunnel:
> 
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>         charondebug="ike 2, knl 2,esp 2, cfg 2, chd 2, lib 2, net 2"
> 
> conn %default
>         ikelifetime=480m
>         keylife=60m
>         rekeymargin=3m
>         keyingtries=1
>         keyexchange=ikev1
>         authby=secret
> 
> conn FOO
>         leftid=205.251.242.103
>         left=172.30.101.187
>         leftsubnet=205.251.242.103/32
>         leftupdown=/tmp/vpn/firewall-rules.sh
>         right=176.32.98.166
>         rightsubnet=104.40.92.107/32
>         ike=aes256-sha512-modp2048!
>         keyexchange=ikev2
>         esp=aes256-sha2_512-modp2048!
>         rekeymargin=9m
>         type=tunnel
>         compress=no
>         authby=secret
>         auto=route
>         keyingtries=%forever
>         forceencaps=yes
>         mobike=no
> 
> 
> ipsec statusall gives the following:
> 
> Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.14.177-139.253.amzn2.x86_64, x86_64):
>   uptime: 19 hours, since May 08 18:56:20 2020
>   malloc: sbrk 1884160, mmap 0, used 828960, free 1055200
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
> Listening IP addresses:
>   172.30.101.187
> Connections:
>          FOO:  172.30.101.187...176.32.98.166  IKEv2
>          FOO:   local:  [205.251.242.103] uses pre-shared key authentication
>          FOO:   remote: [176.32.98.166] uses pre-shared key authentication
>          FOO:   child:  205.251.242.103/32 === 104.40.92.107/32 TUNNEL
> Routed Connections:
>          FOO{1}:  ROUTED, TUNNEL, reqid 1
>          FOO{1}:   205.251.242.103/32 === 104.40.92.107/32
> Security Associations (0 up, 0 connecting):
>   none
> 
> 
> Sending traffic to 104.40.92.107 does not bring the tunnel up. If I try to bring the tunnel up manually using ipsec up FOO, I get the following:
> 
> initiating IKE_SA FOO[1] to 176.32.98.166
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 172.30.101.187[500] to 176.32.98.166[500] (464 bytes)
> received packet: from 176.32.98.166[500] to 172.30.101.187[500] (599 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
> received Cisco Delete Reason vendor ID
> received Cisco Copyright (c) 2009 vendor ID
> received FRAGMENTATION vendor ID
> selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> authentication of '205.251.242.103' (myself) with pre-shared key
> establishing CHILD_SA FOO{2}
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 172.30.101.187[4500] to 176.32.98.166[4500] (304 bytes)
> received packet: from 176.32.98.166[4500] to 172.30.101.187[4500] (208 bytes)
> parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
> authentication of '176.32.98.166' with pre-shared key successful
> IKE_SA FOO[1] established between 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
> scheduling reauthentication in 28116s
> maximum IKE_SA lifetime 28656s
> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
> failed to establish CHILD_SA, keeping IKE_SA
> establishing connection 'FOO' failed
> 
> 
> Any help or direction would greatly be appreciated as I'm not really sure what I can do next. Also, I'm hoping this is the underlying reason for auto=route not working as expected. Thank you,
> 
> Jim
> 
> 
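
Added example (not part of either message and not strongSwan code): a small Python triage of the initiator log quoted above. It shows that the NO_PROPOSAL_CHOSEN notify arrived in the IKE_AUTH response after the IKE proposal had been selected, so the proposal the peer turned down is the CHILD_SA one (`esp=`), not `ike=`. The function names and the second log are constructed for illustration.

```python
import re

# Initiator output of `ipsec up FOO`, copied from the post quoted above (abridged).
POSTED_LOG = """\
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '176.32.98.166' with pre-shared key successful
IKE_SA FOO[1] established between 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
"""

# Constructed contrast case (not from the post): the peer rejects the IKE proposal itself.
CONSTRUCTED_LOG = """\
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
"""

PARSED = re.compile(r"parsed (\S+) response \d+ \[ (.*) \]")
SELECTED = re.compile(r"selected proposal: (IKE|ESP|AH):(\S+)")

def triage(log):
    """Summarise how far an IKEv2 initiator got before NO_PROPOSAL_CHOSEN."""
    state = {"selected": {}, "ike_sa_up": False, "child_sa_up": False, "rejected_in": None}
    for line in log.splitlines():
        if m := PARSED.search(line):
            if "N(NO_PROP)" in m.group(2).split():
                state["rejected_in"] = m.group(1)   # exchange that carried the notify
        elif m := SELECTED.search(line):
            state["selected"][m.group(1)] = m.group(2)
        elif re.search(r"IKE_SA \S+ established between", line):
            state["ike_sa_up"] = True
        elif re.search(r"CHILD_SA \S+ established", line):
            state["child_sa_up"] = True
    return state

def setting_to_compare(state):
    """Name the ipsec.conf option whose proposal the peer turned down."""
    if state["rejected_in"] == "IKE_SA_INIT":
        return "ike"      # IKE_SA proposal (Cisco "Phase 1") rejected
    if state["rejected_in"] == "IKE_AUTH" and state["ike_sa_up"] and not state["child_sa_up"]:
        return "esp"      # IKE_SA is fine; first CHILD_SA proposal ("Phase 2") rejected
    return None

if __name__ == "__main__":
    for name, log in (("posted", POSTED_LOG), ("constructed", CONSTRUCTED_LOG)):
        s = triage(log)
        print(name, s["rejected_in"], s["selected"], "->", setting_to_compare(s))
```

For the posted log the result is `esp`: that is the line to compare against the IPsec proposal configured on the ASA, whose own logs show which transform it refused.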
