<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div class=""><div class="">Hello All,</div><div class=""><br class=""></div><div class="">I have an issue to set up VPN to Cisco ASA. Problem appeared on IKE side.</div><div class=""><br class=""></div><div class="">Log: </div><div class="">#------------------------------------------------------------------------------------</div><div class="">$ docker run -it --cap-add=NET_ADMIN --net=host -v $PWD/config/strongswan.conf:/etc/strongswan.conf -v $PWD/config/ipsec.conf:/etc/ipsec.conf -v $PWD/config/ipsec.secrets:/etc/ipsec.secrets -v $PWD/config/ipsec.d:/etc/ipsec.d --name=strongswan --rm strongswan</div><div class="">Starting strongSwan 5.6.2 IPsec [starter]...</div><div class="">ipsec_starter[1]: Starting strongSwan 5.6.2 IPsec [starter]...</div><div class=""># unknown keyword 'ikeylife'</div><div class="">ipsec_starter[1]: # unknown keyword 'ikeylife'</div><div class="">### 1 parsing error (0 fatal) ###</div><div class="">ipsec_starter[1]: ### 1 parsing error (0 fatal) ###</div><div class="">modprobe: can't change directory to '/lib/modules': No such file or directory</div><div class="">no netkey IPsec stack detected</div><div class="">ipsec_starter[1]: no netkey IPsec stack detected</div><div class="">modprobe: can't change directory to '/lib/modules': No such file or directory</div><div class="">no KLIPS IPsec stack detected</div><div class="">ipsec_starter[1]: no KLIPS IPsec stack detected</div><div class="">no known IPsec stack detected, ignoring!</div><div class="">ipsec_starter[1]: no known IPsec stack detected, ignoring!</div><div class="">00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64)</div><div class="">00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'</div><div class="">00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'</div><div class="">00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</div><div class="">00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'</div><div class="">00[CFG] loading crls from '/etc/ipsec.d/crls'</div><div class="">00[CFG] loading secrets from '/etc/ipsec.secrets'</div><div class="">00[CFG] loaded IKE secret for xx.xx.xx.xx</div><div class="">00[CFG] loaded 0 RADIUS server configurations</div><div class="">00[LIB] loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters</div><div class="">00[JOB] spawning 16 worker threads</div><div class="">charon (12) started after 20 ms</div><div class="">ipsec_starter[1]: charon (12) started after 20 ms</div><div class="">05[CFG] received stroke: add connection 'remote-asa'</div><div class="">05[CFG] added configuration 'remote-asa'</div><div class="">07[CFG] received stroke: initiate 'remote-asa'</div><div class="">07[IKE] initiating Main Mode IKE_SA remote-asa[1] to xx.xx.xx.xx</div><div class="">07[ENC] generating ID_PROT request 0 [ SA V V V V V V ]</div><div class="">07[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (272 bytes)</div><div class="">09[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (108 bytes)</div><div class="">09[ENC] parsed ID_PROT response 0 [ SA V ]</div><div class="">09[IKE] received NAT-T (RFC 3947) vendor ID</div><div class="">09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]</div><div class="">09[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (308 bytes)</div><div class="">10[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (368 bytes)</div><div class="">10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]</div><div class="">10[IKE] received Cisco Unity vendor ID</div><div class="">10[IKE] received DPD vendor ID</div><div class="">10[ENC] received unknown vendor ID: 78:96:0c:65:2b:d4:73:8d:af:cd:b5:00:63:a6:38:03</div><div class="">10[IKE] received XAuth vendor ID</div><div class="">10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]</div><div class="">10[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (108 bytes)</div><div class="">11[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (76 bytes)</div><div class="">11[ENC] parsed ID_PROT response 0 [ ID HASH ]</div><div class="">11[IKE] IKE_SA remote-asa[1] established between 45.55.20.248[trueaccord]...xx.xx.xx.xx[xx.xx.xx.xx]</div><div class="">11[IKE] scheduling reauthentication in 86138s</div><div class="">11[IKE] maximum IKE_SA lifetime 86318s</div><div class="">11[ENC] generating QUICK_MODE request 4088404241 [ HASH SA No ID ID ]</div><div class="">11[NET] sending packet: from 45.55.20.248[500] to xx.xx.xx.xx[500] (188 bytes)</div><div class="">12[NET] received packet: from xx.xx.xx.xx[500] to 45.55.20.248[500] (92 bytes)</div><div class="">12[ENC] parsed INFORMATIONAL_V1 request 2090615229 [ HASH N(NO_PROP) ]</div><div class="">12[IKE] received NO_PROPOSAL_CHOSEN error notify</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Status: </div><div class="">#------------------------------------------------------------------------------------</div><div class="">~/alpine-strongswan-vpn$ docker exec -it strongswan ipsec statusall remote-asa</div><div class="">Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64):</div><div class=""> uptime: 3 seconds, since Mar 19 14:30:08 2018</div><div class=""> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1</div><div class=""> loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters</div><div class="">Listening IP addresses:</div><div class=""> 45.55.20.248</div><div class=""> 2604:a880:1:20::120:9001</div><div class=""> 172.17.0.1</div><div class="">Connections:</div><div class=""> remote-asa: %any...xx.xx.xx.xx IKEv1</div><div class=""> remote-asa: local: [trueaccord] uses pre-shared key authentication</div><div class=""> remote-asa: remote: [xx.xx.xx.xx] uses pre-shared key authentication</div><div class=""> remote-asa: child: dynamic === 148.171.0.0/16 TUNNEL</div><div class="">Security Associations (0 up, 0 connecting):</div><div class=""> no match</div><div class="">apl@stratus01:~/alpine-strongswan-vpn$ docker exec -it strongswan ipsec statusall remote-asa</div><div class="">Status of IKE charon daemon (strongSwan 5.6.2, Linux 3.13.0-58-generic, x86_64):</div><div class=""> uptime: 2 seconds, since Mar 19 14:31:18 2018</div><div class=""> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6</div><div class=""> loaded plugins: charon aesni aes des rc2 sha2 sha3 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 chapoly xcbc cmac hmac gcm ntru newhope curl files attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls xauth-generic dhcp counters</div><div class="">Listening IP addresses:</div><div class=""> 45.55.20.248</div><div class=""> 2604:a880:1:20::120:9001</div><div class=""> 172.17.0.1</div><div class="">Connections:</div><div class=""> remote-asa: %any...xx.xx.xx.xx IKEv1</div><div class=""> remote-asa: local: [trueaccord] uses pre-shared key authentication</div><div class=""> remote-asa: remote: [xx.xx.xx.xx] uses pre-shared key authentication</div><div class=""> remote-asa: child: dynamic === 148.171.0.0/16 TUNNEL</div><div class="">Security Associations (1 up, 0 connecting):</div><div class=""> remote-asa[1]: ESTABLISHED 2 seconds ago, 45.55.20.248[trueaccord]...xx.xx.xx.xx[xx.xx.xx.xx]</div><div class=""> remote-asa[1]: IKEv1 SPIs: 563b49d3d678b72f_i* 8d51ab782bd5738d_r, pre-shared key reauthentication in 23 hours</div><div class=""> remote-asa[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Config:</div><div class="">#------------------------------------------------------------------------------------</div><div class="">config setup</div><div class=""> charondebug="dmni 4, mgr 4, ike 4, chd 4, job 4, cfg 4, knl 4, net 4, asn 4, enc 4, lib 4, esp 4, tls 4, tnc 4, imc 4, imv 4, pts 4"</div><div class=""># strictcrlpolicy=yes</div><div class=""><br class=""></div><div class="">conn %default</div><div class=""> ikelifetime=86400</div><div class=""> ikeylife=60m</div><div class=""> rekeymargin=3m</div><div class=""> keyingtries=1</div><div class=""> keyexchange=ikev1</div><div class=""> authby=secret</div><div class=""> ike=aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,aes256-sha1-modp1024,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!</div><div class=""> esp=aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1,aes128-sha1-modp1024,aes128-sha1-modp1536,aes128-sha1-modp2048,aes128-sha256,aes128-sha256-ecp256,aes128-sha256-modp1024,aes128-sha256-modp1536,aes128-sha256-modp2048,aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128gcm16,aes128gcm16-ecp256,aes256-sha1,aes256-sha256,aes256-sha256-modp1024,aes256-sha256-modp1536,aes256-sha256-modp2048,aes256-sha256-modp4096,aes256-sha384,aes256-sha384-ecp384,aes256-sha384-modp1024,aes256-sha384-modp1536,aes256-sha384-modp2048,aes256-sha384-modp4096,aes256gcm16,aes256gcm16-ecp384,3des-sha1!</div><div class=""><br class=""></div><div class="">conn remote-asa</div><div class=""> type=tunnel</div><div class=""> #server, remote side</div><div class=""> right=xx.xx.xx.xx</div><div class=""> rightsubnet=178.171.0.0/16</div><div class=""> rightid=xx.xx.xx.xx</div><div class=""><br class=""></div><div class=""> #leftsubnet=10.78.47.0/24</div><div class=""> leftid=trueaccord</div><div class=""> leftfirewall=yes</div><div class=""><br class=""></div><div class=""> auto=start</div><div class=""> keyexchange=ikev1</div><div class=""><br class=""></div><div class=""> ike=aes256-sha1-modp1536</div><div class=""> esp=aes256-sha1!</div><div class=""> ikelifetime=86400s</div><div class=""> aggressive=no</div><div class=""> lifebytes=4608000</div><div class=""> lifetime=3600</div></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">I see the problem on IKE side, but don’t know how to debug and fix it.</div><div class="">Please help.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div class="">
<div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Thank you,</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class=""></div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;">Andrii Petrenko</div><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 16px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><a href="mailto:aplsms@gmail.com" class="">aplsms@gmail.com</a><span class="Apple-tab-span" style="white-space: pre;"> </span></div></div>
</div>
<br class=""></div></body></html>