[strongSwan] Cisco ASA 5510 (8.4) Interop with StrongSwan 4.5.2 (IKEv2)

Neeraj Sharma kaju09 at aol.com
Tue Sep 4 13:23:20 CEST 2012


Hi,
 
I am trying to interoperate the StrongSwan (IKEv2) client with Cisco ASA
5510 (v8.4.1), but it doesn't work. After some rigorous testing I was able
to make StrongSwan work with Cisco ASA, but only with IKEv1
(authby=xauthrsasig). The Cisco ASA is giving some strange errors and what
appears to be some sort of proprietary IKEv2 (doubtful since people have
interop with IOS and StrongSwan IKEv2).
 
The success traces of a Windows Cisco AnyConnect client along with the
non-working StrongSwan client (4.5.2) logs are uploaded to dropbox
(https://www.dropbox.com/sh/3yfdbdfahra5bn0/eR4_f07lNb?m).

I did attempt to compare the Cisco VPN client logs with the StrongSwan client
logs and it appears that the Cisco VPN client is detected via some custom
fields and a different path is chosen (looks like some hidden
authentication method) instead of the usual rsa (authby=rsasig) route.
 
 
## StrongSwan Configuration
 
config setup
        interfaces="ipsec0=eth0"
        charondebug="dmn 20, mgr 20, ike 20, chd 20, job 20, cfg 20, knl 20, net 20, lib 20"
        crlcheckinterval=30
        strictcrlpolicy=no
        nat_traversal=yes
        charonstart=yes
        plutostart=no

conn %default
        type=tunnel
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        dpdaction=clear
        dpddelay=30s
 
conn nat-t
       keyexchange=ikev2
       ike=3des-sha1-modp1536!
       authby=rsasig
       leftid="/C=IN/ST=Karnataka/L=Bangalore/O=xxxxxx India Pvt Ltd/E=admin at india.xxxxxxx.com/CN=user at india.xxxxxxx.com/OU=XXXX_TEST"
       leftcert=clientcert.pem
       left=%defaultroute
       leftfirewall=no
       right=10.168.0.4
       rightid="/C=IN,/ST=Karnataka,/O=xxxxxxxx India Pvt Ltd,/OU=XXXX_TEST,/CN=ciscoasa at india.xxxxxxx.com,/E=admin at india.xxxxxx.com"
       rightsendcert=never
       rightsubnet=10.168.0.0/16
       auto=add

include /var/lib/strongswan/ipsec.conf.inc
 
## Cisco ASA Failure Debug Traces Snippet
 
IKEv2-PROTO-5: (125): SM Trace-> SA: I_SPI=3CB810FD4C3978E4 R_SPI=BBB1A162EFFE3BB0 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (125): SM Trace-> SA: I_SPI=3CB810FD4C3978E4 R_SPI=BBB1A162EFFE3BB0 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-3: (125): Getting configured policies
IKEv2-PLAT-3: mapped to tunnel group XXXX_TEST using cert OU(s)
IKEv2-PLAT-3: (125) tg_name set to: XXXX_TEST
IKEv2-PLAT-3: (125) tunn grp type set to: RA
IKEv2-PLAT-3: Peer ID check started, received ID type: DER ASN1 DN
IKEv2-PLAT-3: Peer ID check: retreived DN from cert
IKEv2-PLAT-3: Peer ID check: matched by cert DN
IKEv2-PLAT-3: Peer ID check passed
IKEv2-PLAT-1: Failed to set P1 auth to build policy
IKEv2-PLAT-1: unable to build ikev2 policy
IKEv2-PROTO-1: (125): Failed to locate an item in the database
IKEv2-PROTO-1: (125): 

## Charon log snippet
 
Sep  4 10:51:01 user-Latitude-D520 charon: 05[NET] received packet: from 10.168.0.4[4500] to 10.168.0.28[4500]
Sep  4 10:51:01 user-Latitude-D520 charon: 05[NET] waiting for data on raw sockets
Sep  4 10:51:01 user-Latitude-D520 charon: 14[MGR] checkout IKE_SA by message
Sep  4 10:51:01 user-Latitude-D520 charon: 14[MGR] IKE_SA nat-t[1] successfully checked out
Sep  4 10:51:01 user-Latitude-D520 charon: 14[NET] received packet: from 10.168.0.4[4500] to 10.168.0.28[4500]
Sep  4 10:51:01 user-Latitude-D520 charon: 14[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep  4 10:51:01 user-Latitude-D520 charon: 14[IKE] received AUTHENTICATION_FAILED notify error
Sep  4 10:51:01 user-Latitude-D520 charon: 14[KNL] deleting SAD entry with SPI c76b002a
 
 
> Any pointers will be of great help.
 
Thanks
 
-Neeraj
kaju09 at aol.com
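
A triage script for the two log snippets in this message, added here as an example and not part of the original post: it reads the ASA debug trace and the charon log and reports where the responder stopped and which notify the initiator received. The function names and regular expressions are assumptions based only on the line formats visible above; the sample input is constructed from those lines with the e-mail wrapping undone.

```python
import re

# Constructed sample input: lines taken from the two snippets in the post,
# with the e-mail line wrapping undone.
ASA_LOG = """\
IKEv2-PROTO-5: (125): SM Trace-> SA: I_SPI=3CB810FD4C3978E4 R_SPI=BBB1A162EFFE3BB0 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PLAT-3: (125) tunn grp type set to: RA
IKEv2-PLAT-3: Peer ID check passed
IKEv2-PLAT-1: Failed to set P1 auth to build policy
IKEv2-PLAT-1: unable to build ikev2 policy
IKEv2-PROTO-1: (125): Failed to locate an item in the database
"""
CHARON_LOG = """\
Sep  4 10:51:01 user-Latitude-D520 charon: 14[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep  4 10:51:01 user-Latitude-D520 charon: 14[IKE] received AUTHENTICATION_FAILED notify error
"""

# Assumed line shapes, derived from the snippets in the post only.
ASA_LINE = re.compile(r"^IKEv2-(?:PROTO|PLAT)-(\d): (?:\(\d+\):? ?)?(.*)$")
SM_TRACE = re.compile(r"I_SPI=(\w+) R_SPI=(\w+) .*CurState: (\S+) Event: (\S+)")
CHARON_ENC = re.compile(r"\[ENC\] parsed (\S+) (request|response) (\d+) \[ (.*) \]")

def asa_failure(log):
    """Last state-machine position plus the level-1 messages logged after it."""
    pos, errors = None, []
    for line in log.splitlines():
        m = ASA_LINE.match(line.strip())
        if not m:
            continue
        level, msg = int(m.group(1)), m.group(2)
        sm = SM_TRACE.search(msg)
        if sm:  # a new state/event resets the error list
            pos, errors = dict(zip(("i_spi", "r_spi", "state", "event"), sm.groups())), []
        elif level == 1 and msg:  # skip empty level-1 lines
            errors.append(msg)
    return pos, errors

def charon_notifies(log):
    """(exchange, direction, message id, notify names) for each parsed message with a notify."""
    out = []
    for m in CHARON_ENC.finditer(log):
        names = re.findall(r"N\((\w+)\)", m.group(4))
        if names:
            out.append((m.group(1), m.group(2), int(m.group(3)), names))
    return out

if __name__ == "__main__":
    print(asa_failure(ASA_LOG))
    print(charon_notifies(CHARON_LOG))
```
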




