[strongSwan] Incorrect Phase II for Cisco IOS Transport VPN

John Marrett johnf at zioncluster.ca
Mon Apr 20 16:50:40 CEST 2015


With the assistance of Noel Kuntz (Thermi on #strongswan) and Cisco TAC
I've managed to resolve the problem.

The issue was that the Cisco device absolutely required the IPSec tunnel to
have the protocol limited to GRE (port 47).

The Cisco side of a functional tunnel is seen as follows in sh cry ips

   local  ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.2.0.96/255.255.255.255/47/0)

I had to configure my subnets as follows:

        leftsubnet=%dynamic[47/%any]
        rightsubnet=%dynamic[47/%any]

With this configuration in place I was able to successfully negotiate the
tunnel.

-JohnF

On Sun, Apr 19, 2015 at 8:34 PM, Miroslav Svoboda <goodmirek at goodmirek.cz>
wrote:

> Hi John,
>
> I think it is not possible to use transport mode with a local (left) address
> from a private range, not routable over the internet, unless the peer is in the
> same private network.
> I suggest trying a change to "left=%any", "rightsubnet=0.0.0.0/0",
> "leftsourceip=%config". You should not specify "leftsubnet"; it has the same
> effect as "leftsubnet=%dynamic". Also delete "type=transport" or change
> it to tunnel.
> If that does not help, can you please increase the loglevel as described here
> <https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration>
> and provide the log?
> The lines emphasized in bold below are especially important; they were obtained with the
> following settings in strongswan.d/charon-logging.conf:
>             enc = 1
>             job = 1
>             cfg = 2
>             ike = 4
>             mgr = 4
>             knl = 2
>
> Also attach output of "ipsec statusall" command.
>
> The log should look like this, even though this one is from a VPN server to which
> roadwarriors are connecting:
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> IKE_SA roadwarrior[1] state
> change: CONNECTING => ESTABLISHED
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> scheduling reauthentication in
> 9746s
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> maximum IKE_SA lifetime 10286s
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> sending end entity cert "C=CZ,
> O=Aloha, CN=swan.aloha.com"
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> peer requested virtual IP %any
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1> assigning new lease to 'C=CZ,
> O=Aloha, CN=GoodBoy'
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> assigning virtual IP
> 192.168.55.1 to peer 'C=CZ, O=Aloha, CN=GoodBoy'
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> peer requested virtual IP %any6
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> no virtual IP found for %any6
> requested by 'C=CZ, O=Aloha, CN=GoodBoy'
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> building INTERNAL_IP4_DNS
> attribute
> 2015-04-18 21:40:28 10[IKE] <roadwarrior|1> building INTERNAL_IP4_DNS
> attribute
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1> looking for a child config
> for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1> proposing traffic selectors
> for us:*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1>  0.0.0.0/0*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1> proposing traffic selectors
> for other:*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1>  192.168.55.1/32*
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1>   candidate "roadwarrior" with
> prio 10+2
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1> found matching child config
> "roadwarrior" with prio 12
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1>   no acceptable
> ENCRYPTION_ALGORITHM found
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1>   no acceptable
> INTEGRITY_ALGORITHM found
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1>   no acceptable
> ENCRYPTION_ALGORITHM found
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting proposal:
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1>   proposal matches
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1> received proposals:
> ESP:AES_GCM_16_128/AES_GCM_16_256/NO_EXT_SEQ,
> ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ,
> ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ,
> ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA1_96/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/NO_EXT_SEQ
> @
> 2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selected proposal:
> ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
> 2015-04-18 21:40:28 10[KNL] <roadwarrior|1> got SPI cff90361
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting traffic selectors
> for us:*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1>  config: 0.0.0.0/0,
> received: 0.0.0.0/0 => match: 0.0.0.0/0*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1>  config: 0.0.0.0/0,
> received: ::/0 => no match*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1> selecting traffic selectors
> for other:*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1>  config: 192.168.55.1/32,
> received: 0.0.0.0/0 => match: 192.168.55.1/32*
> *2015-04-18 21:40:28 10[CFG] <roadwarrior|1>  config: 192.168.55.1/32,
> received: ::/0 => no match*
> 2015-04-18 21:40:28 10[KNL] <roadwarrior|1> adding SAD entry with SPI
> cff90361 and reqid {1}  (mark 0/0x00000000)
> 2015-04-18 21:40:28 10[KNL] <roadwarrior|1>   using encryption algorithm
> AES_CBC with key size 128
> 2015-04-18 21:40:28 10[KNL] <roadwarrior|1>   using integrity algorithm
> HMAC_SHA1_96 with key size 160
> 2015-04-18 21:40:28 10[KNL] <roadwarrior|1>   using replay window of 32
> packets
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding SAD entry with SPI
> a2210fbc and reqid {1}  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1>   using encryption algorithm
> AES_CBC with key size 128
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1>   using integrity algorithm
> HMAC_SHA1_96 with key size 160
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1>   using replay window of 32
> packets
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy 0.0.0.0/0 ===
> 192.168.55.1/32 out  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy 192.168.55.1/32
> === 0.0.0.0/0 in  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> adding policy 192.168.55.1/32
> === 0.0.0.0/0 fwd  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in
> traffic selector 0.0.0.0/0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to
> reach 176.74.128.37/32
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface
> eth0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> installing route:
> 192.168.55.1/32 via 10.20.30.1 src %any dev eth0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting iface index for eth0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 0.0.0.0/0 ===
> 192.168.55.1/32 out  (mark 0/0x00000000) already exists, increasing
> refcount
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy 0.0.0.0/0 ===
> 192.168.55.1/32 out  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 192.168.55.1/32 ===
> 0.0.0.0/0 in  (mark 0/0x00000000) already exists, increasing refcount
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy
> 192.168.55.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 192.168.55.1/32 ===
> 0.0.0.0/0 fwd  (mark 0/0x00000000) already exists, increasing refcount
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy
> 192.168.55.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in
> traffic selector 0.0.0.0/0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to
> reach 176.74.128.37/32
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface
> eth0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> installing route:
> 192.168.55.1/32 via 10.20.30.1 src %any dev eth0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting iface index for eth0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 0.0.0.0/0 ===
> 192.168.55.1/32 out  (mark 0/0x00000000) already exists, increasing
> refcount
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy 0.0.0.0/0 ===
> 192.168.55.1/32 out  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 192.168.55.1/32 ===
> 0.0.0.0/0 in  (mark 0/0x00000000) already exists, increasing refcount
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy
> 192.168.55.1/32 === 0.0.0.0/0 in  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> policy 192.168.55.1/32 ===
> 0.0.0.0/0 fwd  (mark 0/0x00000000) already exists, increasing refcount
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> updating policy
> 192.168.55.1/32 === 0.0.0.0/0 fwd  (mark 0/0x00000000)
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> getting a local address in
> traffic selector 0.0.0.0/0
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using host %any
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> using 10.20.30.1 as nexthop to
> reach 176.74.128.37/32
> 2015-04-18 21:40:29 10[KNL] <roadwarrior|1> 10.20.30.40 is on interface
> eth0
> 2015-04-18 21:40:29 10[IKE] <roadwarrior|1> CHILD_SA roadwarrior{1}
> established with SPIs cff90361_i a2210fbc_o and TS 0.0.0.0/0 ===
> 192.168.55.1/32
> 2015-04-18 21:40:29 10[ENC] <roadwarrior|1> generating IKE_AUTH response 1
> [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
> N(NO_ADD_ADDR) ]
> 2015-04-18 21:40:29 10[NET] <roadwarrior|1> sending packet: from
> 10.20.30.40[4500] to 176.74.128.37[37370] (1612 bytes)
> 2015-04-18 21:40:29 10[MGR] <roadwarrior|1> checkin IKE_SA roadwarrior[1]
> 2015-04-18 21:40:29 10[MGR] <roadwarrior|1> check-in of IKE_SA successful.
>
> Regards,
> Miroslav
>
> On Saturday, April 18, 2015 at 2:57:02 PM UTC+2, John Marrett wrote:
>>
>> I'm trying to build a gre tunnel / transport based IPSec VPN between a
>> Cisco IOS router and a device running strongswan on openwrt. I successfully
>> negotiate phase 1 but then fail to negotiate phase 2.
>>
>> The Cisco device indicates proxy identities are not supported, which
>> would suggest that the IPSec session is being negotiated with the wrong IP
>> addresses. Here are the log messages from the Cisco device:
>>
>> .Apr 18 08:26:03.870: ISAKMP:(13414):Checking IPSec proposal 0
>> .Apr 18 08:26:03.870: ISAKMP: transform 1, ESP_AES
>> .Apr 18 08:26:03.870: ISAKMP:   attributes in transform:
>> .Apr 18 08:26:03.870: ISAKMP:      key length is 128
>> .Apr 18 08:26:03.870: ISAKMP:      authenticator is HMAC-SHA512
>> .Apr 18 08:26:03.870: ISAKMP:      encaps is 2 (Transport)
>> .Apr 18 08:26:03.870: ISAKMP:      SA life type in seconds
>> .Apr 18 08:26:03.870: ISAKMP:      SA life duration (basic) of 3600
>> .Apr 18 08:26:03.870: ISAKMP:(13414):atts are acceptable.
>> .Apr 18 08:26:03.870: IPSEC(ipsec_process_proposal): proxy identities not
>> supported
>> .Apr 18 08:26:03.870: ISAKMP:(13414): IPSec policy invalidated proposal
>> with error 32
>> .Apr 18 08:26:03.870: ISAKMP:(13414): phase 2 SA policy not acceptable!
>> (local x.x.x.x remote 10.2.0.29)
>>
>> And here is the configuration for strongswan. I had originally omitted
>> the subnet definitions but I added them to ensure that the correct subnets
>> were specified.
>>
>> conn host-host
>>     left=10.2.0.29
>>     leftid=10.2.0.29
>>     leftsubnet=10.2.0.29/32
>>     right=x.x.x.x
>>     rightid=x.x.x.x
>>     rightsubnet=x.x.x.x/32
>>     type=transport
>>     auto=start
>>     keyexchange=ikev1
>>     ike=aes128-sha256-modp4096!
>>     esp=aes128-sha512!
>>     authby=secret
>>
>> I am running strongswan 5.2.2 on Openwrt. The Cisco router is running a
>> dev special release of 15.3(3)M3.2.
>>
>> Thank you in advance for your help,
>>
>> -JohnF
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>