[strongSwan] StrongSwan to CiscoASA connection fails every few days
Tormod Macleod
TMacleod at paywizard.com
Sat Jan 17 12:14:23 CET 2015
Hello list,
I'm using strongSwan 5.2.0 running on CentOS 6.5; the other end of the VPN is a Cisco ASA running 9.1(3).
Every few days the connection drops out and we have to do ipsec restart on the strongSwan end. I've tried using IKEv1 and IKEv2, but it doesn't seem to make any difference. I'd be grateful if someone could give me some advice on where the problem might lie. I'm pretty stumped, I'm afraid.
The connection died around 08:22 this morning. I've attached the messages file and some config.
Here's an ipsec statusall from the strongSwan box right now:
Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-504.3.3.el6.x86_64, x86_64):
uptime: 41 hours, since Jan 15 17:09:11 2015
malloc: sbrk 270336, mmap 0, used 205008, free 65328
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
10.1.1.1
Connections:
ciscoios: 10.1.1.1...444.444.444.444 IKEv2
ciscoios: local: [10.1.1.1] uses pre-shared key authentication
ciscoios: remote: [444.444.444.444] uses pre-shared key authentication
ciscoios: child: 10.1.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
none
And some stats from the ASA:
ASA# sh crypto ikev2 sa
There are no IKEv2 SAs
ASA# sh crypto ipsec sa
There are no ipsec sas
If I restart the connection, here's what the statusall looks like:
Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32-504.3.3.el6.x86_64, x86_64):
uptime: 22 seconds, since Jan 17 10:58:27 2015
malloc: sbrk 270336, mmap 0, used 205008, free 65328
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
10.1.1.1
Connections:
ciscoios: 10.1.1.1...444.444.444.444 IKEv2
ciscoios: local: [10.1.1.1] uses pre-shared key authentication
ciscoios: remote: [444.444.444.444] uses pre-shared key authentication
ciscoios: child: 10.1.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
ciscoios[1]: ESTABLISHED 22 seconds ago, 10.1.1.1[10.1.1.1]...444.444.444.444[444.444.444.444]
ciscoios[1]: IKEv2 SPIs: de5d948f9c8f22af_i* cb7c5a2906edd007_r, pre-shared key reauthentication in 23 hours
ciscoios[1]: IKE proposal: AES_CBC_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536
ciscoios{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c96684fa_i 94701406_o
ciscoios{1}: AES_CBC_128/HMAC_SHA1_96, 2436 bytes_i (29 pkts, 1s ago), 2436 bytes_o (29 pkts, 1s ago), rekeying in 54 minutes
ciscoios{1}: 10.1.0.0/16 === 192.168.0.0/16
And here's some stats from the ASA:
ASA# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:22, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
321156029 444.444.444.444/4500 333.333.333.333/4500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/163 sec
Session-id: 22
Status Description: Negotiation done
Local spi: 07D0ED06295A7CCB Remote spi: AF228F9C8F945DDE
Local id: 444.444.444.444
Remote id: 10.1.1.1
Local req mess id: 0 Remote req mess id: 2
Local next mess id: 0 Remote next mess id: 2
Local req queued: 0 Remote req queued: 2
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is detected outside
Child sa: local selector 192.168.0.0/0 - 192.168.255.255/65535
remote selector 10.1.0.0/0 - 10.1.255.255/65535
ESP spi in/out: 0x94701406/0xc96684fa
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 128, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
ASA# sh crypto ipsec sa
interface: OUTSIDE
Crypto map tag: mymap, seq num: 1, local addr: 444.444.444.444
access-list AWSInt-VPN-ACL extended permit ip 192.168.0.0 255.255.0.0 10.1.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: 333.333.333.333
#pkts encaps: 443, #pkts encrypt: 443, #pkts digest: 443
#pkts decaps: 443, #pkts decrypt: 443, #pkts verify: 443
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 443, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 444.444.444.444/4500, remote crypto endpt.: 333.333.333.333/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C96684FA
current inbound spi : 94701406
inbound esp sas:
spi: 0x94701406 (2490373126)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 598016, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4008923/28564)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC96684FA (3378939130)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, IKEv2, }
slot: 0, conn_id: 598016, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4331483/28564)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Any advice will be gratefully received.
Cheers,
Tormod
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ciscoASAconfig.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150117/1636479a/attachment-0002.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.conf
Type: application/octet-stream
Size: 532 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150117/1636479a/attachment-0001.obj>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: messages.txt
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150117/1636479a/attachment-0003.txt>
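As an added example (not part of Tormod's post or of strongSwan's own tooling), a small POSIX shell checker that classifies a connection from `ipsec statusall` text in the format shown above, so a cron job can detect the "0 up" state before anyone notices; the status samples are constructed from the post's output, and the connection name ciscoios and the cron usage are assumptions.

```shell
#!/bin/sh
# Added example: classify a strongSwan connection from 'ipsec statusall' text.
# Constructed sample mirroring the post's output after the tunnel died;
# in production use STATUS="$(ipsec statusall)".
STATUS_DOWN='Status of IKE charon daemon (strongSwan 5.2.0, Linux 2.6.32, x86_64):
Connections:
     ciscoios:  10.1.1.1...444.444.444.444  IKEv2
     ciscoios:   child:  10.1.0.0/16 === 192.168.0.0/16 TUNNEL
Security Associations (0 up, 0 connecting):
  none'

# Constructed sample of the healthy state seen after the restart.
STATUS_UP='Security Associations (1 up, 0 connecting):
     ciscoios[1]: ESTABLISHED 22 seconds ago, 10.1.1.1[10.1.1.1]...444.444.444.444[444.444.444.444]
     ciscoios{1}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c96684fa_i 94701406_o
     ciscoios{1}:   10.1.0.0/16 === 192.168.0.0/16'

# sa_up_count STATUS -> the N from "Security Associations (N up, ..." (0 on the
# dead tunnel above, 1 on the healthy one)
sa_up_count() {
  printf '%s\n' "$1" | sed -n 's/^Security Associations (\([0-9][0-9]*\) up.*/\1/p'
}

# conn_state CONN STATUS -> "up" (CHILD_SA installed, traffic can flow),
# "ike-only" (IKE_SA established but no CHILD_SA, so no traffic flows),
# or "down" (no SA at all, the state in the post).
conn_state() {
  conn=$1; status=$2
  if printf '%s\n' "$status" | grep -q "^ *$conn{[0-9]*}: *INSTALLED"; then
    echo up
  elif printf '%s\n' "$status" | grep -q "^ *$conn\[[0-9]*]: *ESTABLISHED"; then
    echo ike-only
  else
    echo down
  fi
}

# Live mode (assumed cron usage): ipsec_watch.sh ciscoios
# Re-initiates just that connection with 'ipsec up' instead of a full restart.
if [ -n "${1:-}" ]; then
  state=$(conn_state "$1" "$(ipsec statusall)")
  [ "$state" = up ] || { logger -t ipsec-watch "$1 is $state, running ipsec up"; ipsec up "$1"; }
fi
```

A watchdog like this only papers over the drop; on the configuration side, strongSwan's `dpdaction=restart` and `closeaction=restart` in ipsec.conf are the usual way to have charon re-establish the tunnel on its own when the ASA (which reports DPD every 10 seconds above) tears down or loses the SA, and are worth checking in the attached ipsec.conf.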