[strongSwan] Issues with Cisco ASA S2S tunnels with StrongSwan IN AWS EC2
SoboL
sobol at sobol.org
Sun Nov 29 22:52:47 CET 2015
Hey All,
I had much success when running Cisco ASA tunnels with StrongSwan for one subnet only.
Ever since I had a requirement to tunnel multiple networks, I started to have problems with the stability of the tunnel for one of the networks.
Where traffic is initiated from the Cisco ASA for any of the networks, the tunnel comes up and works, but re-keying or traffic initiated from secondary networks behind StrongSwan won't bring the tunnel up. Restarting ipsec sometimes helps.
For each of those networks I've created a separate net-net listing.
Then I figured I'd put all networks in rightsubnet, though in this mode the tunnels break every few minutes and then come back.
Here is some debug:
Nat instance:
root at nat01:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
uptime: 4 days, since Nov 24 22:02:44 2015
malloc: sbrk 1548288, mmap 0, used 613744, free 934544
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1047
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
10.0.1.101
Connections:
net-net0: 10.0.1.101...94.1.1.1 IKEv2, dpddelay=60s
net-net0: local: [52.1.1.1] uses pre-shared key authentication
net-net0: remote: [94.1.1.1] uses pre-shared key authentication
net-net0: child: 10.0.0.0/20 === 94.1.1.1/32 172.30.0.0/22 192.168.20.0/24 192.168.0.0/20 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
net-net0[2566]: ESTABLISHED 93 seconds ago, 10.0.1.101[52.17.234.13]...94.236.82.4[94.236.82.4]
net-net0[2566]: IKEv2 SPIs: 610364da30e6ed96_i* 6c1f5e43b997c3f7_r, pre-shared key reauthentication in 23 hours
net-net0[2566]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
net-net0[2566]: Tasks queued: CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE CHILD_CREATE
net-net0[2566]: Tasks active: CHILD_CREATE
net-net0{486}: INSTALLED, TUNNEL, ESP in UDP SPIs: c9ac47e3_i 6a76157d_o
net-net0{486}: AES_CBC_256/HMAC_SHA1_96, 216200 bytes_i (303 pkts, 84s ago), 6660 bytes_o (126 pkts, 84s ago), rekeying in 54 minutes
net-net0{486}: 10.0.0.0/20 === 192.168.0.0/20
net-net0{2573}: INSTALLED, TUNNEL, ESP in UDP SPIs: c152d731_i 42f2f40b_o
net-net0{2573}: AES_CBC_256/HMAC_SHA1_96, 11016 bytes_i (109 pkts, 0s ago), 8016 bytes_o (73 pkts, 10s ago), rekeying in 55 minutes
net-net0{2573}: 10.0.0.0/20 === 172.30.0.0/22
root at nat01:~#
Cisco ASA:
asa# show crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:13470, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
1369521805 94.1.1.1/4500 52.1.1.1/4500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign:
PSK, Auth verify: PSK
Life/Active Time: 86400/6 sec
Child sa: local selector 192.168.0.0/0 - 192.168.15.255/65535
remote selector 10.0.0.0/0 - 10.0.15.255/65535
ESP spi in/out: 0xa4abb9cb/0xc6ed72a9
asa#
asa# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 94.1.1.1
access-list outside_cryptomap extended permit ip 192.168.0.0 255.255.240.0 10.0.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.0.0/255.255.240.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.240.0/0/0)
current_peer: 52.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 94.1.1.1/4500, remote crypto endpt.: 52.1.1.1/4500
path mtu 1500, ipsec overhead 82(52), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C6ED72A9
current inbound spi : A4ABB9CB
inbound esp sas:
spi: 0xA4ABB9CB (2762717643)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 5, IKEv2, }
slot: 0, conn_id: 58875904, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 3554
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC6ED72A9 (3337450153)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, PFS Group 5, IKEv2, }
slot: 0, conn_id: 58875904, crypto-map: outside_map
sa timing: remaining key lifetime (sec): 3553
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
And my configs:
EC2 Nat instance:
# basic configuration
config setup
    # plutodebug=all
    # strictcrlpolicy=yes
    # cachecrls=yes
    charondebug="ike 1, knl 1, cfg 1"

# Add connections here.
# Sample VPN connections
conn %default
    ikelifetime=86400s # Phase 1
    lifetime=3600s # Phase 2
    margintime=180s
    keyexchange=ikev2
    rekey=yes
    keyingtries=0
    type=tunnel
    authby=secret
    dpdaction=restart
    dpddelay=60s
    dpdtimeout=60

conn net-net0
    leftfirewall=yes
    left=10.0.1.101
    leftsubnet=10.0.0.0/20
    leftid=52.1.1.1
    right=94.1.1.1
    rightid=94.1.1.1
    rightsubnet=94.1.1.1,172.30.0.0/22,192.168.20.0/24,192.168.0.0/20
    ike=aes256-sha1-modp1536
    esp=aes256-sha1-modp1536
    authby=secret
    auto=start

include /var/lib/strongswan/ipsec.conf.inc
Cisco ASA:
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes unlimited
crypto ipsec security-association pmtu-aging infinite
crypto ipsec fragmentation after-encryption dmz
crypto ipsec fragmentation after-encryption dmz_backbone
crypto ipsec fragmentation after-encryption Management
crypto ipsec fragmentation after-encryption inside
crypto dynamic-map rack 65000 set ikev1 transform-set ESP-AES-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev1 transform-set TRANS_ESP_AES128_SHA TRANS_ESP_3DES_SHA trans1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set df-bit clear-df
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set reverse-route
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 52.1.1.1
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 set security-association lifetime seconds 3600
crypto map outside_map 1 set security-association lifetime kilobytes unlimited
crypto map outside_map 1 set df-bit clear-df
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp nat-traversal 60
crypto ikev2 policy 1
crypto ikev2 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 52.1.1.1 type ipsec-l2l
tunnel-group 52.1.1.1 general-attributes
 default-group-policy GroupPolicy_52.1.1.1
tunnel-group 52.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
Any help appreciated :)
Thanks