[strongSwan] ikev1 cisco l2l issue
Tormod Macleod
tormod.macleod at gmail.com
Fri Sep 11 16:22:26 CEST 2015
Hi Noel,
Thanks, increasing the DPD timeout got me past the initial problem.
However, I then ran into a problem when the ciscoasa initiates a rekey of
the phase 2 tunnel, as below.
If I'm honest, I don't really understand how increasing the DPD timeout on
the ciscoasa got us past the first problem as without making that change
the ciscoasa was performing DPD against the previous set of SPIs. Don't
really understand how increasing DPD timers fixed that but I'm very glad it
did.
Suffice to say I've no idea what's going on here. It looks to me like the
ciscoasa kicks off a rekey and doesn't then like some of the parameters it
receives from strongswan although I can't see why that would be as they're
the same as they were when the tunnel was originally established.
As always, I'd be grateful for any help,
Cheers,
Tormod
Sep 11 14:40:12 localhost charon: 01[NET] received packet: from
2.2.2.2[4500] to 10.197.0.8[4500] (172 bytes)
Sep 11 14:40:12 localhost charon: 01[ENC] parsed QUICK_MODE request
1378200058 [ HASH SA No ID ID ]
Sep 11 14:40:12 localhost charon: 01[IKE] received 4608000000 lifebytes,
configured 0
Sep 11 14:40:12 localhost charon: 01[IKE] detected rekeying of CHILD_SA
remote-site{1}
Sep 11 14:40:12 localhost charon: 01[ENC] generating QUICK_MODE response
1378200058 [ HASH SA No ID ID ]
Sep 11 14:40:12 localhost charon: 01[NET] sending packet: from
10.197.0.8[4500] to 2.2.2.2[4500] (188 bytes)
Sep 11 14:40:12 localhost charon: 08[NET] received packet: from
2.2.2.2[4500] to 10.197.0.8[4500] (108 bytes)
Sep 11 14:40:12 localhost charon: 08[ENC] parsed INFORMATIONAL_V1 request 0
[ N(NO_PROP) ]
Sep 11 14:40:12 localhost charon: 08[ENC] ignoring unprotected
INFORMATIONAL from 2.2.2.2
Sep 11 14:40:12 localhost charon: 08[IKE] message verification failed
Sep 11 14:40:12 localhost charon: 08[IKE] ignore malformed INFORMATIONAL
request
Sep 11 14:40:12 localhost charon: 08[IKE] INFORMATIONAL_V1 request with
message ID 0 processing failed
Sep 11 14:40:12 localhost charon: 10[NET] received packet: from
2.2.2.2[4500] to 10.197.0.8[4500] (76 bytes)
Sep 11 14:40:12 localhost charon: 10[ENC] invalid HASH_V1 payload length,
decryption failed?
Sep 11 14:40:12 localhost charon: 10[ENC] could not decrypt payloads
Sep 11 14:40:12 localhost charon: 10[IKE] message parsing failed
Sep 11 14:40:12 localhost charon: 10[IKE] ignore malformed INFORMATIONAL
request
Sep 11 14:40:12 localhost charon: 10[IKE] INFORMATIONAL_V1 request with
message ID 3402278071 processing failed
Sep 11 14:40:16 localhost charon: 11[IKE] sending DPD request
Sep 11 14:40:16 localhost charon: 11[ENC] generating INFORMATIONAL_V1
request 194359953 [ HASH N(DPD) ]
Sep 11 14:40:16 localhost charon: 11[NET] sending packet: from
10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Sep 11 14:40:17 localhost charon: 13[IKE] sending retransmit 1 of response
message ID 1378200058, seq 4
Sep 11 14:40:17 localhost charon: 13[NET] sending packet: from
10.197.0.8[4500] to 2.2.2.2[4500] (188 bytes)
Sep 11 14:40:21 localhost charon: 12[IKE] sending DPD request
Sep 11 14:40:21 localhost charon: 12[ENC] generating INFORMATIONAL_V1
request 2192883655 [ HASH N(DPD) ]
Sep 11 14:40:21 localhost charon: 12[NET] sending packet: from
10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Sep 11 14:40:22 localhost charon: 03[IKE] sending retransmit 2 of response
message ID 1378200058, seq 4
Sep 11 14:40:22 localhost charon: 03[NET] sending packet: from
10.197.0.8[4500] to 2.2.2.2[4500] (188 bytes)
Sep 11 14:40:26 localhost charon: 02[IKE] sending DPD request
Sep 11 14:40:26 localhost charon: 02[ENC] generating INFORMATIONAL_V1
request 2465606183 [ HASH N(DPD) ]
Sep 11 14:40:26 localhost charon: 02[NET] sending packet: from
10.197.0.8[4500] to 2.2.2.2[4500] (92 bytes)
Sep 11 14:40:27 localhost charon: 01[IKE] sending retransmit 3 of response
message ID 1378200058, seq 4
Sep 11 14:40:27 localhost charon: 01[NET] sending packet: from
10.197.0.8[4500] to 2.2.2.2[4500] (188 bytes)
Sep 11 14:40:31 localhost charon: 08[JOB] DPD check timed out, enforcing
DPD action
Sep 11 2015 12:04:06 ciscoasa : %ASA-5-713119: Group = 1.1.1.1, IP =
1.1.1.1, PHASE 1 COMPLETED
Sep 11 2015 13:40:06 ciscoasa : %ASA-5-713041: Group = 1.1.1.1, IP =
1.1.1.1, IKE Initiator: Rekeying Phase 2, Intf OUTSIDE, IKE Peer 1.1.1.1
local Proxy Address 10.4.0.0, remote Proxy Address 172.16.10.0, Crypto map
(mymap)
Sep 11 2015 13:40:06 ciscoasa : %ASA-5-713257: Phase 2 failure: Mismatched
attribute types for class Encapsulation Mode: Rcv'd: UDP Tunnel(NAT-T)
Cfg'd: UDP Tunnel(NAT-T)
Sep 11 2015 13:40:06 ciscoasa : %ASA-3-713048: Group = 1.1.1.1, IP =
1.1.1.1, Error processing payload: Payload ID: 1
Sep 11 2015 13:40:06 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, QM FSM error (P2 struct &0xbc4354d0, mess id 0x5225a9fa)!
Sep 11 2015 13:40:11 ciscoasa : %ASA-5-713904: Group = 1.1.1.1, IP =
1.1.1.1, Received encrypted Oakley Informational packet with invalid
payloads, MessID = 194359953
Sep 11 2015 13:40:11 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, Received encrypted Oakley Quick Mode packet with invalid payloads,
MessID = 1378200058
Sep 11 2015 13:40:11 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, QM FSM error (P2 struct &0xbc4354d0, mess id 0x5225a9fa)!
Sep 11 2015 13:40:11 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, Removing peer from correlator table failed, no match!
Sep 11 2015 13:40:15 ciscoasa : %ASA-5-713904: Group = 1.1.1.1, IP =
1.1.1.1, Received encrypted Oakley Informational packet with invalid
payloads, MessID = 2192883655
Sep 11 2015 13:40:16 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, Received encrypted Oakley Quick Mode packet with invalid payloads,
MessID = 1378200058
Sep 11 2015 13:40:16 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, QM FSM error (P2 struct &0xbc4354d0, mess id 0x5225a9fa)!
Sep 11 2015 13:40:16 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, Removing peer from correlator table failed, no match!
Sep 11 2015 13:40:21 ciscoasa : %ASA-5-713904: Group = 1.1.1.1, IP =
1.1.1.1, Received encrypted Oakley Informational packet with invalid
payloads, MessID = 2465606183
Sep 11 2015 13:40:21 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, Received encrypted Oakley Quick Mode packet with invalid payloads,
MessID = 1378200058
Sep 11 2015 13:40:21 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, QM FSM error (P2 struct &0xbc4354d0, mess id 0x5225a9fa)!
Sep 11 2015 13:40:21 ciscoasa : %ASA-3-713902: Group = 1.1.1.1, IP =
1.1.1.1, Removing peer from correlator table failed, no match!
Sep 11 2015 13:40:36 ciscoasa : %ASA-5-713259: Group = 1.1.1.1, IP =
1.1.1.1, Session is being torn down. Reason: Unknown
Sep 11 2015 13:40:36 ciscoasa : %ASA-4-113019: Group = 1.1.1.1, Username =
1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN,
Duration: 7h:36m:30s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
Sep 11 2015 13:40:36 ciscoasa : %ASA-4-602304: IPSEC: An outbound
LAN-to-LAN SA (SPI= 0xC53802D8) between 2.2.2.2 and 1.1.1.1 (user= 1.1.1.1)
has been deleted.
Sep 11 2015 13:40:36 ciscoasa : %ASA-4-602304: IPSEC: An inbound LAN-to-LAN
SA (SPI= 0x051DBAE8) between 1.1.1.1 and 2.2.2.2 (user= 1.1.1.1) has been
deleted.
On 22 August 2015 at 01:51, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
>
> Hello Tormod,
>
> > The phase 1 rekey is immediately successful but the tunnel is torn down
> by DPD on the cisco asa around 15 seconds later. It looks to me like a
> problem with the cisco asa as I understood that the initiator (in this case
> the strongswan instance) should be the one that initiates the rekey. And
> even then, it shouldn't rekey until the phase 1 lifetime is expiring. I
> thought I'd mail my problem to this list in the hope that someone might
> offer some advice. Hopefully I'm just doing something stupid.
> >
> Any side can initiate a rekey event. Try increasing the DPD timeout on the
> ASA to be 3x higher than the dpddelay setting of strongSwan.
>
> > dpdtimeout=10s
> > dpddelay=10s
>
> That doesn't make any sense. Sane values are dpddelay=5s and
> dpdtimeout=15s, so dpd times out after three packets or 15
> seconds without answer to a DPD packet.
>
> You should match that setting to the value in the cisco config:
> > isakmp keepalive threshold 10 retry 3
>
> - --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
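As an added illustration (not code from this thread, from strongSwan or from Cisco), here is a small Python helper that scans charon log lines for the pattern Tormod reports above: a QUICK_MODE response that is never acknowledged and is retransmitted until "DPD check timed out" tears the IKE_SA down, with the peer's unprotected N(NO_PROP) reply noted alongside. It also encodes Noel's rule of thumb that dpdtimeout should allow three unanswered probes (dpdtimeout >= 3 * dpddelay). The sample log lines are constructed, modelled on the ones in the post but unwrapped onto single lines.

```python
import re
from collections import Counter

# Constructed sample, modelled on the charon lines quoted in the post.
SAMPLE_LOG = """\
Sep 11 14:40:12 localhost charon: 01[IKE] detected rekeying of CHILD_SA remote-site{1}
Sep 11 14:40:12 localhost charon: 01[ENC] generating QUICK_MODE response 1378200058 [ HASH SA No ID ID ]
Sep 11 14:40:12 localhost charon: 08[ENC] parsed INFORMATIONAL_V1 request 0 [ N(NO_PROP) ]
Sep 11 14:40:12 localhost charon: 08[ENC] ignoring unprotected INFORMATIONAL from 2.2.2.2
Sep 11 14:40:17 localhost charon: 13[IKE] sending retransmit 1 of response message ID 1378200058, seq 4
Sep 11 14:40:22 localhost charon: 03[IKE] sending retransmit 2 of response message ID 1378200058, seq 4
Sep 11 14:40:27 localhost charon: 01[IKE] sending retransmit 3 of response message ID 1378200058, seq 4
Sep 11 14:40:31 localhost charon: 08[JOB] DPD check timed out, enforcing DPD action
"""

RETRANSMIT = re.compile(r"sending retransmit (\d+) of response message ID (\d+)")
NO_PROP = re.compile(r"parsed INFORMATIONAL_V1 request \d+ \[ N\(NO_PROP\) \]")
DPD_TIMEOUT = "DPD check timed out"


def analyse(log: str) -> dict:
    """Summarise the stalled-rekey pattern in a charon log excerpt:
    highest retransmit count per response message ID, whether the peer
    answered with NO_PROPOSAL_CHOSEN, and whether DPD finally fired."""
    retransmits = Counter()
    no_prop = False
    dpd_timeout = False
    for line in log.splitlines():
        m = RETRANSMIT.search(line)
        if m:
            mid = m.group(2)
            retransmits[mid] = max(retransmits[mid], int(m.group(1)))
        if NO_PROP.search(line):
            no_prop = True
        if DPD_TIMEOUT in line:
            dpd_timeout = True
    # A response retransmitted three or more times never got through.
    stalled = [mid for mid, n in retransmits.items() if n >= 3]
    return {"retransmits": dict(retransmits), "no_prop": no_prop,
            "dpd_timeout": dpd_timeout, "stalled_responses": stalled}


def dpd_timers_sane(dpddelay: int, dpdtimeout: int) -> bool:
    """Noel's rule of thumb: the timeout must cover three unanswered
    DPD probes, i.e. dpdtimeout >= 3 * dpddelay (e.g. 5s / 15s)."""
    return dpdtimeout >= 3 * dpddelay
```

Feeding the log excerpt from the post through analyse() flags message ID 1378200058 as a stalled response ending in a DPD teardown, and dpd_timers_sane(10, 10) rejects the original dpddelay=10s/dpdtimeout=10s pairing that Noel objected to.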