[strongSwan] Help to diagnose connection problem with Cisco ASA5585X
Jim Geurts
jim at mpirik.com
Sat May 9 16:20:06 CEST 2020
Hi,
I'm new to the world of strongswan and vpns in general, so I apologize if
this is answered elsewhere. I inherited a strongSwan box running Linux
strongSwan U5.7.2/K4.14.177-139.253.amzn2.x86_64. The other end is a Cisco
ASA5585X. The connection was up and running a few days ago, but I've been
trying to get auto=route working (it was previously auto=start) and that
caused the tunnel to go up/down a couple times. Now the tunnel will not
establish a connection. To me, it seems like it's the phase 2 establishment
that is failing, but I'm curious if someone could help clear up what is
going on or which part is failing?
My understanding (waiting for verification) is that the
configured settings for the tunnel from the cisco side are:
Phase 1
Encryption algorithm: AES-256
Hash algorithm: SHA-512
DH Group: 14
Lifetime: 28800 (seconds)
Phase 2:
Mode: IKE V2 Tunnel
ESP Encryption algorithm: AES-256
ESP Hash algorithm: SHA-512
PFS: DH Group 14
Lifetime: 3600 (seconds)
I have the following ipsec.conf file for the tunnel:
config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="ike 2, knl 2,esp 2, cfg 2, chd 2, lib 2, net 2"

conn %default
    ikelifetime=480m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn FOO
    leftid=205.251.242.103
    left=172.30.101.187
    leftsubnet=205.251.242.103/32
    leftupdown=/tmp/vpn/firewall-rules.sh
    right=176.32.98.166
    rightsubnet=104.40.92.107/32
    ike=aes256-sha512-modp2048!
    keyexchange=ikev2
    esp=aes256-sha2_512-modp2048!
    rekeymargin=9m
    type=tunnel
    compress=no
    authby=secret
    auto=route
    keyingtries=%forever
    forceencaps=yes
    mobike=no
ipsec statusall gives the following:
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.14.177-139.253.amzn2.x86_64, x86_64):
  uptime: 19 hours, since May 08 18:56:20 2020
  malloc: sbrk 1884160, mmap 0, used 828960, free 1055200
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
  172.30.101.187
Connections:
  FOO:  172.30.101.187...176.32.98.166  IKEv2
  FOO:  local:  [205.251.242.103] uses pre-shared key authentication
  FOO:  remote: [176.32.98.166] uses pre-shared key authentication
  FOO:  child:  205.251.242.103/32 === 104.40.92.107/32 TUNNEL
Routed Connections:
  FOO{1}:  ROUTED, TUNNEL, reqid 1
  FOO{1}:  205.251.242.103/32 === 104.40.92.107/32
Security Associations (0 up, 0 connecting):
  none
Sending traffic to 104.40.92.107 does not bring the tunnel up. If I try to
bring the tunnel up manually using ipsec up FOO, I get the following:
initiating IKE_SA FOO[1] to 176.32.98.166
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 172.30.101.187[500] to 176.32.98.166[500] (464 bytes)
received packet: from 176.32.98.166[500] to 172.30.101.187[500] (599 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
received Cisco Delete Reason vendor ID
received Cisco Copyright (c) 2009 vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
local host is behind NAT, sending keep alives
received 1 cert requests for an unknown ca
authentication of '205.251.242.103' (myself) with pre-shared key
establishing CHILD_SA FOO{2}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 172.30.101.187[4500] to 176.32.98.166[4500] (304 bytes)
received packet: from 176.32.98.166[4500] to 172.30.101.187[4500] (208 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '176.32.98.166' with pre-shared key successful
IKE_SA FOO[1] established between 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
scheduling reauthentication in 28116s
maximum IKE_SA lifetime 28656s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'FOO' failed
Any help or direction would be greatly appreciated, as I'm not really sure
what I can do next. Also, I'm hoping this is the underlying reason for
auto=route not working as expected. Thank you,
Jim
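As an added illustration (not code from the post, from strongSwan or from Cisco), the script below reads the charon messages quoted above to tell a phase-1 failure from a phase-2 one, and parses the ipsec.conf esp= value to compare it with the peer's documented phase-2 settings. The log excerpt and the CISCO_PHASE2 mapping are constructed from the values in the post.

```python
import re

# Excerpt constructed from the `ipsec up FOO` output quoted in the post.
IPSEC_UP_OUTPUT = """\
initiating IKE_SA FOO[1] to 176.32.98.166
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
authentication of '176.32.98.166' with pre-shared key successful
IKE_SA FOO[1] established between 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
"""

# Peer's phase-2 settings as the poster understood them, in strongSwan naming
# (AES-256, SHA-512, DH group 14 = modp2048). Constructed from the post.
CISCO_PHASE2 = {"enc": "aes256", "integ": "sha512", "dh": "modp2048"}

# strongSwan accepts both spellings; normalise so comparisons are by meaning.
ALIASES = {"sha2_256": "sha256", "sha2_384": "sha384", "sha2_512": "sha512"}

def parse_proposals(spec):
    """Split an ipsec.conf ike=/esp= value such as 'aes256-sha2_512-modp2048!'
    into one dict per comma-separated proposal; a trailing '!' means strict."""
    strict = spec.endswith("!")
    result = []
    for prop in spec.rstrip("!").split(","):
        parts = prop.split("-") + [None, None]  # pad missing integ/dh slots
        result.append({"enc": parts[0],
                       "integ": ALIASES.get(parts[1], parts[1]),
                       "dh": parts[2],
                       "strict": strict})
    return result

def proposal_matches(local, peer):
    """True when encryption, integrity and DH group all agree on paper."""
    return all(local[k] == peer[k] for k in ("enc", "integ", "dh"))

def classify_failure(log):
    """Name the IKEv2 stage that failed, judging only by charon's messages."""
    ike_up = re.search(r"IKE_SA \S+ established", log) is not None
    no_prop = "NO_PROPOSAL_CHOSEN" in log
    if ike_up and "no CHILD_SA built" in log:
        return "phase2-proposal" if no_prop else "phase2-other"
    if not ike_up:
        return "phase1-proposal" if no_prop else "phase1-other"
    return "established"

if __name__ == "__main__":
    esp = parse_proposals("aes256-sha2_512-modp2048!")[0]
    print("failed stage:", classify_failure(IPSEC_UP_OUTPUT))
    print("esp= matches documented peer phase 2:", proposal_matches(esp, CISCO_PHASE2))
```

On the posted values the esp= line agrees with the documented peer settings, so the script confirms the failure is in the CHILD_SA negotiation but cannot by itself say which parameter the ASA rejected.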