[strongSwan] Help to diagnose connection problem with Cisco ASA5585X
Alex K
rightkicktech at gmail.com
Sun May 10 10:58:48 CEST 2020
On Sat, May 9, 2020, 17:19 Jim Geurts <jim at mpirik.com> wrote:
> Hi,
>
> I'm new to the world of strongswan and vpns in general, so I apologize if
> this is answered elsewhere. I inherited a strongSwan box running Linux
> strongSwan U5.7.2/K4.14.177-139.253.amzn2.x86_64. The other end is a Cisco
> ASA5585X. The connection was up and running a few days ago, but I've been
> trying to get auto=route working (it was previously auto=start) and that
> caused the tunnel to go up/down a couple times. Now the tunnel will not
> establish a connection. To me, it seems like it's the phase 2 establishment
> that is failing, but I'm curious if someone could help clear up what is
> going on or which part is failing?
>
> My understanding (waiting for verification) is that the
> configured settings for the tunnel from the cisco side are:
>
> Phase 1
> Encryption algorithm: AES-256
> Hash algorithm: SHA-512
> DH Group: 14
> Lifetime: 28800 (seconds)
>
> Phase 2:
> Mode: IKE V2 Tunnel
> ESP Encryption algorithm: AES-256
> ESP Hash algorithm: SHA-512
> PFS: DH Group 14
> Lifetime: 3600 (seconds)
>
> I have the following ipsec.conf file for the tunnel:
>
> config setup
> # strictcrlpolicy=yes
> # uniqueids = no
> charondebug="ike 2, knl 2,esp 2, cfg 2, chd 2, lib 2, net 2"
>
> conn %default
> ikelifetime=480m
> keylife=60m
> rekeymargin=3m
> keyingtries=1
> keyexchange=ikev1
> authby=secret
>
> conn FOO
> leftid=205.251.242.103
> left=172.30.101.187
> leftsubnet=205.251.242.103/32
> leftupdown=/tmp/vpn/firewall-rules.sh
> right=176.32.98.166
> rightsubnet=104.40.92.107/32
> ike=aes256-sha512-modp2048!
> keyexchange=ikev2
> esp=aes256-sha2_512-modp2048!
> rekeymargin=9m
> type=tunnel
> compress=no
> authby=secret
> auto=route
> keyingtries=%forever
> forceencaps=yes
> mobike=no
>
>
> ipsec statusall gives the following:
>
> Status of IKE charon daemon (strongSwan 5.7.2, Linux
> 4.14.177-139.253.amzn2.x86_64, x86_64):
> uptime: 19 hours, since May 08 18:56:20 2020
> malloc: sbrk 1884160, mmap 0, used 828960, free 1055200
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5
> mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7
> pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519
> chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve
> socket-default farp stroke vici updown eap-identity eap-sim eap-aka
> eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic
> eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam
> xauth-noauth dhcp led duplicheck unity counters
> Listening IP addresses:
> 172.30.101.187
> Connections:
> FOO: 172.30.101.187...176.32.98.166 IKEv2
> FOO: local: [205.251.242.103] uses pre-shared key
> authentication
> FOO: remote: [176.32.98.166] uses pre-shared key authentication
> FOO: child: 205.251.242.103/32 === 104.40.92.107/32 TUNNEL
> Routed Connections:
> FOO{1}: ROUTED, TUNNEL, reqid 1
> FOO{1}: 205.251.242.103/32 === 104.40.92.107/32
> Security Associations (0 up, 0 connecting):
> none
>
>
> Sending traffic to 104.40.92.107 does not bring the tunnel up. If I try to
> bring the tunnel up manually using ipsec up FOO, I get the following:
>
> initiating IKE_SA FOO[1] to 176.32.98.166
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> sending packet: from 172.30.101.187[500] to 176.32.98.166[500] (464 bytes)
> received packet: from 176.32.98.166[500] to 172.30.101.187[500] (599 bytes)
> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(FRAG_SUP) V ]
> received Cisco Delete Reason vendor ID
> received Cisco Copyright (c) 2009 vendor ID
> received FRAGMENTATION vendor ID
> selected proposal:
> IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
> local host is behind NAT, sending keep alives
> received 1 cert requests for an unknown ca
> authentication of '205.251.242.103' (myself) with pre-shared key
> establishing CHILD_SA FOO{2}
> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
> N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> sending packet: from 172.30.101.187[4500] to 176.32.98.166[4500] (304
> bytes)
> received packet: from 176.32.98.166[4500] to 172.30.101.187[4500] (208
> bytes)
> parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
> authentication of '176.32.98.166' with pre-shared key successful
> IKE_SA FOO[1] established between
> 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
> scheduling reauthentication in 28116s
> maximum IKE_SA lifetime 28656s
> received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
>
> failed to establish CHILD_SA, keeping IKE_SA
I would try: esp=aes256-sha2_512-modp2048
> establishing connection 'FOO' failed
>
>
> Any help or direction would greatly be appreciated as I'm not really sure
> what I can do next. Also, I'm hoping this is the underlying reason for
> auto=route not working as expected. Thank you,
>
> Jim
>
>
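As an added example (not part of the thread or of strongSwan itself), a small Python classifier that replays charon log lines in the order Jim posted them and reports which IKEv2 stage the attempt got through: IKE_SA_INIT (IKE proposal), IKE_AUTH (peer authentication) or CHILD_SA (ESP proposal). The sample log is constructed from the shape of the quoted output, and the match patterns assume strongSwan's usual log wording.

```python
import re

# Constructed sample in the shape of the charon output quoted in the thread
# (trimmed to the lines the classifier needs; not a verbatim copy).
SAMPLE_LOG = """\
initiating IKE_SA FOO[1] to 176.32.98.166
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048
establishing CHILD_SA FOO{2}
parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
authentication of '176.32.98.166' with pre-shared key successful
IKE_SA FOO[1] established between 172.30.101.187[205.251.242.103]...176.32.98.166[176.32.98.166]
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'FOO' failed
"""


def diagnose(log: str) -> dict:
    """Replay charon log lines in order and report the IKEv2 stage that failed.

    A NO_PROPOSAL_CHOSEN seen before any IKE proposal was selected means the
    IKE_SA_INIT exchange itself was rejected; one seen after an IKE proposal
    was selected means the peer rejected the CHILD_SA (ESP) proposal.
    """
    r = {"ike_proposal": None, "peer_auth": False, "ike_sa_up": False,
         "child_sa_up": False, "failing_stage": None}
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"selected proposal:\s*IKE:(\S+)", line):
            r["ike_proposal"] = m.group(1)        # IKE_SA_INIT negotiated
        elif "with pre-shared key successful" in line:
            r["peer_auth"] = True                 # IKE_AUTH: peer AUTH verified
        elif re.match(r"IKE_SA \S+ established", line):
            r["ike_sa_up"] = True
        elif re.match(r"CHILD_SA \S+ established", line):
            r["child_sa_up"] = True
        elif "NO_PROPOSAL_CHOSEN" in line or "N(NO_PROP)" in line:
            if r["failing_stage"] is None:
                r["failing_stage"] = "CHILD_SA" if r["ike_proposal"] else "IKE_SA_INIT"
        elif "AUTHENTICATION_FAILED" in line and r["failing_stage"] is None:
            r["failing_stage"] = "IKE_AUTH"
    return r


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample it reports the IKE proposal selected, the peer authenticated and the IKE_SA up, with `failing_stage` set to `CHILD_SA`, which is the ESP proposal in the `esp=` line rather than the `ike=` line.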